Personal data of Mercedes-Benz customers was inadvertently made accessible on a cloud storage platform

Can your organization manage privacy risk on cloud computing?


Mercedes-Benz USA recently disclosed that sensitive personal information of nearly 1,000 customers and interested buyers had been inadvertently made accessible on a cloud storage platform. The exposed data comprised self-reported credit scores, driver license and social security numbers, and credit card information that customers and interested buyers had entered on dealer and company websites between January 2014 and June 2017.

Source: Reuters


Data Users Have the Ultimate Legal Responsibility

As many of you know, cloud services usually operate on a shared responsibility model for data security: the cloud service provider (CSP) must ensure that its infrastructure is secure and that its platform protects the data and applications of the customers using the service, whereas the customers (the data users) must take their own measures, and use their own security tools, to safeguard the data they place in the cloud. Data that a customer inadvertently makes accessible on a storage platform, as in the incident above, falls on the customer's side of that line, and so does the legal responsibility for the leak.


Recommendations from HK PCPD

Data users are expected to maintain the same level of protection of personal data irrespective of whether the personal data is managed/held by them or by a cloud provider. Where data users may not have direct oversight over all the controls necessary for the protection of personal data, they should seriously consider implementing an end-to-end, comprehensive and properly managed encryption system for the transmission and storage of personal data.


Source: Information Leaflet concerning Cloud Computing published by PCPD


Cryptographic Techniques for Cloud Deployments

Irrespective of the delivery or service model used by an organization, cryptography, and in particular encryption and digital signature techniques, can play a crucial role in securing data, the platforms on which that data is stored, and the applications processing it.


Based on this idea, our partner Utimaco, a leading German manufacturer of Hardware Security Modules (HSMs) that provide the root of trust for all industries in the digital society, recommends nine layers at which cryptographic techniques can serve as the cornerstone of a successful security policy, regardless of whether the data is in motion, at rest or in processing:

  1. Enforce multi-factor authentication

  2. Enforce role-based access control (RBAC)

  3. Encrypt and digitally sign virtual machines & containers

  4. Securely manage workstations by enforcing code signing

  5. Run critical applications in secure environments

  6. Enable database encryption

  7. Protect data in transit

  8. Enforce file and folder level data encryption

  9. Utilize PKI technologies
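As an added illustration of the PCPD's end-to-end encryption advice and of layers 6 and 8 above (database and file-level encryption backed by hardware key management), the following Go program is example code written for this article; it is not Utimaco's code and not taken from the white paper. It performs envelope encryption the way an HSM- or KMS-backed design does: each record is encrypted with its own data-encryption key (DEK) under AES-256-GCM, the DEK is wrapped by a key-encryption key (KEK) that in production would never leave the HSM, and the object path is bound to the ciphertext as authenticated data. The KEK type, the field names and the sample record are assumptions made for the example; the KEK bytes are held in process memory only because there is no HSM to call here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK stands in for the key-encryption key that in a real deployment never leaves
// the HSM or KMS (only wrap/unwrap would be callable); in-memory bytes are a stand-in.
type KEK struct {
	ID  string
	key []byte // 32 bytes: AES-256
}

// EncryptedObject is what lands in cloud storage; it is unusable without the KEK.
type EncryptedObject struct {
	KEKID                 string
	WrappedDEK, WrapNonce []byte // DEK sealed under the KEK with AES-GCM
	Nonce, Ciphertext     []byte // AES-GCM output with the tag appended
	AAD                   []byte // e.g. the object path: authenticated, not secret
}

// randBytes panics if the OS entropy source fails: there is no safe fallback.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKEK generates a random AES-256 key-encryption key (hypothetical HSM key).
func NewKEK(id string) *KEK { return &KEK{ID: id, key: randBytes(32)} }

// gcm panics only on a wrong key length, which is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts with AES-256-GCM under a fresh random nonce; returns (nonce, ciphertext).
func seal(key, plaintext, aad []byte) ([]byte, []byte) {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// Encrypt does envelope encryption: a random DEK protects the record and only the
// DEK is wrapped by the KEK, with the KEK id bound as AAD of the wrap.
func Encrypt(kek *KEK, plaintext, aad []byte) *EncryptedObject {
	dek := randBytes(32)
	nonce, ct := seal(dek, plaintext, aad)
	wn, wrapped := seal(kek.key, dek, []byte(kek.ID))
	return &EncryptedObject{KEKID: kek.ID, WrappedDEK: wrapped, WrapNonce: wn,
		Nonce: nonce, Ciphertext: ct, AAD: aad}
}

// unwrapDEK fails (tag mismatch) if kek is not the key the object was wrapped under.
func unwrapDEK(kek *KEK, obj *EncryptedObject) ([]byte, error) {
	return gcm(kek.key).Open(nil, obj.WrapNonce, obj.WrappedDEK, []byte(kek.ID))
}

// Decrypt reverses Encrypt. A modified ciphertext, or the object served under a
// different path (AAD), fails GCM's tag check instead of yielding garbage.
func Decrypt(kek *KEK, obj *EncryptedObject) ([]byte, error) {
	dek, err := unwrapDEK(kek, obj)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, obj.Nonce, obj.Ciphertext, obj.AAD)
}

// Rewrap rotates the KEK: the DEK is unwrapped with the old key and wrapped with
// the new one; the bulk ciphertext already in storage is untouched.
func Rewrap(oldKEK, newKEK *KEK, obj *EncryptedObject) (*EncryptedObject, error) {
	dek, err := unwrapDEK(oldKEK, obj)
	if err != nil {
		return nil, err
	}
	out := *obj
	out.KEKID = newKEK.ID
	out.WrapNonce, out.WrappedDEK = seal(newKEK.key, dek, []byte(newKEK.ID))
	return &out, nil
}

func main() {
	kek := NewKEK("kek-v1")
	// Constructed sample record of the kind the article describes.
	obj := Encrypt(kek, []byte(`{"ssn":"000-00-0000"}`), []byte("leads/lead-0001.json"))
	pt, err := Decrypt(kek, obj)
	fmt.Printf("round trip: %s err=%v\n", pt, err)
}
```

What this buys in a scenario like the one above: an exposed storage object contains no usable personal data; a copy served under a different path, or a ciphertext that was altered, fails to decrypt rather than yielding silently corrupted records; and rotating the KEK with Rewrap rewrites only the few bytes of wrapped key, so a compromised or retired HSM key can be replaced without re-encrypting the whole store.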

For details of these cryptographic techniques, you may download the white paper below, Hardware-based cryptographic key management in the Cloud.

White_Paper_Hardware-based-cryptographic-key-management-in-the-Cloud-vfinal-1.pdf (PDF, 241 KB)