10 Steps to Cloud Security: Step 5 — Enforce policies for protection of personal data

Yogesh Gupta
4 min read · Jul 31, 2022

(Originally published by author in Jan. 2018 in Peerlyst.com)

Today in this series, we are going to look at the protection of Personally Identifiable Information (PII), which has become a major issue across the globe and is among the hottest topics in the security community.

But before that, let us list our 10 steps to cloud security as defined by Cloud Standards Council:

  1. Ensure effective governance, risk and compliance processes exist
  2. Audit operational and business processes
  3. Manage people, roles and identities
  4. Ensure proper protection of data and information
  5. Enforce privacy policies
  6. Assess the security provisions for cloud applications
  7. Ensure cloud networks and connections are secure
  8. Evaluate security controls on physical infrastructure and facilities
  9. Manage security terms in the cloud service agreement
  10. Understand the security requirements of the exit process

Let us begin by understanding what Personally Identifiable Information (PII) is, along with some background on it. There are numerous definitions out there on the internet, but the one which, I think, does it full justice is this one.

“PII or personally identifiable information is any data that can be used to contact, locate or identify a specific individual, either by itself, or combined with other sources that are easily accessed. It can include information that is linked to an individual through financial, medical, educational or employment records.”

Some examples of PII are:

  • Personal identification numbers, such as a driver’s license number, passport number, credit card number or social security number.
  • A name, such as a full name, maiden name or mother’s maiden name.
  • Address information, like an email address or street address.
  • Biological or personal characteristics, such as an image of distinguishing features, fingerprints, x-rays, voice signatures or retina scans.

Now that we know what PII is, why do we need to protect it, how do we protect it, and what are the challenges?

One of the primary reasons to protect PII is the increasingly stringent laws and regulations in many countries. One of the most prominent is the GDPR (General Data Protection Regulation), which regulates PII collected from EU citizens; this means it applies to all organizations (whether established in the EU or outside it) dealing with the PII of EU citizens.

Some sensitive types of PII, like health records and financial data, require additional regulation. Protected Health Information or PHI is regulated through HIPAA, and Protected Card Information (PCI) is self-regulated by the card industry through PCI DSS.

With so many regulations and standards governing the use and processing of PII, it becomes necessary for all organizations to have a privacy policy. However, these policies are generally written by non-IT staff, mostly from legal and risk management teams. Enforcing the policy, though, requires security controls, proper tagging and classification of the data stores that hold PII, and allowing only authorized people to access PII. The ISO 27018 standard contains a number of security controls which can be implemented in conjunction with ISO 27002 for PII protection.

Now, let us understand a few terms related to PII:

  1. Data Controller — It is an individual or an organization which collects PII and determines the purpose for which and manner in which any personal data are, or are to be, processed. In a cloud environment, it is the cloud customer.
  2. Data Processor — It is an individual or an organization who processes the data on behalf of the data controller and is the cloud service provider in reference to the cloud environment.
  3. Data Subject — It is an individual from whom the PII is collected.

Let us now list the key things to remember when dealing with PII in the cloud:

  1. The cloud customer is ultimately responsible for protecting and securing PII when it is placed or transferred into the cloud environment. However, there could be certain circumstances where the responsibility can be shared with the cloud service provider. Therefore, it is very important to enter into an agreement with the CSP on the sharing of security responsibility.
  2. One of the key requirements to notice here, from both the GDPR and ISO 27018 perspective, is that the data subject (whose PII is in question) should be given access to the PII, and in a machine-readable format. This adds a challenge in a cloud environment: the data subject must be authenticated, authorized to access only their own piece of data, and prevented from accessing anyone else's PII.
  3. GDPR and ISO 27018 make it mandatory to appoint a Data Protection Officer (or point of contact) for a public cloud PII processor (a CSP like AWS or Microsoft Azure).
  4. One of the key challenges is location and jurisdiction. It is very important to know where PII is stored and processed, because many countries have different laws and regulations regulating PII.

So, we can see that protecting PII is very important for any organization processing it, both because of the legal requirements around it and because of the severe implications it can have for an individual whose PII is compromised. Technically, we need to implement all the security controls that we implement for data protection, but additional care should be taken in the classification and tagging of PII.
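As an added illustration (not part of the original article), the sketch below shows field-level classification tags driving staff access, together with the data subject export from key point 2, scoped to the authenticated subject and returned as JSON. The field names, tags, roles and sample records are all constructed assumptions, and the authenticated subject ID is assumed to come from an identity provider that has already verified the user.

```python
import json

# Constructed classification tags per stored field (assumed schema).
FIELD_TAGS = {
    "subject_id": "internal", "plan": "public",
    "full_name": "pii", "email": "pii", "passport_number": "pii",
    "diagnosis": "phi", "card_number": "pci",
}

# Constructed staff roles and the tags each is cleared to read.
ROLE_CLEARANCE = {
    "support": {"public", "internal"},
    "billing": {"public", "internal", "pii", "pci"},
    "clinician": {"public", "internal", "pii", "phi"},
}

# Constructed sample records; every value is fictional test data.
RECORDS = [
    {"subject_id": "s-1001", "plan": "basic", "full_name": "Alice Example",
     "email": "alice@example.com", "passport_number": "X0000001",
     "diagnosis": "asthma", "card_number": "4111111111111111"},
    {"subject_id": "s-1002", "plan": "premium", "full_name": "Bob Example",
     "email": "bob@example.com", "passport_number": "X0000002",
     "diagnosis": "none", "card_number": "4000000000000002"},
]


class AccessDenied(Exception):
    """Raised when a caller asks for PII they are not entitled to."""


def staff_view(role, record):
    """Redact every field whose tag the role is not cleared for.

    Unknown roles and untagged fields fail closed: they are redacted.
    """
    cleared = ROLE_CLEARANCE.get(role, set())
    return {k: (v if FIELD_TAGS.get(k) in cleared else "[REDACTED]")
            for k, v in record.items()}


def subject_export(authenticated_subject_id, requested_subject_id,
                   records=RECORDS):
    """Return the data subject's own records as machine-readable JSON."""
    if authenticated_subject_id != requested_subject_id:
        raise AccessDenied("a data subject may only export their own PII")
    # Filter on the authenticated ID, never on caller-supplied input alone.
    own = [r for r in records if r["subject_id"] == authenticated_subject_id]
    return json.dumps({"subject_id": authenticated_subject_id,
                       "records": own}, sort_keys=True, indent=2)
```

Because redaction keys off the tag rather than the field name, a field added to storage without a classification stays hidden from every role until someone tags it.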

Yogesh Gupta

Security Transformation (SX) Advocate, Cloud & Digital Security