By Filip Cotfas, Channel Manager, CoSoSys
Cloud services have become an integral part of business operations. In an increasingly interconnected world, they support real-time collaboration, access to files, and the use of applications from anywhere, as long as a device is connected to the internet. Not only that it allows companies to reduce the costs of IT infrastructure, and the manpower needed to run on-premises services. At the same time, cloud computing can provide a higher level of flexibility and unlimited scalability for growing businesses.
When it comes to cybersecurity, external data centers can provide a higher level of protection and a distributed service that ensures a level of resilience beyond what a modest IT budget can supply. However, when it comes to data protection, cloud services can become problematic as, once sensitive data makes its way into the cloud, organizations lose part of their control over it as the cloud is an external environment managed by a third-party service provider. Whether a cloud service is Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS), customers remain responsible for securing their data and user access. How does this fit into the broader context of compliance with data protection regulations? Let’s take a look.
Cloud Computing and Privacy Concerns: One of the main problems with cloud services is that the location of data servers determines which data protection law applies to sensitive data. It may also mean that the data servers are compliant with data protection laws within the country they are located, but that these laws may not be considered adequate by the countries the data originates from. Depending on the legislation, companies may need additional consent from data subjects to allow their data to be stored outside the country it was collected.
Most of the new data protection regulations such a GDPR or CCPA have an extraterritoriality clause, meaning they apply regardless of where a business, or service provider, in this case, is located. As long as a company collects personal information from EU or California data subjects, the measures taken to protect that data must be compliant with GDPR or CCPA.
Companies also make privacy commitments to their customers and employees when collecting their personal information and they must ensure that the cloud service provider can also deliver them. If a cloud provider operates in multiple jurisdictions, data subjects may also find it difficult to exercise their rights under new data protection regulations such as the right to be forgotten or to data portability.
Lastly, the cloud is often a shared virtual space. Storing sensitive data in it increases the risk of data leaks and uncontrolled distribution. This means competitors or unauthorized users can more easily gain access to sensitive and confidential company data.
Data Loss Prevention and Cloud Services
While choosing a cloud service provider with a good track record for cybersecurity can give companies peace of mind when it comes to data breaches perpetrated by malicious outsiders, data leaks are harder to guard against, mostly because they often occur due to human error. Cloud services make data easy to share and access which can lead to it being distributed widely to unauthorized users. This is particularly problematic when it comes to sensitive data, whether it is personal information protected by data-protection regulations or confidential company information.
One way to prevent the risk of noncompliance and data leaks is to ensure that these categories of data are kept out of the cloud. By storing sensitive data locally, on company networks, organizations can easily keep track of its movements, control how it is shared, and ensure that it stays in the country where they are located. This can be done through Data Loss Prevention (DLP) solutions that identify, monitor, and control sensitive data, whether it is Personally Identifiable Information (PII), Intellectual Property (IP), or other categories of data a company considers sensitive in their particular area of business.
While cloud services offer a wealth of advantages, companies must always consider the legal implications and risks of storing sensitive data in the cloud. The new wave of data protection regulations has made organizations liable in the eyes of the law for whatever happens to the sensitive data they collect. Should a breach occur because of a cloud service provider, the data collector will also be considered responsible and fined accordingly.