Learn how to protect confidential and private data when you store it in the cloud.
Editor's note: This article is part 1 of 2 on cloud security. Don't miss
part 2 of the series.
Cloud security continues to be one of the greatest concerns of organizations that are even thinking about putting any type of data into the cloud. If the data is related to donors, constituents, health care, or finances, cloud security becomes the number one criterion in vendor selection — or at least it should be. The growth in the number and sophistication of cyber attacks should have any reasonable person cautiously paranoid about who could get access to data in the cloud.
What do we really mean when we say "cloud security"? Most people mean the
confidentiality and
privacy of their data — both of which are based on
information security.
What Is Confidential Data?
Confidential data is generally considered to be sensitive (not for public consumption) but not necessarily private. With confidential data, the objectives usually are to
- Limit access to those who are authorized to view the data
- Protect the data from accidental or purposeful unauthorized access by internal or external parties
The following table shows examples of confidentiality breaches. No health care-related or credit card data is accessed in these breaches. The person making the breach would not have access to this data in the normal scope of the person's job.
| Source and Intent of Confidentiality Breach | Accidental | Purposeful |
|---|
| Internal | An employee accidentally opens the wrong file and sees the performance review of a colleague. | An employee seeks out the online purchase records of a friend or celebrity. |
| External | A website visitor mistypes a web page address and gains access to an unpublished area of the website that contains a list of online discount codes that isn't publicly available. | A hacker gains access to the email system and all inbound and outbound email history for all of the nonprofit's staff. |
Notification of confidentiality breaches is generally not required.
What Is Private Data?
Private data
- Is personally identifiable (can be linked to an individual person).
- Usually has regulatory or compliance requirements that force organizations to ensure that the data is not disclosed except in certain allowed circumstances. Health care-related and credit card data are two examples of data subject to privacy via
HIPAA and the
Payment Card Industry Data Security Standard (PCI DSS), respectively.
The following table shows examples of privacy breaches. Again, the person making the breach would not have access to this data in the person's day-to-day work.
| Source and Intent of Privacy Breach | Accidental | Purposeful |
|---|
| Internal | An employee accidentally opens the wrong file and sees the direct deposit request form (including bank account routing numbers) for a colleague. | An employee seeks out the drug abuse treatment records of a friend or celebrity. |
| External | A website visitor mistypes a web page address and gains access to a list of recent credit card transactions, including the full credit card number, expiration date, and cardholder's name and zip code. | A hacker uses malware to gain access to the nonprofit's fundraising system and all of its donor records, including credit card or bank account routing information. |
The handling of private data is often governed by the state or country of residence of the affected individuals, not where your organization is headquartered or has offices. Fines, notice, and remediation requirements are also normally established by the location of residence. So privacy compliance can quickly become complex, especially if donors or constituents are located in multiple jurisdictions.
Protecting Confidentiality and Privacy in the Cloud
Confidentiality and privacy both rely heavily upon information security. Information security
- Seeks to ensure that an organization's data and access to its information systems is well managed
- Helps prevent accidental or purposeful breaches from occurring, both from within and from outside an organization
- Ensures that if breaches do occur, they are detected and addressed quickly
Information security considers
technical security and
logical access controls. Technical security focuses on the actual configuration and physical security mechanisms of the technology itself. Logical access controls focus on the ability to access data or records within the system. Both should meet required standards and should employ best practices.
You must ensure that your cloud service provider has appropriately designed and implemented its information security infrastructure and its associated policies and procedures.
Privacy often has additional requirements. You must also understand what facilities the service provider has for privacy compliance. For example, when HIPAA and PCI DSS compliance are needed, you must obtain assurances from the service provider that it has complied with the requirements.
Information Security Is Your Organization's Responsibility
Cloud security has both technical and procedural aspects that are often taken care of by the cloud service provider's information security infrastructure. Cloud service providers often engage information security professionals, so they usually have much stronger information security capabilities than you, their customer.
However, breakdowns in cloud security usually occur with the customer rather than the service provider. Certain technical and procedural aspects rely on proper configuration and training by your organization.
A cloud-based fundraising system, for instance, might technically have the ability to hide credit card information. But errors by your staff might bypass the security built into the cloud application and result in a breach. For example, your staff might put credit card numbers in the notes field rather than the credit card field. Or your administrator might forget to enable the credit card masking function (which puts asterisks in place of the credit card number and only shows the last four digits).
Data can also be confidential or private, and if private, could be subject to requirements from multiple jurisdictions. It's important for
you to identify which data is subject to which requirements. Then you can ensure that your organization is appropriately securing the data and that you are communicating the requirements to your cloud service providers.
Why Protecting Privacy Matters: Your Reputation and Budget
The biggest risk from a breach of privacy is to your organization's reputation because privacy breaches generally require notification. Privacy breaches may also result in fines, penalties, and remediation costs. These costs are often levied on the organization that owns the data, not necessarily the cloud service provider where the breach occurred.
So it is essential that you ensure the protection of your organization's data. It's your organization's name that will be in the news, and you will be paying the fines, not your service provider.
Learn More
Donny Shimamoto welcomes questions, comments, and feedback via email at donny808@cpa.com, or you can reach him by phone at (866) 737-9991 ext. 200.
