By 2025 the amount of data stored in the cloud by governments, organizations, and individuals will reach 100 Zettabytes. This means that for many organizations their attack surface is expanding, as an increasing amount of sensitive data, including customer PII is stored in the cloud. In this post, we’re going to go over the ways that companies can safely maintain the security and integrity of PII within cloud systems.
What is PII?
PII or Personally Identifiable Information is any data about an individual that can be tied to that individual’s identity. PII typically includes:
- Full name
- Social Security Number (SSN)
- Passport numbers
- Credit card number
- Financial information like taxpayer ID numbers or routing numbers
Legally codified definitions of PII vary between jurisdictions. For example, in California, in order for a security incident to count as a breach of PII (or personal information as it's defined in Cal. Civ. Code §1798.82) it must impact data containing:
An individual’s first name or first initial and last name in combination with any one or more of the following data elements in plaintext:
Alternatively a breach includes California PI if it contains usernames or email addresses, in combination with a password or security question and answer that would permit access to an online account can constitute California personal information.
How can PII be stored in the cloud safely?
To store PII securely in the cloud, organizations should implement the following best practices:
- Encryption: Ensure data is encrypted both at rest and in transit to protect it from unauthorized access. Use robust encryption protocols, such as SSL/TLS for data in transit and AES-256 for data at rest. Additionally, consider implementing encryption key management best practices, such as key rotation and secure key storage, to maintain the integrity of encrypted data.
- Access controls: Employ strong access controls to limit access to PII to only authorized personnel. Implement role-based access control (RBAC) to assign permissions based on job responsibilities, multi-factor authentication (MFA) to verify users' identities, and the principle of least privilege to ensure users have the minimum necessary access.
- Data segregation: Segregate PII from non-sensitive data to reduce the risk of unauthorized access or exposure. Store PII in separate databases, storage accounts, or containers and implement additional access controls to limit access to these segregated areas.
- Data retention and disposal: Establish data retention policies to store PII only for the required duration and securely dispose of it when it's no longer needed. Implement secure deletion techniques, such as cryptographic erasure or physical destruction of storage media, to ensure that the deleted data cannot be recovered.
- Data Loss Prevention (DLP): Implement DLP solutions to monitor, detect, and prevent the unauthorized transfer or exposure of PII. DLP tools can be configured to identify sensitive data patterns, such as credit card numbers or Social Security numbers, and take appropriate actions to prevent data leakage, such as alerting, blocking, or encrypting the data.
- Cloud Security Posture Management (CSPM): Utilize CSPM tools to continuously monitor and assess the security posture of your cloud environment. These tools help identify misconfigurations, compliance violations, and potential threats, enabling organizations to remediate security issues proactively and maintain a robust security posture.
- Incident response planning and training: Develop a comprehensive incident response plan to handle potential data breaches or unauthorized access to PII. Conduct regular training sessions and drills to ensure that employees are aware of their responsibilities during a security incident and are prepared to respond effectively.
By implementing these best practices, organizations can improve their security posture and store PII safely within cloud systems.
What regulations do I have to follow to store PII in the cloud?
Several regulations outline requirements for securing PII in the cloud. While each regulation has its nuances, they generally aim to protect individuals' privacy and ensure responsible data handling. Key regulations include:
- GDPR (General Data Protection Regulation): GDPR is a comprehensive data protection regulation that applies to organizations processing personal data of individuals in the European Union. The challenge with GDPR compliance lies in the strict requirements around data subject rights, such as the right to be forgotten and data portability, which demand robust data management processes.
- CCPA (California Consumer Privacy Act): This data privacy law governs the collection and use of personal information for California residents. Unique challenges under CCPA include the need to provide consumers with the option to opt-out of the sale of their personal information, necessitating a mechanism to track and manage such requests.
- HIPAA (Health Insurance Portability and Accountability Act): HIPAA is a U.S. regulation that mandates the protection of sensitive patient health information. The challenge with HIPAA compliance lies in the need to secure not just PII but also Protected Health Information (PHI), requiring additional safeguards and strict access controls.
- PIPEDA (Personal Information Protection and Electronic Documents Act): PIPEDA is a Canadian law that governs the collection, use, and disclosure of personal information in private sector organizations. Challenges with PIPEDA compliance include the requirement to obtain consent for the collection and use of personal information, as well as providing individuals access to their data upon request.
Ultimately, the cloud offers numerous advantages for organizations, but securing PII within cloud systems presents unique challenges. By implementing best practices such as encryption, access controls, data segregation, DLP, and data retention policies, organizations can effectively store PII in the cloud while maintaining compliance with various data protection regulations. Understanding the specific regulatory requirements and the unique challenges they present is essential in ensuring the secure handling and storage of PII in the cloud.