Data privacy risks include those associated with access control, internal segmentation, sub-contractors, data ownership, e-discovery, data censorship and encryption. Let us discuss them in detail as follows:
When an organization decides to move corporate data and /or documents to an external cloud environment, there is a high tendency that individuals working in the service provider organization may have access to the data in a bid to provide support to the provisioned service.
To manage this risk, potential cloud customers can request the cloud service provider to:
- Grant data/files access to only personnel
- Run background checks on such personnel
- Maintain proper records of approval and removal of internal access to the data
- Review and monitor data access
- Conduct essential training for internal staff on data protection requirements
This is a data disclosure risk of likely occurrence between two or more organizations when the vulnerabilities associated with improper structuring and configuration of the data architecture of a cloud service exposes the data of one organization to another in a multi-tenant cloud environment.
To manage this risk, potential cloud consumers can request the cloud service provider to:
- Practice internal walls/segmentation between the data of different organizations
- Audit data storage to ensure effective implementation of internal barriers
- Monitor the cloud provider for compliance to these risk mitigation strategies
A number of cloud service providers with multiple layers of cloud services usually engage in subletting cloud provisioning to support the services of other cloud provides.
Should it arise that the original cloud service provider sub-contracts one or more of the cloud services being provisioned to an organization to another service provider, the organization must enforce that its cloud services’ regulatory compliance requirements be met by the sub-contractors through appropriate contract language/terms with the original cloud service provider.
The organization must also ensure it identifies all sub-contractors associated with provisioning of its cloud services in order to be able to tract their level of compliance adherence.
To manage this risk, the organization is required to:
Discuss how to provide the identities of all sub-contractors with the cloud service provider in order to monitor their compliance status.
- Reach a contractual agreement with the service provider to ensure that the serial service associated with the organization’s cloud service provisioning adhere to compliance requirements.
- Ensure that the service provider puts a vendor management program in place to tract the compliance of its vendors.
- Monitor the service provider’s compliance with the vendor management program requirements.
Most cloud service providers usually place ownership claims, usage and redistribute rights over consumer’ data being hosted. To manage this risk, the organization can:
- Emphasize on the primacy of its data ownership rights and ensure it is acknowledged by the service providers.
- Contractually bind the service provider to use organization data within the agreed limit.
- Contractually bind the service provider to return and delete the organization’s data when the period of their contract terms expires.
Organization data hosted by a cloud service provider is potentially prone to e-discovery and disclosure risk and such compromised by legal actions targeting the service provider, any of its associated service providers or customers. To manage this, the organization can:
- Contractually bind the service provider to inform the organization of any required legal disclosure that may compromise the organization’s data via e-discovery.
- Make internal arrangements to tackle e-disclosure needs if it arises.
Unacceptable delays on the part of an organization (cloud consumer) are often experienced when changes are required to be made to an organization’s data when the cloud providers hold the right to audit and censor any data to the host. To mange this risk, the organization can:
- Contractually identify and assess conditions for such activities to hold any supported process from the service provider.
- Request to be notified of such activities by the service provider.
Some uncommon cloud services are hyped to meet specific regulatory requirements, including data encryption. However, it could be very expensive to encrypt data-at-rest. To address this risk, the organization can:
- Adopt the use of encryption-free cloud data services only
- Select and validate that such a cloud service provider is encryption complaint and with appropriate encryption controls that are often assessed.
- Ensure that the appropriate key management practices for encryption support are available.