You are Now Cloud-first – but are You Putting Privacy First?
Privacy vs Security
Security and privacy often get conflated even though they are quite different things. When it comes to digital assets, security is often associated with organizations, while privacy is associated with individuals. The truth though is that both are important elements in any digital strategy and can impact both individuals and organizations. Privacy especially is an often overlooked element in a business’s security context and is perhaps even more important for a business than for an individual. For example, when you sign up with Google for any of their services, you may be willing to trade off some personal information in exchange for convenience, but businesses have a tough time with this due to liabilities they face under regulation. Paying attention to data privacy is more important than ever, considering the frequency and prevalence of breaches everywhere.
The average cost of lost business after a breach for a US organization adds up to roughly $4.2 million. 1
Ten years ago, in a simpler world, all of a business’ data was in their data center – most likely on-premises. Protecting that data was a relatively simple task. Now, with more than a third of all business data sitting in the cloud, and end-users accessing it on the run, from mobile devices – the world has become infinitely more complex for your average IT Administrator. Data management solutions have adapted to this change and many of them now offer services that protect both on-premise and SaaS assets – and many of these solutions are offered in a SaaS model.
Security ≠ Privacy
But while they can all claim to be secure, few can really claim to provide privacy. The reason is that while they all use encryption to protect backed-up data, in most cases, they also choose to retain the ability to decrypt the data when it suits them.
The key to delivering privacy is to understand a concept called the separation of duties or segregation of duties. Encryption can provide security, but without strict separation of duties, it is as good as no privacy at all or weak privacy at best. When separation of duties is unclear or doesn’t exist, there is an implied loss of data privacy, which in turn leaves the organization in a less defensible position with respect to regulation.
Separation of Duties
When done correctly, Separation of Duties refers to risk and security measure that ensures no two parties can perform the same part of a critical process or function. By dividing responsibilities and limiting access to information and data on a strictly need-to-know basis, organizations can significantly reduce their risk. Many organizations already successfully implement Separation of Duties (SoD) in other areas of their business, such as in their finance teams.
In fact, most of us implement SoD as a society even in the simple act of operating a safe deposit box in a bank. When you do so, you are using the bank’s premises to keep valuable belongings – just like you may use the cloud to store valuable business data.
But when you rent a safe deposit box, you also usually lock it and bring a key back with you. And when you do that, you are forcing a Separation of Duties. You’re entrusting the bank with the duty of keeping your belongings safe. But you’re entrusting yourself with the duty of deciding who gets access to the safe deposit box. And by this simple action, you’ve achieved privacy.
Separation of Duties – in the Digital world
Extending the same analogy to the digital world means a business should be able to use the cloud to store valuable business data, but they should encrypt that data and ensure nobody else (other than the business) has the key to decrypt the data. Delivering real privacy requires a solution that provides strong encryption, and also combines it with strict a segregation of duties – by ensuring that the customer wholly controls the encryption process and the encryption keys. Such an arrangement achieves what is called Zero-Knowledge Privacy – which means the customer can trust that their data is private without the data management vendor or cloud vendor having to read their data or knowing their encryption keys. The business alone is the sole party with the ability to decrypt and recover its data. Therefore, by ensuring strong encryption with a clear separation of duties – one can leave the business in a much safer and more defensible position from a regulatory standpoint.
Parablu’s Private Storage Container
Parablu has pioneered the concept of a “private storage container”. It is a software artifact and can be created inside any cloud storage service you currently use or choose to use. Think of it as a ring-fenced area in which all data is kept safe. Along with strong encryption, Parablu also ensures that all data accesses are audit logged, the data is versioned, shareable, and searchable. And most importantly, it delivers you Zero-Knowledge Privacy.
1: The cost of lost business after a breach for US organizations adds up to $4.2 million
(Ponemon Institute: Cost of a Data Breach Study)