Privacy Considerations in the Cloud Part 3: What to Consider When Choosing Cloud Services

Multi-Cloud and Privacy Challenges

One of the biggest challenges for privacy professionals today is how to implement various privacy compliance requirements across multiple platforms, technologies, third-party providers, geographies, internal data users and customers.

As discussed in the first post in this series, organizations across the globe face the daily risk of security and data breaches. With that in mind, businesses need to understand how to deliver multi-device user experiences while securely sharing industry and customer data across various application environments.

Moving to the cloud can modernize an organization’s IT capabilities to expand beyond the traditional outsourcing service model, but selecting and architecting a multi-cloud solution can be a complex and challenging task.

Benefits of the Cloud

Moving data and business workloads to the cloud can have wider business benefits, especially when it comes to running organizations’ systems and applications that both manage business processes and generate revenue. The rapid growth of cloud computing options enables companies to scale and provide “as needed” data storage and computing power in a more cost efficient way.

As a practical matter, when the cloud is implemented correctly it can offer certain benefits, such as:

  • speed, power, scalability, agility, and reliability of organizations’ online solutions
  • improved efficiency with the faster time to market
  • improved security of infrastructure, applications, and data
  • access to cloud expertise organizations don’t have in-house
  • tools and features that organizations don’t have resources for to build in-house
  • a centralized approach to cloud and the ability to shift from shadow IT
  • service level agreements to address availability

The right cloud provider can provide expertise, experience and required capabilities across a range of infrastructure and cloud deployment models, enabling in-house IT personnel to focus on what is core to their own business.

Cloud Service Models and Privacy Challenges

When it comes to the use of cloud services, one size does not fit all. Organizations need the freedom to put their applications, workloads and data where they’ll fit best. This is especially true when we are talking about privacy. The way organizations utilize the cloud matters when it comes to privacy and security of personal data.

Depending on the type of cloud services used (SaaS, PaaS or IaaS), the roles and responsibilities for the security and privacy of data may vary. These service models split up responsibility for risk and ability to mitigate data breaches in an entirely different way. Responsibility for the data and data risk mitigation may be divided among data owners and multiple cloud providers.

Therefore, it is imperative for privacy professionals to understand:

  • the interaction between various cloud service models used by their organization
  • the cloud architecture and topology: public, private, hybrid and managed cloud
  • the underlying infrastructure and third-party providers involved in the cloud services delivery
  • how the responsibility for their data is passed down the contractual chain among multiple providers
  • how the roles and responsibilities are divided up among the internal IT staff and multiple third-party providers
  • the impact of inter-cloud interoperability or the lack thereof.

Having an understanding of the cloud and knowing what type of data your organization will be sending to the cloud can help privacy professionals address specific privacy compliance requirements.

Privacy Considerations When Building a Cloud Strategy

Cloud users need to ensure that personal data is properly stored, processed and protected. By combining different cloud deployment models, organizations can better address privacy concerns in the cloud. Choosing the right cloud deployment model — and the right cloud providers to deliver it — is a fundamental component in ensuring a successful and long-term privacy strategy in the cloud.

On-Premise vs. Off-Premise Solutions

Compared to an on-premise-only deployment, storing data and deploying IT solutions in an off-premise cloud can result in a much better solution for the privacy of personal data.

An on-premise solution can provide some advantages, but it can also expose data to greater risk if an organization doesn’t have sufficient security, resources and expertise to support it on a 24x7x365 basis. There may be a more significant threat to the privacy of data that’s sitting in an on-premise solution than when organizations store data in a third-party off-premise cloud.

On-premise solutions require dedicated space for servers, hardware, cooling systems and system redundancy to ensure availability and integrity of the data. Organizations need to deal with setting up a secure infrastructure in a secure building and deal with failures and glitches, patches, upgrades and monitoring.

Additionally, on-premise deployments are heavy on capital expenses for organizations because an organization must have dedicated space, redundant solutions, hardware, software and human expertise to support it. By using a reputable, trustworthy cloud provider, organizations can address these needs in a more secure and cost-efficient way.

Reputable cloud providers have high data security standards as well as extensive expertise and experience in maintaining and securing cloud infrastructures. In many cases, businesses cannot afford to build their data centers with state of the art security, software, infrastructure, tools and hiring their internal technology experts need to maintain it.

Key Steps for Building Privacy Strategy in the Cloud

Having an understanding of the cloud is only one step in the IT transformation process. One of the most important steps in building an organization’s privacy strategy is having an understanding of your data landscape, what you are buying from a particular cloud provider and how roles and responsibilities in managing the infrastructure, applications and data are divided up.

Planning a migration to the cloud while considering the following points is imperative to addressing privacy requirements adequately and implementing your organization’s privacy policies and procedures across all of your clouds.

Assess Your Organization’s Readiness for the Cloud

It’s imperative that privacy professionals initiate their cloud readiness assessment before migrating data to the cloud. Proper cloud-readiness assessment can enable a data-informed migration to the cloud and an understanding of security controls that must be in place to adequately protect the data and address compliance requirements. In this phase, privacy professionals need to partner with security and IT experts as well as with their internal business partners (such as leadership, legal, compliance and sourcing teams) to assess and understand their organization’s business goals, drivers, pain points and objectives.

When determining which cloud deployment model to use for which workloads and data, privacy professionals need to assess:

  • their organization’s business needs and goals for migration to the cloud
  • their organization’s data landscape and information governance
  • the type of data their organization will be sending to the cloud
  • the data flows – where is the information coming from and where is it going to be processed and stored
  • any particular privacy, security and compliance requirements that need to be met based on data types
  • any restrictions on transferring personal data to another country
  • the risk profile and who can mitigate the risk to data
  • how their organization will be able to implement any particular organizational and security measure to protect personal data
  • their organization’s in-house technical ability to manage different cloud workloads themselves
  • the ability of a cloud provider to offer multi-cloud options and the technical ability to support it
  • whether multiple cloud providers will be required for specific workloads
  • the capacity to deploy appropriate technical and organizational security measures across organization’s on-premise and off-premise solutions
  • the support and service model provided by a prospective cloud provider

By conducting a cloud-readiness assessment and sufficient research to find trustworthy and experienced cloud providers, organizations can scale better, free up internal resources and deploy cost-efficient cloud deployment models while addressing privacy, security and availability of their data. Appropriate assessment can help identify and mitigate the risks with various cloud service models.

Plan Your Migration to the Cloud

Don’t migrate your mission critical data without doing your homework. It’s all in the planning!  When building and designing a multi-cloud environment, organizations need to keep in mind that every IT application is a complex ecosystem. It requires an understanding of the infrastructure and where it connects to. It also requires an understanding of who uses the application, how it’s used and how often it’s used.

As mentioned in the previous blog post in this series, an appropriate review of how technology, multiple providers, people and processes interact in the cloud all need to be considered to deploy a more secure online business infrastructure. This allows organizations to set the foundation for their privacy strategy in the cloud.

Proper planning can ensure the right solution, from the right providers, for the right risk profile, is designed and deployed.

When planning a migration to the cloud, privacy professionals need to:

  • engage the right expertise to conduct due diligence based on the organization’s application portfolio, data types, compliance requirements, and their business needs
  • understand cross-cloud connection points with third-party systems, software, and infrastructures
  • put in place a robust disaster recovery, redundancy, and data backup plan
  • identify who will be responsible for the different aspects of data protection and security.

With this foundational assessment and planning, organizations can design a target cloud solution based on their data landscape, privacy compliance requirements and resources available. Having this baseline understanding can help privacy professionals create a roadmap for their organization’s multi-cloud journey. Moreover, it can help choose the right cloud solution with appropriate controls in place, such as adequate security, monitoring, redundancy, support and response time.

Design Your Cloud Solution(s) With Privacy In Mind

The design phase of your cloud journey will allow your organization to integrate your privacy policies with technology. When designing their cloud deployment, organizations should consider their internal capabilities to support it as much as the capabilities of their prospective cloud provider.

Ensuring that privacy professionals provide insight on privacy requirements in this phase can help define clear objectives and implement appropriate measures to protect personal data and address compliance requirements.

Which deployment model is best for an organization will depend on organization’s specific requirements.

The solution is often a multi-cloud approach — a combination of a public and private cloud. The public cloud — meaning the cloud in traditional multi-tenant hosting sense — is something that all businesses may find useful for some portion of their infrastructure, applications and data, but this may not necessarily be the best fit for every component of their business.

So, the first question privacy professionals need to address when designing their cloud deployment is whether public cloud is appropriate for their data types.

Multi-Cloud Flexibility: Privacy Benefits of Private and Hybrid Cloud

With today’s multi-cloud flexibility, an organization can architect an environment that best addresses business needs as well as privacy and compliance requirements.

Public cloud is ideal for rapid scalability, fast deployment and utility billing models but some applications and data demand dedicated infrastructure and single-tenant hosting; primarily where compliance, security and privacy are concerned.

Dedicated servers and private cloud can be customized to give organizations higher performance, greater security and more control over servers and hardware configurations.

Dedicated infrastructure and private cloud are therefore a critical component of the cloud ecosystem, providing greater control of the environment and increased security for critical workloads. With the right cloud provider, cloud solutions can be architected to scale from dedicated, private cloud into the public cloud.

Having the flexibility to deploy hybrid multi-cloud for different workloads and data types lets businesses achieve better performance and security without sacrificing agility that comes with typical public cloud deployments. Most importantly, this can help organizations address specific compliance requirements by implementing appropriate technical and organizational measures internally and across multiple clouds, based on the type of data stored in a particular cloud.

Deploying the right hybrid cloud — connecting dedicated private infrastructure to the public cloud — can enable organizations to protect their business-critical data better with a private circuit that bypasses the internet for the most secure connectivity to organization’s other data centers and cloud environments.

When designing your cloud solutions, ensure that cloud providers offer hybrid cloud options that allow you to store your personal and sensitive data in a private cloud with layered security services on top of such deployment.

Once the ideal cloud deployment models and providers are mapped out, organizations need to work with migration and security experts to develop and execute a detailed migration plan and architect, secure and operate cloud resources across private and hybrid cloud platforms. The critical step in the design phase is also to test the cloud solution before the data migration.

Address Exit Strategy Across All Cloud Deployments

While it may be awkward to talk about divorce while you are just getting married to your cloud provider(s), it’s important to discuss exit strategies across your clouds at the beginning of your relationship with multiple cloud providers. When addressing privacy considerations in the cloud, organizations need to understand what service levels the cloud provider offers, what happens at the end of the contract and how their data will be received at the termination or expiration of the contract.

These details should be understood and worked out in advance to understand how your organization can walk away from your service provider and how you will be able to move your data.

From a practical perspective, it is important to have an exit strategy if the cloud provider does not meet its service level commitments or if one of the providers in the chain of service delivery discontinues their services to your organization. Organizations need to understand how they will be able to move away from a cloud provider and whether they will need ongoing operational assistance from that provider to migrate the data to another provider.

Maintain Your Cloud Solution

Once you go live with your environment in the cloud, your responsibility for protecting the data does not end. Organizations need to maintain appropriate security posture based on the type of data, threat vectors, industry and regulatory developments.

To ensure security and privacy risks are properly managed, organizations should conduct periodic risk and privacy impact assessments across on-site and off-site solutions. Organizations should test their environments regularly by performing load and performance testing, penetration testing and vulnerability scanning.

Additionally, organizations should encrypt their personally identifiable and sensitive information (at rest, in transit and logically) and properly layer additional security features and solutions on top of their cloud. When sensitive data is at stake, organizations should enhance the security of a single-tenant environment with the physically isolated network, compute, dedicated hardware firewall layers and other security measures.

With the right provider, cloud users can get access to the latest cyber-security defenses and updates for security threats without the need for deploying on-premise devices or employing in-house experts at a higher cost.

Stay tuned for the next post in this series, which will take a closer look at the importance of security for privacy, and visit Rackspace for more information about applying Fanatical Support to the clouds of your choice.

Sabina Jausovec-Salinas worked as a corporate counsel at Rackspace for eight years, until early 2017. Much of her work focused on privacy, data protection, marketing, advertising, and intellectual property law. She managed the company’s privacy program and supported the in-house marketing department in advertising, direct marketing, promotions, contests, public relations and branding. Sabina has a wide-range of international legal experience in US and EU privacy and data protection law. She has worked in multiple practice areas in Slovenia, the UK, and currently in the US. Sabina holds CIPP/US and CIPT certifications and served as a co-chair of the IAPP KnowledgeNet Chapter in San Antonio. To learn more about Sabina visit linkedin.com/in/sabinajausovecsalinas

LEAVE A REPLY

Please enter your comment!
Please enter your name here