Becoming data-driven is a critical priority for organizations of all shapes and sizes. Data, combined with analytics, equals insights – and these insights can form the basis of predictions, better customer relationships and informed decisions.
However, in the modern world, generating data insights comes with great responsibility. A lot of data, after all, relates to people. It’s personally identifiable information (PII). If an organization holds this data and it is stolen, leaked or used incorrectly, then the consequences are grave.
Compliance laws such as the GDPR, CCPA and HIPPA all govern that organizations put in place thorough protocols and solutions to protect this sensitive data. At their core, these regulations are about privacy: ensuring that citizens have a measure of who can access their personal information, and how it is used.
While this sounds good in principle, many companies are failing when it comes to application. In 2020 alone, European supervisory authorities issued at least 196 administrative fines, totaling over €72 million.
The Cloud Conundrum
According to Vanson Bourne, more than 90% of companies store some data in the cloud. In this environment, maintaining visibility and control over data can seem like an impossible task. Between data lakes, citizen developed apps, SaaS applications and thousands of endpoints, security and IT decision makers are left chasing their tails. They want to keep data secure and compliant, but they often don’t know where it is, who has access to it or if it’s been shared.
Cloud-delivered solutions like Box, Slack and Office 365 have become the bread and butter of employee productivity. Often, sensitive data will be uploaded, stored and downloaded from these apps – and the IT team will be none the wiser.
This is a breach waiting to happen. Without a complete view of where data is, companies simply can’t protect it. The threats are numerous: a disgruntled employee stealing IP, a cyber criminal that’s hacked into an administrator’s email account or a contractor who set the wrong document permissions – to name just a few.
It’s also important to remember that cloud providers are third parties themselves. You need to make sure that PII and PHI cannot be seen by these vendors.
But properly securing PII isn’t just about preventing a breach – it’s about gaining a competitive advantage too. Companies that are able to properly secure PII are more likely to retain their customer base, as well as gain new customers. On the other hand, a data breach can sink a business’ reputation. It’s clear, then, that prioritizing privacy is more than just about avoiding regulatory fines – it’s about surviving as a company.
Why DLP isn’t enough
If you’re reading this and thinking…
Well, we have data loss prevention in place, I’m sure we’ll be ok.
…Unfortunately, you’re not. Legacy DLP isn’t fit for a cloud environment. Here’s why:
Lacks visibility: Traditional DLP monitors traffic within the enterprise network. However, with cloud applications, data might not even touch the enterprise network at all. An employee could upload data to an app straight from their mobile or from their laptop at home, without being plugged into a VPN. This means that traditional DLP lacks the visibility to be effective today.
Not intelligent enough: Traditional DLP focuses on protecting data, but lacks contextual awareness. It won’t be able to distinguish between a hacked administrator account and a genuine one. Plus, if an employee with access permissions decides to go rogue, traditional DLP won’t even sound the alert.
Impossible to keep up to date: Configuring DLP can be extremely time consuming and drain resources. More than that, though, in a cloud-first world, yesterday’s configurations and policies might not be applicable today. The enterprise is constantly changing. Data is moving, transforming and growing. Traditional DLP simply can’t keep up with the pace.
These shortcomings are just a few of traditional DLP’s problems. We’ve discussed these in more depth in this blog, which you can read here.
How to get a handle on data privacy in the cloud
Invest in a next-generation CASB
Modern CASBs are designed to secure cloud apps accessed by unmanaged devices and endpoints. Their protection is expansive and borderless, reaching beyond the traditional firewall to secure, check and analyze any and all incoming traffic into cloud applications.
This provides much needed visibility into cloud applications, data and users, which mitigates the risk of shadow IT and ensures data is being processed ethically and correctly.
It’s important to note that not all CASBs are created equal. They’ve been around for a long time and, just like DLP, older vendors have their limitations. Ideally, you should settle for a CASB vendor that uses API controls. These are out-of-band solutions that integrate into cloud services, providing security and monitoring by maintaining a dialogue with other known APIs.
In particular, keep an eye out for these factors:
Offers policy enforcement across multiple cloud environments
Granular visibility into who can access data, along with controls to change access privileges
Intuitive to use for the security team
Regularly check security controls
The cloud is based on a shared responsibility model. This means your company has security duties in relation to the applications, data, containers, and workloads you use in the cloud.
Many cloud providers offer embedded security controls – but how you use them is up to your team, and many companies aren’t getting it right. In fact, according to Gartner, through 2025, more than 99% of cloud breaches will be traced back to preventable misconfigurations or mistakes by end users.
To get a hold on this problem, you should create an inventory of your cloud services, along with the controls they offer. From there, you can assess what controls you have put in place, or what controls need to be put in place. Remember that, if you use multiple cloud providers, the levels of protection they offer will be different. Moreover, these controls shouldn’t be your be all and end all. You should complement them with third party tools, like CASBs, for complete protection.
Use the principle of zero trust
Zero Trust security is an IT security model centered around the concept that organizations should verify every person and device attempting to access their systems and data, whether they are inside or outside the network perimeter, before permitting access.
With more employees accessing cloud apps remotely, this principle is a must for privacy and security. However, zero trust isn’t a single solution – it’s an overarching process. To start with, you should analyze the company’s user base. From there, you can implement tools like Identity and Access management with single sign-on.
You should ensure that only users who are verified through these tools can access corporate data and applications. Make sure to consider all of your cloud applications with this approach, including tools like Slack, Box and Outlook. For a detailed overview of Zero Trust, read our blog here.
Looking to the future
Complying with privacy policies and data protection regulations can seem like a headache, but as data continues to fuel business operations, these restrictions will only become more stringent.
Companies that use people’s data for their benefit will need to ensure that they are not infringing the rights of citizens – even if accidentally. With many more states currently reviewing their own privacy regulations, it’s clear that this issue is not going away.
By getting ahead of the pack, and deploying the right solutions now, companies can put themselves in a positive position for the data-driven, cloud-based future.