The challenge of protecting personally identifiable information in the cloud

In the rush to turn data into valuable business insights, it can be easy to forget the importance of protecting personal privacy. Many data sets contain details collected from individuals and ensuring those details are handled appropriately at all times is critical.

It’s a challenge coming under a spotlight as organisations increasingly shift their data storage and processing to cloud platforms. In the past, protecting personally identifiable information (PII) has involved locking it behind layers of security such as firewalls. However, when the cloud comes into play, this approach is no longer possible.

Indeed, many security, governance, and compliance professionals cannot imagine that a cloud-based Software-as-a-Service (SaaS) platform could ever measure up to their standards and practices. Some may have had bad experiences with services in the past while others may have read headlines that made them hesitant to put their data into a cloud platform.

Processes and policies

Another challenge when dealing with PII is that there are often well-established processes and policies that dictate how it may be used. Even if a new technology turns the data processing world upside down, it’s not allowed to sidestep these important processes.

Insights gleaned from PII may represent new, exciting opportunities, but in many cases, failing to meet information security standards and laws are existential threats to an organisation as a whole. New revenue streams won’t mean anything to firms if they are sued out of existence.

Perhaps the most fascinating challenge many organisations face is adapting their processes after years of living with exceptions. Those layers and layers of customer-built protections can actually hide a lot of technical debt that will need to be removed as part of any migration process.

Intriguingly, despite these issues, many security experts are actually still happy to move to the cloud. This is not because they are particularly enamoured with shifting PII there, but because it’s a forcing function that sweeps away ad-hoc measures in favour of more standardised, well-tested approaches to security and governance.

VIEW ALL

The journey to the cloud

When it comes to initiating a shift of PII storage and processing to a cloud platform, the first step is to confirm with everyone involved that the concept is sound. Every organisation that takes its duty to protect PII seriously must answer all questions raised and confirm that it will be meeting the required standards for security.

The next step is determining exactly where the organisation is currently when it comes to data, as not all organisations will be starting from the same place. Determine where data is currently stored, how it will be migrated, and how it will be processed to gain insights.

Most organisations will find that the process of shifting PII to the cloud will happen in stages. Each stage needs to be carefully planned and all security implications considered. A slow and steady approach will be much more effective than a large-scale “big bang”.

Naturally, there will be some challenges that will need to be addressed along the way. These could come in the form of technologies, processes and people.

Challenges may also arise when it comes to policies. This is because policies in place within organisations that handle large amounts of sensitive information are designed to be very hard to change.

In some cases, existing policies may appear to cause a dead end. They might state that the organisation cannot put sensitive data into the cloud at all. It doesn’t matter what the business wants when the policy is that clear. Of course, such policies can be changed, but that can take time and result in frustrating delays.

For this reason, an increasingly common step taken by many organisations is to engage third parties to handle the tokenisation or encryption of the sensitive data. This is a great way to get the benefits of the cloud in the short term while waiting for policies to be changed.

Communication is critical

Regardless of the steps that end up being taken during the process of shifting PII to the cloud, having effective communication channels between all parties involved is very important. The reason is that some processes can occur and evolve much more quickly than others and there are risks that misunderstandings may arise.

It’s easy to overlook the annual, biannual and even quarterly cadences of governance and compliance when your technology is on an agile cadence measured in weeks or even days. Clear and consistent communication is the best way for problems to be identified and solved as swiftly as possible.

There are significant benefits that can be obtained by shifting PII to a cloud platform. However, for these to be realised, careful planning is required to guide every step along the way. Consider starting your journey today.

Peter O’Connor is the vice-president, ANZ at Snowflake.