Updated: Jul 23, 2019
Today in this series, we are going to look at the protection of Personally Identifiable Information (PII), which has become a major issue across the globe and is among the hottest topics in the security community.
But before that, let us list our 10 steps to cloud security as defined by Cloud Standards Council:
Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud service agreement
Understand the security requirements of the exit process
Let us begin by understanding what Personally Identifiable Information (PII) is, along with some background on it. There are numerous definitions out there on the internet, but the one which, I think, does full justice is this one.
“PII or personally identifiable information is any data that can be used to contact, locate or identify a specific individual, either by itself, or combined with other sources that are easily accessed. It can include information that is linked to an individual through financial, medical, educational or employment records.”
Some examples of PII are:
Personal identification numbers, such as driver’s license number, passport number, credit card number or social security number.
A name, such as full name, maiden name or mother’s maiden name.
Address information, like email address or street address.
Biological or personal characteristics, such as images of distinguishing features, fingerprints, x-rays, voice signatures or retina scans.
Now that we know what PII is, why do we need to protect it, how do we protect it, and what are the challenges?
One of the primary reasons to protect PII is the increasingly stringent laws and regulations in many countries. One of the most prominent is GDPR (General Data Protection Regulation), which regulates PII collected from EU citizens. This means that it applies to all organizations (whether established in the EU or outside the EU) dealing with the PII of EU citizens.
Some sensitive types of PII, like health records and financial data, are subject to additional regulations. Protected Health Information, or PHI, is regulated through HIPAA, and Protected Card Information (PCI) is self-regulated by the card industry through PCI DSS.
Now, let us understand a few terms related to PII:
Data Controller – An individual or an organization which collects PII and determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. In a cloud environment, it is the cloud customer.
Data Processor – An individual or an organization that processes the data on behalf of the data controller. In a cloud environment, it is the cloud service provider.
Data Subject – It is an individual from whom the PII is collected.
Let us now list the key things to remember when dealing with PII in the cloud:
The cloud customer is ultimately responsible for protecting and securing PII when it is placed or transferred into the cloud environment. However, there could be certain circumstances where the responsibility can be shared with the cloud service provider (CSP). Therefore, it is very important to enter into an agreement with the CSP on the sharing of security responsibility.
One of the key requirements to notice here, from both the GDPR and ISO 27018 perspective, is that the data subject (whose PII is in question) should be given access to the PII, and in a machine-readable format. This adds a challenge in a cloud environment: data subjects have to be authenticated and then authorized to access only their own data, making sure that they do not have access to other PII.
GDPR and ISO 27018 make it mandatory to appoint a Data Protection Officer (or point of contact) for a public cloud PII processor (a CSP like AWS or Microsoft Azure).
One of the key challenges is location and jurisdiction. It is very important to know where PII is stored and processed, because many countries have different laws and regulations regulating PII.
So, we can see that protection of PII is very important for any organization processing it, due both to the legal requirements around it and to the severe implications that it can have for an individual whose PII is compromised. Technically, we need to implement all the security controls that we implement for data protection, but additional care should be taken in the classification and tagging of PII.
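As an illustration of the classification and tagging step mentioned above, here is an added example (not from the original post) that scans the fields of a record for three of the PII types listed earlier and tags the fields that contain them. The regular expressions, tag names and sample record are assumptions made for this example.

```python
import re

# Detectors for three of the PII types listed earlier. Patterns and tag names
# are assumptions made for this example, not a standard taxonomy.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US format only
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card-number digit runs


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> set:
    """Return the set of PII tags detected in one field value."""
    text = str(value)
    tags = set()
    if EMAIL.search(text):
        tags.add("pii:email")
    if SSN.search(text):
        tags.add("pii:ssn")
    if any(luhn_ok(m.group()) for m in CARD.finditer(text)):
        tags.add("pii:card-number")
    return tags


def tag_record(record: dict) -> dict:
    """Map each field name to its sorted PII tags; clean fields are omitted."""
    found = {f: sorted(classify_value(v)) for f, v in record.items()}
    return {f: tags for f, tags in found.items() if tags}


# Constructed sample record: test card number and placeholder values only.
SAMPLE = {
    "id": 1042,
    "contact": "jane.doe@example.com",
    "notes": "SSN 000-12-3456 on file; card 4111 1111 1111 1111",
    "order_ref": "1234567890123456",  # 16 digits, but fails the Luhn check
}
```

The resulting tags can be stored as metadata on the object or column so that access control, encryption and data-location policies key off them; free-text fields such as notes are where untagged PII most often hides.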