The recent breach at Capital One brings to the forefront the concerns companies have about moving personal information to the Cloud. It shouldn’t.
The incident, which involved a rogue former employee of AWS, suggests the conditions that allowed the breach to manifest are not necessarily related to where the data was hosted, but how it was protected. At the heart of the matter is the question of technical controls: how effective are they at protecting sensitive data, and how adequately they operate.
Companies, including banks, should continue moving personal information to the Cloud. As noted in the WSJ following the disclosure of the breach “By 2023, banks globally are forecast to spend more than $53 billion on public cloud infrastructure and data services, up from $24.3 billion this year.”
Controlling Data in the Cloud
There are three areas of controls to protect personal information that is hosted in the Cloud:
Controlled Cloud Migration – Companies should decide which data elements should be moved to the Cloud and which shouldn’t, and diligently adhere to those decisions. Controlling the migration of data should be done any time personal information is introduced to a new environment, Cloud or otherwise; call it Privacy-by-Design, Security-by-Design, or plain common sense. Controlled migration means that the data elements of interest are detected through reliable objective means—not through surveys, interviews or cursory examination—so the risk profile of the new environment can be reliably determined.
Conditional Obfuscation – For those new to this fun term, programming code is often obfuscated to protect intellectual property and prevent an attacker from reverse engineering a proprietary software program. Different authorized users have different needs for access to data. Obfuscating the data elements that are not needed for a particular purpose, especially when those data elements are sensitive, is the first step in proactively controlling damage.
User A and User B may both have access to the same repository, but each of them should only see those date elements their role requires, and it is very likely that neither of them will ever be able to see all the data elements in the repository. Conditional Obfuscation also applies when the data is being used. Companies may expect authorized users to process personal information during work hours but need to make decisions on governance such as if the same data should be made available during odd hours or the weekend. The answer for many companies is probably not.
Monitor for the Telltale Signs of a Breach – Breaches often represent an anomalous behavior on a data set. Trends of how authorized users process personal information can be learned by data protection tools, and exceptions to those trends should trigger alerts about a brewing incident. Trends can apply to the volume of data accessed, when it is accessed and what is being done with it (e.g., downloads of multiple datasets late at night).
Data protection controls may not be able to prevent all breaches, but they can certainly limit their scope and impact on both companies and the individuals the personal information pertains to.
Preparing for a migration to the Cloud? Let PKWARE help. Get a free demo now.