Big Data, the Cloud, SaaS, IaaS and PaaS are all major topics of discussion amongst enterprises at the moment, but many are concerned about the consequences of moving data from their 'protected' infrastructure onto what is seen by many as an unregulated environment.
So, how can a CIO or Head of Information Security ensure that they can embrace new web-based technologies without incurring the wrath of regulators, or facing the negative publicity associated with data loss?
How many times have we read stories in the press about people not being able to take pictures of their child's school play because of the dreaded Data Protection Act? Like most of the stories attributed to that other most misunderstood document, the Health and Safety at Work Act, most of these tales are based on a fundamental misunderstanding or deliberate misreading of the regulations.
I've lost track of the number of times I've heard that we can't use Technology X because of the DPA. If you've ever taken the time to read the entire Act, nowhere does it stipulate what technologies can and cannot be used. However, the two key elements which people should be concerned about are the transfer of data outside the EU, and the disclosure to unauthorised parties.
So, as a hard-pressed Information Security professional, how can I meet the challenges of utilising new technologies without jeopardising security or compliance regulations?
One technique I use is something I call “taking the sting out of the data”. If the data can be manipulated in such a way that it is sanitised of any sensitive information whilst still maintaining the value inherent in the data, then we can be more flexible and agile in the way we can now use the data.
The first and most important thing to do is to look at the data and classify what components are personally sensitive, commercially sensitive or subject to compliance, and which would not affect the business significantly if disclosed.
This may seem a fairly easy task, but you will need to agree everything with the data owners first, and sometimes you'll need to steer them in the right direction. For example, there was a promotions manager who once tried to argue that in-store prices were commercially sensitive, until I pointed out that they are publicly available by going into the store and looking at the price tag. Another time, a marketing manager suggested that a customer's name was public information because everybody has a name!
Therefore, with those two concerns in mind, A) the transfer of data outside the EU and B) the disclosure to unauthorised parties, I recommend that security professionals keep the following checklist in mind to ensure they take the sting out of the data:
1. Understand the overall statutory and regulatory framework that the organisation operates under. As well as the DPA, consider other frameworks such as the FCA's Data Security expectations. If you don't understand the context, it will be impossible to be assured of compliance.
2. Understand what data needs to be in the Cloud to support the solution. Plan according to the real need rather than the perceived need. Challenge the rationale by asking how the solution would work without the data (or whether the data could instead be joined within the organisation's intranet).
3. Validate whether or not the data that needs to be in the Cloud falls under the Data Protection Act in the first place, i.e. whether it is Personal Data under the terms of the Act. Associate each type of data with the compliance it requires.
4. If the data falls within the scope of the Data Protection Act, determine whether a reference rather than the actual data can be stored (e.g. a tokenised version of the data).
5. Understand the Cloud operational environment: where the data will reside and under what circumstances (if any) it might move out of the European Economic Area or Safe Harbor. This will include storage, operational access and failover/Disaster Recovery scenarios.
6. Perform a Data Protection Impact Assessment
7. The landscape of Data Protection is changing; ensure you review the approach against the Draft European General Data Protection Regulation.
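As an added illustration of checklist items 3 and 4 (classify the fields, then store a tokenised reference instead of the personal data itself), and not code from the original post: a small Python sketch in which the field classification, the `TokenVault` that stays on the intranet and the `leaks_sensitive` pre-upload check are all assumed names. The cloud side aggregates on tokens alone, and only the vault can map the results back to real customers.

```python
import secrets

# Field classification agreed with the data owners (assumed for this example).
SENSITIVE_FIELDS = {"customer_name", "email", "postcode"}

class TokenVault:
    """Token <-> value mapping that never leaves the organisation's intranet.
    Tokens are random rather than derived from the value, so they cannot be
    reversed without the vault; a value always gets the same token, so the
    sanitised records can still be joined and aggregated in the cloud."""

    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenise(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value], self._by_token[token] = token, value
        return self._by_value[value]

    def detokenise(self, token):
        return self._by_token[token]

def sanitise(record, vault, sensitive=SENSITIVE_FIELDS):
    """Copy of the record with classified fields replaced by tokens (cloud-safe)."""
    return {k: vault.tokenise(v) if k in sensitive else v for k, v in record.items()}

def restore(record, vault, sensitive=SENSITIVE_FIELDS):
    """Reverse of sanitise(); only possible where the vault lives."""
    return {k: vault.detokenise(v) if k in sensitive else v for k, v in record.items()}

def leaks_sensitive(record, sensitive=SENSITIVE_FIELDS):
    """Pre-upload check: classified fields still carrying a raw (non-token) value."""
    return sorted(k for k in sensitive if k in record and not str(record[k]).startswith("tok_"))

# Constructed sample orders (not real data); price is already public on the shelf, so not classified.
ORDERS = [
    {"customer_name": "A. Example", "email": "a@example.com", "postcode": "AB1 2CD", "sku": "X1", "price": 9.99},
    {"customer_name": "A. Example", "email": "a@example.com", "postcode": "AB1 2CD", "sku": "X2", "price": 4.50},
    {"customer_name": "B. Sample", "email": "b@example.com", "postcode": "EF3 4GH", "sku": "X1", "price": 9.99},
]

def spend_per_customer(cloud_records):
    """Aggregation a cloud service can run on tokens alone; result is keyed by token."""
    totals = {}
    for r in cloud_records:
        totals[r["customer_name"]] = round(totals.get(r["customer_name"], 0.0) + r["price"], 2)
    return totals
```

Run `leaks_sensitive` on every record before it leaves the intranet; an empty list for each is the condition for upload, and the token-keyed totals coming back from the cloud are mapped to customers only via `vault.detokenise`.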
Once you've put the work in, gone through the checklist, and are satisfied with the levels of security in place, you can learn to love the Cloud!
Contributed by John Sidhu, partner, Glue Reply