The Privacy Challenges of Cloud Computing
Cloud services have become an integral part of business operations. In an increasingly interconnected world, they support real-time collaboration, access to files, and the use of applications from anywhere, as long as a device is connected to the internet. They also allow companies to reduce the costs of IT infrastructure and the manpower needed to run on-premises services. At the same time, cloud computing can provide a higher level of flexibility and unlimited scalability for growing businesses.
When it comes to cybersecurity, external data centers can provide a higher level of protection and a distributed service that ensures a level of resilience beyond what a modest IT budget can supply. When it comes to data protection, however, cloud services can become problematic: the cloud is an external environment managed by a third-party service provider, so once sensitive data makes its way into it, organizations lose part of their control over that data. Whether a cloud service is Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS), customers remain responsible for securing their data and user access. How does this fit into the broader context of compliance with data protection regulations? Let’s take a look.
Cloud Computing and Privacy Concerns
One of the main problems with cloud services is that the location of data servers determines which data protection law applies to sensitive data. The data servers may be compliant with the data protection laws of the country in which they are located, while those laws may not be considered adequate by the countries the data originates from. Depending on the legislation, companies may need additional consent from data subjects to allow their data to be stored outside the country in which it was collected.
Most of the new data protection regulations, such as GDPR or CCPA, have an extraterritoriality clause, meaning they apply regardless of where a business or, in this case, a service provider is located. As long as a company collects personal information from EU or California data subjects, the measures taken to protect that data must be compliant with GDPR or CCPA.
Companies also make privacy commitments to their customers and employees when collecting their personal information, and they must ensure that the cloud service provider can also deliver on them. If a cloud provider operates in multiple jurisdictions, data subjects may also find it difficult to exercise their rights under new data protection regulations, such as the right to be forgotten or the right to data portability.
Lastly, the cloud is often a shared virtual space. Storing sensitive data in it increases the risk of data leaks and uncontrolled distribution. This means competitors or unauthorized users can more easily gain access to sensitive and confidential company data.
Data Loss Prevention and Cloud Services
While choosing a cloud service provider with a good track record for cybersecurity can give companies peace of mind when it comes to data breaches perpetrated by malicious outsiders, data leaks are harder to guard against, mostly because they often occur due to human error. Cloud services make data easy to share and access, which can lead to it being distributed widely to unauthorized users. This is particularly problematic when it comes to sensitive data, whether it is personal information protected by data protection regulations or confidential company information.
One way to guard against noncompliance and data leaks is to ensure that these categories of data are kept out of the cloud. By storing sensitive data locally, on company networks, organizations can easily keep track of its movements, control how it is shared, and ensure that it stays in the country where they are located. This can be done through Data Loss Prevention (DLP) solutions that identify, monitor, and control sensitive data, whether it is Personally Identifiable Information (PII), Intellectual Property (IP), or other categories of data a company considers sensitive in its particular area of business.
Solutions such as Endpoint Protector offer advanced tools to inspect data based on both content and context and offer a vast library of predefined policies for compliance with data protection regulations and standards such as GDPR, HIPAA, PCI DSS, etc. If sensitive data is identified in one of the more than a hundred file types DLP tools can scan, its transfer into the cloud is automatically blocked and the attempt is logged, whether the destination is a company-authorized service or one that employees might use without the organization’s knowledge. In this way, companies can keep sensitive data safely on company networks.
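The content-and-context check described above, as an added example (not Endpoint Protector's code or policy format): it inspects text for Luhn-valid card numbers and e-mail addresses, blocks the transfer when the destination is a cloud service, and logs every attempt. The destination labels, function names and sample text are assumptions constructed for illustration.

```python
import re

# Content rules: candidate card numbers (13-19 digits, optional separators)
# and e-mail addresses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Context rule: destinations treated as cloud uploads (hypothetical labels).
CLOUD_DESTINATIONS = {"cloud-storage", "webmail", "file-sharing"}

# Constructed sample document; the card number is a widely used test value.
SAMPLE_INVOICE = "Customer jane.doe@example.com paid with card 4111 1111 1111 1111."


def luhn_ok(digits):
    """Luhn checksum: discards digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Content inspection: count validated card numbers and e-mail addresses."""
    cards = 0
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    return {"card_number": cards, "email": len(EMAIL_RE.findall(text))}


def evaluate_transfer(text, destination, audit_log):
    """Block when sensitive content is headed to a cloud destination; log every attempt."""
    findings = {kind: n for kind, n in find_sensitive(text).items() if n}
    blocked = destination in CLOUD_DESTINATIONS and bool(findings)
    action = "block" if blocked else "allow"
    audit_log.append({"destination": destination, "action": action, "findings": findings})
    return action


if __name__ == "__main__":
    log = []
    print(evaluate_transfer(SAMPLE_INVOICE, "cloud-storage", log))
    print(evaluate_transfer(SAMPLE_INVOICE, "local-share", log))
    print(log)
```

The Luhn step is what keeps order numbers and ticket IDs from being flagged as card data; production policies typically add match thresholds and file-type parsing on top of checks like these.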
While cloud services offer a wealth of advantages, companies must always consider the legal implications and risks of storing sensitive data in the cloud. The new wave of data protection regulations has made organizations liable in the eyes of the law for whatever happens to the sensitive data they collect. Should a breach occur because of a cloud service provider, the data collector will also be considered responsible and fined accordingly.