Protecting personal data is always a top priority during largescale cloud adoption. For organisations routinely working with financial or healthcare data, concerns reach a whole new level. Security practices that work in traditional settings don’t necessarily translate well to cloud-based environments.
Public cloud providers offer effective measures to address this challenge. However, they must be properly implemented, and default offerings don’t always go far enough for highly regulated industries.
This blog post outlines practical ways to enhance the protection of data in the cloud. We use personal data as an example, but the principles apply to other types of sensitive data too.
For a deeper dive on this topic, check out a two-part blog by Thomas Smart at our partner consultancy Sourced. He covers Personally Identifiable Information in Regulated Organisations and Protecting Personal Data in Serverless Cloud.
Personal data rules
‘Personal’ data is that which can identify a specific person either by itself or when combined with additional information. General Data Protection Regulations (GDPR) in the UK and EU outline strict rules surrounding its handling, storage and processing. Certain special categories, such as individuals’ health data, require a higher level of protection due to their sensitivity.
Organisations breaching GDPR risk fines and reputational harm, regardless of whether personal data has been leaked. Infringements in the EU trigger a maximum penalty of €20 million or 4% of annual global turnover, whichever is greater. Tessian, the enterprise email security specialist, recently wrote about the 25 biggest GDPR fines levied since GDPR came into effect.
Article 32 of EU GDPR and the security principle of UK GDPR highlight an obligation to implement ‘appropriate technical and organisational measures’ to protect personal data. What’s more, measures taken must reflect the level of risk to individuals if their data is leaked or stolen. So, while financial data isn’t classified as a special category, security surrounding it must be rigorous.
The following measures offer effective and scalable ways to maintain or improve on traditional data security in the cloud.
1. Consider serverless for ‘principle of least privilege’
This well-established security strategy is widely used in traditional environments. However, it becomes considerably more powerful when used in a cloud-based context, and especially so in serverless architectures. Based on this principle, any entity (user or service) is granted minimal permissions to perform its role at any given time.
With a server-based approach to principle of least privilege, entire applications retain access to anything required by individual functions. For instance, if any part of the application needs access to a database, full read-write access must be provided.
With a serverless approach it’s easier to control (and track) access to different sets of data. Each microservice is allocated its own set of permissions, unique to its needs and distinct from other microservices. So, a single microservice may have exclusive access to a source of sensitive data. Any other microservices, applications or individual users needing to access the data would have to do so via the microservice. This improves visibility and makes it easier to monitor and validate data requests to ensure they are authorised and auditable. It’s also possible to limit permissions so users can only perform specific requests or actions, or access certain data attributes.
2. Use advanced logging and monitoring
AWS and Azure both offer powerful solutions to handle data logging and monitoring in their cloud-based environments. There are also some excellent advanced cloud monitoring options available ‘as a service’ from third party providers.
One provider that we rate very highly is DataDog. Its scalable log management service improves visibility and integrates seamlessly with security signals to aid rapid investigation of emerging threats. And its Sensitive Data Scanner helps organisations meet compliance goals by discovering, classifying and hiding sensitive data within log data. This offering can follow built-in or user-defined rules to meet the requirements of GDPR as well as industry-specific data rules like the Health Insurance Portability and Accountability Act (HIPPA).
We used DataDog to help strengthen security parameters in our work with health technology company Closed Loop Medicine (CLM). When CLM ran a clinical trial for a hypertension therapy package, we ensured the platform underpinning it ran smoothly and securely throughout.
Read the full CLM case study here.
3. Go beyond basic encryption
GDPR stipulations include encryption as an appropriate option for personal data protection. Data should be encrypted in transit using transport layer security (TLS), and at rest with encryption keys. Encryption provides an additional layer of security on top of access control, and it’s readily available via managed services from AWS and Azure.
In addition to basic encryption services from cloud providers, large organisations and those operating in highly regulated industries benefit from advanced options. These include the cloud service Lambda which hosts microservices and only supports secure connections over HTTPS. Lambda environment variables are encrypted at rest. There are encryption helpers for additional protection, but it is better to use a dedicated service to store sensitive parameters.
The storage service S3 and the DynamoDB database service have many options for encrypting data at rest and in transit. S3 can also be configured to reject incoming data or requests for data that don’t arrive via an encrypted channel.
For scenarios where sensitive data needs to be completely anonymised, tokenisation is worth considering. While encryption uses a mathematical process to transform data, tokenisation replaces the data entirely. If necessary, a token vault can be used to remember the relationships between tokens and sensitive data.
Investing in appropriate measures
While many traditional practices are different in the cloud, the people, process, technology framework remains wholly relevant. When it comes to modern cloud security, people working with personal data need training to ensure they can handle it safely and securely. Processes must be robust and carefully orchestrated to maximise personal data protection. And new technologies offering enhanced security should be explored and embraced where appropriate. All of this requires ongoing attention and investment, both during largescale cloud adoption and beyond throughout longer-term cloud management.
We’ve helped lots of financial services and healthcare organisations find the right balance to protect data effectively in the cloud.
Check out our case study for Bond Digital Health which needed a secure, highly available cloud-based application to handle lateral flow test data. To maximise security, we used AWS Web Application Firewall which acts as a filter before load balancers, monitoring all incoming traffic. We also took a methodical approach to setting permissions. This included making sure we were unable to ‘access object’ in certain buckets which contain sensitive information.
You can also read about how we supported Creditsafe, a provider of online company credit scores and credit report information. Ahead of its accelerated migration to AWS we created a series of blueprints for secure, cost-effective and consistent cloud adoption.