The operative application of defined controls for the protection of PII is widely affected by the “cluster” of providers/sub-providers involved in the operation of a specific cloud service; therefore, any attempt to provide guidelines for this can be made only at a general level.
Since the goal of applying data protection measures is to fulfill the P&DP laws applicable to the controller, any constraints arising from specific arrangements of a cloud service operation shall be made clear by the cloud service provider to avoid any consequences for unlawful personal data processing. For example, regarding servers located across several countries, it would be difficult to ensure the proper application of measures such as encryption for sensitive data on all systems.
In this context, the PLAs mentioned earlier play an essential role. Furthermore, the cloud service providers could benefit from making explicit reference to standardized frameworks of security controls expressly defined for cloud services. One such example is the “Trust Services Principles and Criteria” for security, availability, processing integrity, confidentiality, and privacy that the American Institute of Certified Public Accountants (AICPA) has developed. The trust services are a set of professional attestation and advisory services that address risk.
According to AICPA, the following principles should be used in the performance of trust services engagements:
- Security: The system is protected against unauthorized access (both physical and logical)
- Availability: The system is available for operation and use as agreed
- Processing integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as agreed
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in “Generally Accepted Privacy Principles”
Management Control for Privacy and Data Protection Measures
There is a need for management oversight and control of privacy and data protection measures. Security policies are designed and implemented with input from senior management and with reference to the issues identified. Assessment and review of the policy is likewise carried out with reference to the issues identified and with input from senior management. Risk analysis is performed to ensure that all policies are understood in the context of the risks they may introduce into the organization. The outcome of this assessment is shared with senior management and is used to weigh the applicability and usability of the policy within the organization. Adjustments or changes to the policy that the assessment shows to be required are fed back into the policy cycle to drive implementation of the changes.
When implementing a security policy, typical data protection and privacy measures should include:
- Segregation of roles and appointments
- Training and instructions
- Authentication techniques and procedures
- Authorization techniques and procedures
- Control on the time validity of assigned authorization profiles
- Vulnerability control (patches and hardening)
- Intrusion/malware detection and relevant countermeasures
- Backup plans, techniques, and procedures
- Data recovery plans, techniques, and procedures
- Additional measures according to the criticality of the personal data and/or purpose of processing (strong authentication techniques, encryption)
- Personal data breach management plans, techniques, and procedures
- Log activities according to the criticality of personal data and/or purpose of processing
- Data retention control according to the purpose of processing
- Secure disposal of personal data and of processing equipment when no longer necessary
Challenges with Data Classifications in the Cloud
Some challenges in this area include the following:
- Data classifications at creation: One needs to ensure that proper security controls are in place so that whenever data is created or modified by anyone, the person modifying the data is forced to classify or update the data as part of the creation/modification process.
- Security controls: Controls could be administrative (serving as guidelines for users who are creating the data), preventive, or compensating.
- Metadata: Classifications can sometimes be made based on the metadata that is attached to the file, such as owner or location. This metadata should be accessible to the classification process to make the proper decisions.
- Classification data transformation: Controls should be placed to make sure that the relevant property or metadata can survive data object format changes and cloud imports and exports.
- Reclassification consideration: Cloud applications must support a reclassification process based on the data lifecycle. Sometimes the new classification of a data object may mean enabling new controls such as encryption or retention and disposal (e.g., customer records moving from the marketing department to the loan department).
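The enforcement points listed above (forced classification at creation and modification, metadata-driven labelling, labels that survive export/import, and reclassification on a lifecycle move that enables new controls) can be made concrete in a small model. This is an added example, not code from the original text; the classification levels, the department-to-level defaults and the controls each level obliges are constructed assumptions.

```python
import json
from dataclasses import dataclass, field

LEVELS = ("internal", "confidential", "restricted")
# Constructed policy (assumption): controls each level obliges, and the default level per department.
REQUIRED_CONTROLS = {
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption", "retention"},
    "restricted": {"access_control", "encryption", "retention", "disposal"},
}
DEPARTMENT_DEFAULTS = {"marketing": "internal", "loan": "confidential"}

@dataclass
class DataObject:
    name: str
    department: str          # metadata the classification process may read
    content: str
    classification: "str | None" = None
    controls: set = field(default_factory=set)

    def __post_init__(self):
        # Creation: derive a label from metadata if none was given, then enforce it.
        self._apply_label(self.classification or DEPARTMENT_DEFAULTS.get(self.department))

    def _apply_label(self, level):
        if level not in LEVELS:
            raise ValueError(f"{self.name}: missing or invalid classification {level!r}")
        self.classification = level
        self.controls = set(REQUIRED_CONTROLS[level])

    def modify(self, content, classification):
        # Modification: the editor must restate the label; it is never inherited silently.
        self._apply_label(classification)
        self.content = content

    def reclassify(self, department):
        # Lifecycle move (e.g. marketing -> loan): recompute the label, report newly enabled controls.
        before, self.department = set(self.controls), department
        self._apply_label(DEPARTMENT_DEFAULTS[department])
        return self.controls - before

    def export(self):
        # The label travels inside the serialized object so it survives export/import.
        return json.dumps({**vars(self), "controls": sorted(self.controls)})

    @classmethod
    def import_(cls, blob):
        # Controls are recomputed from the label on import, never trusted from the input.
        return cls(**{k: v for k, v in json.loads(blob).items() if k != "controls"})
```

Moving a constructed customer record from marketing to loan reports that encryption and retention are now required, and an object created without any label or a recognisable department is rejected rather than silently stored unclassified.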