The big cloud service providers—think Amazon Web Services, Microsoft, and Google—are very clear about the shared responsibility model. Strip away the nuances and variables and it comes down to one split: the provider is responsible for security of the cloud, meaning the physical infrastructure, the virtualization layer, and the managed services themselves, while you are responsible for security in the cloud, meaning the data you put into those services and everything you control around it: who can access it, how the service is configured, and how the data is encrypted and keyed. Exactly where the line falls depends on the service model. With infrastructure as a service you still own the guest operating system, its patching, and the network controls; with software as a service most of that shifts to the provider, but the data, the user accounts, and the sharing and retention settings stay with you.
If you process or store sensitive data in the cloud, the accountability for securing that data against attacks, leaks, and inadvertent disclosure rests with you. A provider can be contractually obliged to do its part, and under regimes such as the GDPR a processor has duties of its own, but regulators will look first to the organization that collected the data and chose to put it there, not to the cloud provider whose services it leveraged, in the event of a breach or leak.
What does this mean for you? For starters, it means that your company (and everybody in it) needs to take the role of data caretaker seriously, regardless of whether you use cloud services or not (and chances are you do or soon will). How an organization treats data follows from its culture. A responsible enterprise that takes data stewardship seriously promotes a positive culture of privacy within its operations and among its workforce: in the way it gathers sensitive data (usually from customers or prospects before or during business transactions), the way it handles that data, and the way it processes and stores it. This culture of privacy should be reflected in your data processes, workflows, and protection strategy.
The responsible business does not look upon customers’ sensitive data as its own property, as an asset owned by the business. It intuitively understands that this data belongs to the customers, who by the way are real people who have put their trust in the organization to take very good care of that highly sensitive information. This is the reason that most cybersecurity firms will point out that the most detrimental outcome of a data leak or data breach isn’t fines, sanctions, or the like, though these are painful outcomes in their own right. Rather, it’s the squandered trust of their customers. Trust is a very hard thing to rebuild with customers who have been burned once.
Emphasizing the negative outcomes isn't the best way to encourage a positive culture of privacy. The better way, once everybody in the organization understands the seriousness of the caretaker role, is to take a constant and proactive stance on data security assessment, followed by data protection and management measures that match what the assessment finds. This ongoing assessment isn't focused only on the security tools and services you use, though that's a natural place to start. It also covers your operational processes and data workflows: how data comes into the organization, how it gets moved around, how it is processed and stored by different users and systems, and when it expires and must be deleted. Understanding the lifecycle of your organizational data and the processes around that lifecycle is as important as the security tools you apply to protect it, on premises as well as in the cloud (or in a hybrid environment). A positive culture of privacy is holistic; it takes all of this into account so that data is secured in the way that is appropriate for it.
So what are the steps in carrying out iterative data security assessments as a reflection of a proper culture of privacy? In short: find the data, understand it, apply the correct protective measures, and then manage the ongoing presence of that data in your environment. Because the process repeats, automation can drive the cycle, above all in data discovery. Data is dynamic in any enterprise, so discovery has to run continuously rather than as a one-off audit, and it has to look beyond the systems of record: sensitive values routinely end up in exports, log files, backups, support tickets, and free-text fields where nobody planned for them. Knowing where data is, being able to identify it and its lineage, and classifying its level of sensitivity is crucial. Only with discovery can you find overlooked data and address it with the right level of protection for how it's used in workflows and where it gets handled, processed, and stored.
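The discovery and classification step in concrete form, as an added example in Python (this is illustration code, not comforte's code or the platform's API): it scans constructed sample records for card numbers, social security numbers, and email addresses, uses a Luhn check so that a 16-digit order number is not mistaken for a card number, records only masked samples in its findings, and rolls the results up to a per-source sensitivity tier. The record layout, the tier names, and the sample sources are assumptions made for the example.

```python
"""Added example (not comforte's code): sensitive-data discovery over sample records."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate patterns. The PAN pattern is deliberately loose (13-19 digits with
# optional spaces or dashes); the Luhn check below does the real filtering.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_PATTERN = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Assumed sensitivity tiers, highest first, and the tier each data type maps to.
TIERS = ["restricted", "confidential", "internal"]
DATA_TYPE_TIER = {"pan": "restricted", "ssn": "restricted", "email": "confidential"}

# Constructed sample: records pulled from three hypothetical stores. The card
# number is a well-known test number, not real customer data.
SAMPLE_RECORDS = [
    {"source": "crm/customers.csv", "field": "notes",
     "value": "Called customer, card 4111 1111 1111 1111 on file"},
    {"source": "crm/customers.csv", "field": "email", "value": "jane.doe@example.com"},
    {"source": "s3://exports/2023/orders.json", "field": "order_id",
     "value": "ORD-1234567890123456"},  # 16 digits, but fails the Luhn check
    {"source": "s3://exports/2023/orders.json", "field": "comment",
     "value": "nothing sensitive here"},
    {"source": "hr/payroll.xlsx", "field": "ssn", "value": "123-45-6789"},
]


@dataclass(frozen=True)
class Finding:
    source: str
    field: str
    data_type: str
    tier: str
    sample: str  # masked; the raw value never leaves the scanned record


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace everything but the last `keep` characters with asterisks."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def classify_value(value: str) -> list[tuple[str, str]]:
    """Return (data_type, masked_sample) pairs for every sensitive item in one value."""
    hits: list[tuple[str, str]] = []
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops order numbers and other look-alikes
            hits.append(("pan", mask(digits)))
    for m in SSN_PATTERN.finditer(value):
        hits.append(("ssn", mask(m.group())))
    for m in EMAIL_PATTERN.finditer(value):
        local, _, domain = m.group().partition("@")
        hits.append(("email", local[0] + "***@" + domain))
    return hits


def discover(records: list[dict]) -> list[Finding]:
    """Scan every record and return one Finding per sensitive item located."""
    findings = []
    for rec in records:
        for data_type, sample in classify_value(rec["value"]):
            findings.append(Finding(rec["source"], rec["field"], data_type,
                                    DATA_TYPE_TIER[data_type], sample))
    return findings


def classify_sources(records: list[dict], findings: list[Finding]) -> dict[str, str]:
    """Highest tier seen per source; sources with no findings stay 'internal'."""
    result = {rec["source"]: "internal" for rec in records}
    for f in findings:
        if TIERS.index(f.tier) < TIERS.index(result[f.source]):
            result[f.source] = f.tier
    return result


if __name__ == "__main__":
    found = discover(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.source}:{f.field} -> {f.data_type} ({f.tier}) {f.sample}")
    print(classify_sources(SAMPLE_RECORDS, found))
```

The per-source roll-up is what feeds the next step of the cycle: a source tagged restricted is the one that needs tokenization or encryption and tighter access first, while the order export that merely looked suspicious is left alone. In a real deployment the scanner would run on a schedule against the stores themselves and keep a lineage record per finding, but the matching and masking logic stays the same.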
Comforte can help you with your effort to build a culture of data privacy. Our data security platform addresses the entire process and helps keep data secure, on premises or in the cloud, with data-centric protection. Traditional controls such as user access management, perimeter defenses, and data-at-rest encryption protect the containers that data sits in; data-centric methods such as tokenization and format-preserving encryption protect the data itself, replacing sensitive values with surrogates that typically keep the original length and format, so that applications and workflows that expect, say, a 16-digit card number keep working. Operations that depend on format, length, or equality, such as joins, counts, and analytics over the protected fields, can still be carried out without exposing the real values. Two caveats apply to any data-centric scheme: the protection is only as strong as the secrecy of the keys or token vault behind it and the access controls on the detokenization path, and it complements rather than replaces the access and perimeter controls above. Also, because the protection travels with the data, it holds no matter where the data is stored or processed. That is the point to note, because it brings us back to the initial thought: no matter where your organizational data goes, even if it lands in a cloud environment (cloud-based application, cloud processing, or cloud storage), comforte's data security platform assists you in your effort to instill a positive culture of privacy within your business and to be a proactive caretaker of sensitive data. Your customers expect and deserve it, regulators demand it, and you'll be the beneficiary now and in the future of the trust and respect in your brand that it builds.
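How format-preserving tokenization keeps data workable, as an added example in Python (illustration code, not comforte's code; it stands in for whatever tokenization service is actually in use): 16-digit card numbers are replaced by deterministic digit-only tokens of the same length that keep the last four digits, a hypothetical in-memory dictionary stands in for the protected token vault, and detokenization is restricted to a single role. A spend-per-card calculation then runs unchanged on the tokenized rows. The secret, the role name, and the sample transactions are constructed for the example.

```python
"""Added example (not comforte's code): format-preserving tokenization with a vault."""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter


class Tokenizer:
    """Deterministic, format-preserving tokenization of 16-digit PANs.

    A token keeps the length, the digit-only format and the last four digits,
    so downstream systems that validate "16 digits" or print "ending in 1111"
    keep working, while the real number exists only in the vault.
    """

    KEEP_TRAILING = 4
    ALLOWED_DETOKENIZE_ROLES = {"payments-service"}  # hypothetical role name

    def __init__(self, secret: bytes):
        self._secret = secret
        # Hypothetical in-memory stand-in for a hardened, access-controlled vault.
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit PAN")
        head, tail = pan[:-self.KEEP_TRAILING], pan[-self.KEEP_TRAILING:]
        # Keyed hash so the mapping is deterministic (same PAN -> same token,
        # which is what lets joins and counts work) but unpredictable without
        # the secret.
        digest = hmac.new(self._secret, pan.encode(), hashlib.sha256).digest()
        # Reduce the 256-bit digest to a digit string as long as the replaced
        # part; the modulo bias over 10**12 values is negligible.
        surrogate = str(int.from_bytes(digest, "big") % 10 ** len(head)).zfill(len(head))
        token = surrogate + tail
        existing = self._vault.get(token)
        if existing is not None and existing != pan:
            raise RuntimeError("token collision: rotate the secret or widen the token space")
        self._vault[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the roles that genuinely need the real PAN may reverse a token."""
        if caller_role not in self.ALLOWED_DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._vault[token]


def spend_per_card(rows: list[dict]) -> dict[str, int]:
    """Analytics that must produce the same shape on plaintext and tokenized rows."""
    totals: Counter = Counter()
    for row in rows:
        totals[row["card"]] += row["amount"]
    return dict(totals)


def protect_rows(tokenizer: Tokenizer, rows: list[dict]) -> list[dict]:
    """Return copies of the rows with the card field tokenized."""
    return [{**row, "card": tokenizer.tokenize(row["card"])} for row in rows]


# Constructed sample transactions using well-known test card numbers.
SAMPLE_ROWS = [
    {"card": "4111111111111111", "amount": 1200},
    {"card": "5500000000000004", "amount": 350},
    {"card": "4111111111111111", "amount": 800},
]


if __name__ == "__main__":
    tok = Tokenizer(b"constructed-demo-secret")  # never a hard-coded constant in production
    protected = protect_rows(tok, SAMPLE_ROWS)
    for row in protected:
        print(row)
    print("spend per card (tokenized):", spend_per_card(protected))
    print("detokenized:", tok.detokenize(protected[0]["card"], "payments-service"))
```

The trade-off to keep in mind: deterministic tokens preserve equality, which is exactly what makes the analytics above work, but it also means anyone holding the tokenized dataset can see that two rows refer to the same card and can count how often it appears. Where that leakage matters, use random tokens backed by the vault and accept that joins then have to happen inside the detokenizing service. Tokens produced here may or may not pass a Luhn check; production schemes often deliberately emit Luhn-invalid tokens so a token can never be mistaken for a live card number.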