Is My Data Private in the Public Cloud?

Data privacy is central to every organization and balancing that against securing your customers’ personal data is one of the highest priorities of your information security team. This isn’t just true for highly regulated industries like healthcare or finance, but for every company that processes personal information. Directives like the European General Data Protection Regulation (GDPR) have set minimum privacy and data security standards. It’s vital for both your users and your business to understand the implications of data privacy, especially when securing sensitive data in cloud environments.

As businesses and consumers move increasingly to SaaS applications and data, it’s worth exploring the roles, responsibilities, and expectations for data privacy and who provides it. This comes down to two fundamental questions:

• How will security be handled, and who will be responsible for what?
• Is data private in the public cloud?

Responsibilities for Data Privacy in the Public Cloud

We can divide the responsibilities into four key areas:

• The end-user, known as the “data subject” (e.g., an individual customer)
• The SaaS customer, known as the “data controller” (e.g., a bank using a SaaS system to manage logins securely)
• The SaaS provider, known as the “data processor” (e.g., the vendor of the SaaS login platform)
• The cloud infrastructure provider, known as the “data processor or data sub-processor” (e.g., the underlying cloud servers that the SaaS application runs on, like AWS, Google Cloud, or MS Azure)

In a typical public cloud ecosystem, responsibilities follow a “shared security responsibility” model. One of the main principles of this model is that you are always responsible for securing what’s under your direct control.

End-User Security and Privacy Responsibilities
The end-user is responsible for:

• Establishing their credentials for accessing the SaaS application
• Keeping their login credentials private
• Not sharing or exposing their credentials
• Renewing their credentials when required to do so

SaaS Customer Security and Privacy Responsibilities
The SaaS customer is responsible for:

• Using the data within the application responsibly and securely
• Using the SaaS application as part of their relationship with the vendor and the end-user

SaaS Provider Security and Privacy Responsibilities
The SaaS provider is responsible for:

• Everything else at an application or data level
• All application-level security within the cloud application
• All data-level security within the cloud application

Cloud Infrastructure Provider Security and Privacy Responsibilities
The cloud infrastructure provider is responsible for:

• The security of the public cloud infrastructure platform
• The physical infrastructure, networking infrastructure and virtualization layer

It’s essential to have a Zero Trust security model. Despite the shared security responsibilities, each party must have rigorous controls to ensure they meet their obligations.

Data Privacy in the Public Cloud

Here are some important considerations for managing data privacy:

• Any SaaS provider that relies on a public cloud service provider should also implement its security controls and follow a Zero Trust, best-practice security model
• Certifications like ISO 27001 or SOC2 are excellent indicators of a robust approach to data security and privacy, so look for providers that meet these criteria
• Evaluate adherence to the following security controls*:
  • Following privacy-specific safeguards around data, such as minimizing the use of data to only use data that is essential for the products and services and being clear about data collection, creation, management and deletion
  • Keeping the data within the same region without transfer across different data protection regulations, for example, the U.S. and Europe
  • Ensuring that personal data is anonymized and de-identified
  • Conducting regular and comprehensive security monitoring and penetration testing
  • Maintaining full segregation between tenant accounts, with exclusive, tenant-specific keys for encrypting and transferring data
  • Encrypting data in transit through TLS/SSL and public cloud infrastructure provider security protocols
  • Protecting data in use through strong authentication at all stages, including fine-grained and well-maintained permission management, following the Principle of Least Privilege, and having robust logging and audit trails
  • Leveraging cloud provider hardware and hypervisor hardening (e.g., AWS Nitro System)

*note that this list isn’t exhaustive but that it includes essential components to consider

Our Approach to Data Protection and Privacy

Data protection regulations will continue to evolve. As a SaaS provider, we believe that it’s better to take a firm stance on data protection now to ensure compliance in the future by continuously challenging and improving the status quo. This includes implementing region-specific platforms and a comprehensive encryption architecture from the very early stages of design.

This expands into end-to-end encrypted data and confidential computing — and the confidence that personal data is always protected: at rest, in transit and during processing. Public cloud providers realize the importance of this too by offering solutions to support data privacy. Here are some examples of well-known provider solutions:

• MS Azure with hardware-based trusted execution environments
• Google Cloud with a Confidential VMs feature
• AWS with AWS Nitro Enclaves on Nitro based EC2

Whatever the future of data protection and privacy brings, we’re ready to protect your business and user data and ensure that privacy is maintained.

Wadiha El Batti is a Senior Product Owner for the Authentication Platform within Identity and Access Management (IAM) at HID Global. She has 20 years of experience in IT Security and more particularly authentication products. Wadiha has significant experience within Engineering and is highly technically skilled. She started her career as a developer and software architect and then evolved to being responsible for managing international delivery engineering teams. Wadiha managed the project which transformed our authentication platform offering by adding a multi-tenant Authentication SaaS.