Can your organization manage privacy risk on cloud computing?
Recently Mercedes-Benz USA disclosed that sensitive personal information of nearly 1,000 customers and interested buyers had inadvertently been made accessible on a cloud storage platform. The exposed data comprised self-reported credit scores, driver's license and social security numbers, and credit card information that customers and interested buyers had entered on dealer and company websites between January 2014 and June 2017.
Data Users Ultimately Have the Legal Responsibility
As many of you know, cloud services usually operate on a shared security responsibility model: the CSP is responsible for the security of the underlying infrastructure on which customer data and applications run, whereas the customers (the data users) remain responsible for the configuration, access control and protective measures, such as encryption, that safeguard the data they place there. A misconfigured storage bucket is the customer's exposure, not the provider's, which is why the legal responsibility for the personal data stays with the data user.
Recommendations from the HK PCPD (Privacy Commissioner for Personal Data)
Data users are expected to maintain the same level of protection for personal data irrespective of whether the data is managed and held by themselves or by a cloud provider. Where data users do not have direct oversight of all the controls necessary for protecting personal data, they should seriously consider implementing an end-to-end, comprehensive and properly managed encryption system for the transmission and storage of personal data, so that the provider only ever holds ciphertext and the keys stay under the data user's control.
Cryptographic Techniques for Cloud Deployments
Irrespective of the delivery or service model used by an organization, cryptography, and in particular encryption and digital signature techniques, can play a crucial role in securing data, the platforms on which data is stored and the applications that process this data.
Based on this idea, our partner Utimaco, a German manufacturer of Hardware Security Modules (HSMs) that provide the root of trust for many industries, recommends nine layers at which cryptographic techniques can serve as the cornerstone of a security policy, regardless of whether the respective data is in motion, at rest or in processing:
1. Enforce multi-factor authentication
2. Role-based access control (RBAC)
3. Encrypt and digitally sign virtual machines and containers
4. Securely manage workstations by enforcing code signing
5. Run critical applications in secure environments
6. Enable database encryption
7. Protect data in transit
8. Enforce file- and folder-level data encryption
9. Utilize PKI technologies
For details of these cryptographic techniques, you may download the white paper below: Hardware-based cryptographic key management in the Cloud.
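The PCPD recommendation above (encrypt personal data end to end when you do not control the storage) and the database and file-level encryption layers in the list are, in practice, client-side envelope encryption: each record is encrypted under its own data encryption key (DEK) before it leaves the data user's environment, and the DEK is wrapped under a key-encryption key (KEK) that the cloud provider never sees. The Go program below is an added example written for this page; it is not code from Utimaco, the PCPD or the white paper. It assumes the KEK is held in process memory (in a real deployment it would live in an HSM or KMS and only wrap/unwrap calls would cross that boundary), and the record ID `lead-0001` and the JSON record are constructed sample data of the kind exposed in the incident described above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the only thing written to the cloud bucket or database column: the
// record ciphertext plus its per-record key wrapped under the data user's KEK.
// Both blobs are laid out as nonce || AES-256-GCM output (ciphertext + tag).
type Envelope struct {
	RecordID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyHolder models the data user's key-encryption key (KEK). In production the
// KEK sits in an HSM or KMS and only wrap/unwrap calls cross its boundary; holding
// it in process memory is an assumption made for this example.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() *KeyHolder { return &KeyHolder{kek: randomBytes(32)} }

// randomBytes and mustGCM panic rather than return errors: an unusable CSPRNG or
// a wrong key length is a programming fault, not a runtime condition.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aeadSeal returns nonce || GCM(key, plaintext) with aad authenticated.
func aeadSeal(key, aad, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal; a truncated blob is rejected before slicing.
func aeadOpen(key, aad, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// Seal encrypts one record under a fresh 256-bit DEK before it leaves the data
// user's environment, then wraps that DEK under the KEK. The record ID is bound as
// associated data on both layers, so a blob copied between records fails to open.
func (k *KeyHolder) Seal(recordID string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	aad := []byte(recordID)
	return &Envelope{RecordID: recordID, WrappedDEK: aeadSeal(k.kek, aad, dek), Ciphertext: aeadSeal(dek, aad, plaintext)}
}

// Open unwraps the DEK and authenticates the record; any change to the stored
// envelope (ciphertext, wrapped key or record ID) is rejected outright.
func (k *KeyHolder) Open(env *Envelope) ([]byte, error) {
	aad := []byte(env.RecordID)
	dek, err := aeadOpen(k.kek, aad, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("record %s: DEK unwrap failed: %w", env.RecordID, err)
	}
	pt, err := aeadOpen(dek, aad, env.Ciphertext)
	if err != nil {
		return nil, fmt.Errorf("record %s: authentication failed: %w", env.RecordID, err)
	}
	return pt, nil
}

// Rewrap rotates an envelope to a new KEK without re-encrypting the data: only
// the wrapped DEK changes, so bulk ciphertext already in the cloud stays put.
func (k *KeyHolder) Rewrap(env *Envelope, next *KeyHolder) (*Envelope, error) {
	aad := []byte(env.RecordID)
	dek, err := aeadOpen(k.kek, aad, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("record %s: DEK unwrap failed: %w", env.RecordID, err)
	}
	return &Envelope{RecordID: env.RecordID, WrappedDEK: aeadSeal(next.kek, aad, dek), Ciphertext: env.Ciphertext}, nil
}

func main() {
	kh := NewKeyHolder()
	// Constructed sample record of the kind exposed in the incident above.
	env := kh.Seal("lead-0001", []byte(`{"name":"A. Buyer","ssn":"123-45-6789","credit_score":712}`))
	fmt.Printf("stored in cloud: %+v\n", env)
	pt, err := kh.Open(env)
	fmt.Printf("recovered by data user: %s (err=%v)\n", pt, err)
}
```

Two practical caveats. The wrap layer uses random 96-bit GCM nonces, so a single KEK should be rotated (with Rewrap) well before it has wrapped on the order of 2^32 DEKs; in an HSM-backed deployment that rotation is the HSM's job, and the example's in-memory KEK stands in for it. And envelope encryption only covers data at rest: the channel the envelope travels over still needs TLS (layer 7 in the list), and whoever can call Open still needs the authentication and RBAC controls of layers 1 and 2.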