Cloud Data Protection, Security and Privacy Essentials

by Ionela Barbuta

In the world’s current economic environment, strategic business decisions are often made on the basis of collected information, so no one can really put a price on the true value of this data. It is for this reason that data is and should be protected at all costs. With non-secure data posing just as much risk as corrupted data, it is vitally important that one’s data is kept both safe and private. So just how do companies ensure data protection, particularly when that data is stored using cloud software?

The basics

The term ‘data’ can be considered to be any facts or statistics collected together for either reference or analysis. Traditionally, each respective user or business would be solely responsible for ensuring that the protection and privacy of their own data was maintained. However, with the emergence of cloud computing in tandem with software as a service (SaaS), the fundamental relationship between users and their data has changed. Cloud computing stores user data on third-party servers as opposed to the user’s own local hard drive, so users must trust that their data is kept both safe and secure when making use of the service.

It is worth noting that data protection and data privacy are not identical. ‘Data protection’ describes how secure one’s data is against access by unauthorized entities, while ‘data privacy’ represents the ability a user or business has to determine what aspects of the data can be shared with third parties.

While data protection deals with how secure data is from an unauthorized-use perspective, data privacy is the more general term: it encompasses protection and extends it to define who has access to private data, how and when, for what purpose, and whether that entity has permission to use it for that purpose.

Data protection – key considerations

As already stated, protecting data from unauthorized entities is a crucial aspect of any cloud software. So what are some key topics that must be considered by companies with regards to security when developing cloud software?

  1. Structured Application Security Process – This is an integral step that encompasses measures taken to prevent gaps in the security process of any given software. This step is particularly important when the software is being redesigned, upgraded, or simply undergoing maintenance as it is at these times that the data contained in the software is at its most vulnerable. A respectable application security process will usually entail knowledge of who exactly has access to the encryption keys, a complex password security policy and extreme vigilance when the system is upgraded or patched.
  2. Encryption Algorithms – Encryption algorithms represent the benchmark for data protection in our current technological climate, but it is also very important to ensure that the right standard of algorithm is used. It is essential that companies utilize ‘standard encryption libraries’ that have been tried, tested and certified, as opposed to homemade encryption libraries that could possess fatal defects. As far as encryption algorithms go, the industry standard is always improving, so it’s key that companies keep up to date with the latest technology to ensure the best protection for their users’ data.
  3. Ensuring Database Protection – By far and away the most common cyber-attack in the world today is the ‘SQL injection attack’, which targets a company’s database and ultimately compromises the integrity of its stored data. A key step towards preventing this threat is ‘input validation testing’. This means cloud software should double-check every input for malicious threats before making use of it or storing it.
  4. Secure Connection When Transferring Personal Data – Like any great Hollywood bank heist, the goods are always most vulnerable when in transit. When developing cloud software, companies can go a long way towards protecting their data simply by ensuring that it is protected adequately during transmission. The most common method of achieving this goal is through the use of either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). All data transmissions should be conducted through either of these protocols, as it is worth noting that most conventional social mediums, such as email, are not secure.
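The input check described in item 3, shown as an added example that is not part of the original article: a lookup that pastes input into the SQL text, next to one that validates the input and then binds it as a parameter. Parameter binding goes beyond the input validation the article names; the table, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, notes TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "gold tier"), ("bob@example.com", "trial")],
    )
    return conn


def lookup_unsafe(conn, email):
    # Vulnerable: the input becomes part of the SQL text, so a quote
    # character in it changes the structure of the query.
    query = f"SELECT email, notes FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


# Allow-list: accept only input shaped like an e-mail address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}")


def lookup_safe(conn, email):
    # Layer 1: reject malformed input before it reaches the database.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid e-mail address")
    # Layer 2: a bound parameter is always handled as data, never as SQL.
    return conn.execute(
        "SELECT email, notes FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input
    print("unsafe:", lookup_unsafe(db, crafted))  # every row comes back
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("safe:", exc)
```

The same two lookups make a useful regression test: the crafted input should return every row from the first function and be rejected by the second.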

While the technical solution should be as bulletproof as possible, data protection is more than code. There are a few more factors to consider, among them:

  • Physical security of the servers and/or any devices that have the data.
  • Computer security of your personnel.
  • Your security process with regard to hiring and managing your staff.

Data privacy – key considerations

Protecting the privacy of one’s data is just as important as protecting its integrity. Any cloud software should have a series of controls to prevent its stored data from leaking out, whether to the general public or to malevolent entities:

  1. Allow Users to Control Data Access – Respectable cloud software should allow users to delegate permission with regards to who has access to certain data. The stored data should not, under any circumstance, be visible to anyone, even those working for the cloud company itself. Strictly implementing the user’s privacy configuration with regards to who has access will ensure that the privacy of the data is maintained.
  2. Give Users the Ability to Customize – Cloud users should have the ability to personally configure and customize their own solution to meet their personal privacy requirements. This can involve the end user deciding on what medium the data is displayed through, which sections of it are visible to the public, who has permission to change certain sections of the data and the amount of the user’s personal information that can be disclosed.
  3. Allow Users to Freely Edit Data – Cloud software should allow users to access their respective data at all times and should never lay any personal claim to it without the user’s permission. This means that the user should have the ability to remove or add data at their own discretion.
  4. Ensure Deleted Data is Deleted – Often pressing the ‘delete’ key does not result in the permanent removal of the object. To ensure future data privacy, data deleted by the user should be permanently destroyed from the system. In addition, for accuracy purposes, it should also be ensured that the deletion of data does not affect any aggregated statistical analysis being run on the remaining data.
  5. Privacy by design – Products today offer users convenience as a key value. The new generation of applications is often given access to social media accounts, email accounts, or other private information such as an address. Many of them draw on this data to offer back information, statistics or reports. But regardless of the privacy policy on the website and of legislative compliance, the product still manages personally identifiable information that can be used, lost or in some cases even shared with others. Whether it is depersonalized or not, our data still faces a level of insecurity. Privacy can be considered from the start, when designing the core of the application. I detailed my view on Privacy first products here.
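Item 4 above in practice, as an added example that is not part of the original article: a check of whether a deleted record’s bytes are still present in the storage file. It assumes the service stores records in SQLite; the table, the marker value and the function name are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for a user's private record.
MARKER = "PRIVATE-NOTE-7f3a-constructed-sample-value"


def marker_survives_delete(secure_delete: bool) -> bool:
    """Delete a row, then report whether its bytes remain in the database file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tenant.db")
        conn = sqlite3.connect(path)
        # Set explicitly: the default depends on how SQLite was compiled.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}")
        conn.execute(
            "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
        )
        conn.execute(
            "INSERT INTO notes (owner, body) VALUES ('alice', ?)", (MARKER,)
        )
        conn.execute("INSERT INTO notes (owner, body) VALUES ('bob', 'kept row')")
        conn.commit()

        # The user presses 'delete': the row disappears from every query.
        conn.execute("DELETE FROM notes WHERE owner = 'alice'")
        conn.commit()
        remaining = conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
        conn.close()
        assert remaining == 1  # only the other user's row is left

        # Inspect the raw file the way a forensic tool or a backup would see it.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("bytes left after plain DELETE: ", marker_survives_delete(False))
    print("bytes left with secure_delete: ", marker_survives_delete(True))
```

Overwriting freed space covers only the live database file; backups, replicas and logs that already hold the record need their own deletion step.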

The future of data protection

With high-profile data breaches becoming increasingly common in today’s world, general data protection and privacy has risen to the top of the agenda for the world’s developed nations. In the wake of the Snowden revelations that the United States was covertly collecting information and spying on its own citizens, the US is looking to pass the Consumer Privacy Bill of Rights. This legislation will look to restore to US citizens the right to decide what information of theirs can be collected and stored.

The European Union (EU) is also looking to take a strong stance with regards to the future of data protection and privacy. The ‘Directive 95/46/EC’, which was the original data protection act formed in 1995, is being reconsidered in favor of a more modern and up to date version. The EU has also implemented the ‘European Cloud Partnership’ (ECP) which will look to streamline Europe’s cloud computing laws with regards to situations involving location of data, ownership of digital content and increased transparency with regards to who has access to what data.

There is simply no denying that data privacy is going to become both important and sophisticated in the near future. Be sure to keep an eye on what is happening with data protection and privacy, so you keep your own data safe!
