Sensitive Data and Data Privacy
Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
There are three main types of sensitive information:
Personal information: Sensitive personally identifiable information (PII) is data that can be traced back to an individual and that, if disclosed, could result in harm to that person. Such information includes biometric data, medical information, personally identifiable financial information (PIFI) and unique identifiers such as passport or Social Security numbers. Threats include not only crimes such as identity theft but also disclosure of personal information that the individual would prefer remained private. Sensitive PII should be encrypted both in transit and at rest.
Business information: Sensitive business information includes anything that poses a risk to the company in question if discovered by a competitor or the general public. Such information includes trade secrets, acquisition plans, financial data and supplier and customer information, among other possibilities. With the ever-increasing amount of data generated by businesses, methods of protecting corporate information from unauthorized access are becoming integral to corporate security. These methods include metadata management and document sanitization.
Classified information: Classified information pertains to a government body and is restricted according to level of sensitivity (for example, restricted, confidential, secret and top secret). Information is generally classified to protect security. Once the risk of harm has passed or decreased, classified information may be declassified and, possibly, made public.
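The personal-information paragraph above requires that sensitive PII be encrypted at rest. The following is an added example in Go, not code from the page: it classifies a few record fields as sensitive (a constructed classification), seals only those with AES-256-GCM from the standard library, and binds each ciphertext to its record ID and field name as associated data so that a value copied into another record or column fails authentication. It assumes the key is obtained from a key-management service rather than stored beside the data; the key generated in `main` stands in for that.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SensitiveFields lists the record fields classified as sensitive PII.
// Everything else in a record is stored in the clear. (Constructed
// classification for this example.)
var SensitiveFields = map[string]bool{
	"ssn":         true,
	"passport_no": true,
	"diagnosis":   true,
}

// aad binds a ciphertext to one record and one field, so a value copied
// from another record (or another column) will not authenticate.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// EncryptField seals one field value with AES-256-GCM under key.
// Output layout: 12-byte random nonce || ciphertext || 16-byte tag.
func EncryptField(key []byte, recordID, field string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(recordID, field)), nil
}

// DecryptField reverses EncryptField and verifies the record/field binding.
func DecryptField(key []byte, recordID, field string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(recordID, field))
}

// ProtectRecord encrypts only the fields classified as sensitive; the
// returned map holds ciphertext for those and the original bytes for the rest.
func ProtectRecord(key []byte, recordID string, rec map[string]string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(rec))
	for field, value := range rec {
		if !SensitiveFields[field] {
			out[field] = []byte(value)
			continue
		}
		sealed, err := EncryptField(key, recordID, field, []byte(value))
		if err != nil {
			return nil, err
		}
		out[field] = sealed
	}
	return out, nil
}

func main() {
	// Assumption: in a real deployment the key comes from a KMS/HSM, never from the record store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := map[string]string{"name": "A. Example", "ssn": "000-00-0000"} // constructed sample record
	stored, err := ProtectRecord(key, "cust-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("name stored as %q, ssn stored as %d opaque bytes\n", stored["name"], len(stored["ssn"]))
	// Moving the sealed SSN to another record fails: the associated data no longer matches.
	if _, err := DecryptField(key, "cust-43", "ssn", stored["ssn"]); err != nil {
		fmt.Println("rebind rejected:", err)
	}
}
```

The same key never protects a value without its record and field context, which is what stops a ciphertext from being silently re-used elsewhere in the store; protection in transit is a separate layer (TLS) and is not shown here.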
Data privacy, also called information privacy, is the aspect of information technology (IT) that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties.
Although information technology is typically seen as the cause of privacy problems, there are also several ways in which it can help to solve them. There are rules, guidelines and best practices that can be used for designing privacy-preserving systems. These range from ethically informed design methodologies to the use of encryption to protect personal information from unauthorized use.
There are also several industry guidelines that can be used to design privacy-preserving IT systems. The Payment Card Industry Data Security Standard (see PCI DSS v3.0, 2013, in the Other Internet Resources), for example, gives very clear guidelines for the design of privacy- and security-sensitive systems in the credit card industry and among its partners (retailers, banks). Various International Organization for Standardization (ISO) standards (Hone & Eloff 2002) also serve as a source of best practices and guidelines, especially with respect to security, for the design of privacy-friendly systems.
Although data privacy and data security are often used as synonyms, the relationship between them is better described as symbiotic. Just as a home security system protects the privacy and integrity of a household, a data security policy is put in place to ensure data privacy. When a business is trusted with the personal and highly private information of its consumers, it must enact an effective data security policy to protect this data. The following paragraphs give a more in-depth account of data security and data privacy.
Data security is commonly defined in terms of the confidentiality, integrity and availability of data. In other words, it comprises all of the practices and processes in place to ensure that data is not used or accessed by unauthorized individuals or parties, that it is accurate and reliable, and that it is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps help a business meet the legal obligations that come with possessing sensitive data.
Data privacy can be defined as the appropriate use of data. When companies and merchants use data that is provided or entrusted to them, the data should be used only for the agreed purposes. The Federal Trade Commission enforces penalties against companies that have neglected to ensure the privacy of customers’ data. In some cases, companies have sold, disclosed or rented volumes of the consumer information entrusted to them to other parties without obtaining prior approval.
Cloud Data Privacy
Cloud computing is one of the most important current trends in information and communications technology (ICT) and in ICT management. Its main service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The term derives from the cloud symbol commonly used in diagrams to represent the internet and the complex infrastructure behind it.
Hardware and software are no longer procured and operated by users themselves but obtained as services. Cloud service providers enable users to access and use the necessary ICT resources via the internet. To provide these resources, providers often rely on other providers in the cloud, which, for example, make storage capacity available for customer data or computing capacity for data processing.
Cloud computing services are used by consumers as well as by organisations and companies. Offers in cloud computing comprise, among other things, the provision of computing and storage capacity; the provision and operation of development environments, operating systems and database-management systems; web hosting; web-mail services; and a growing number of types of application software, including word processing and other office applications, customer relationship management, supply chain management, and the storage and management of photos or personal health-related data (electronic health records), to name a few.
There are several steps you can, and should, take to ensure the security of your corporate data when moving to the cloud.
The issue of data privacy is at the forefront of everybody’s mind. Television commercials advertise security products, and news programs frequently describe the latest data breach. Public perception aside, any organization has a legal obligation to ensure that the privacy of its employees and clients is protected.
Laws prohibit some data from being used for secondary reasons other than the purpose for which it was originally collected. You can’t collect data on the health of your employees, for example, and then use it to charge smokers higher insurance premiums. Also, you can’t share certain data with third parties. In the world of cloud computing, this becomes much more difficult, as you now have a third party operating and managing your infrastructure. By its very nature, that provider will have access to your data.
If you’re collecting and storing data in the cloud and it’s subject to the legal requirements of one or more regulations, you must ensure the cloud provider protects the privacy of the data in the appropriate manner. Just like data collected within your organization, data collected in the cloud must only be used for the purpose for which it was initially collected. If the individual was told that the data would be used for one purpose, that assurance must be upheld.
Privacy notices often specify that individuals can access their data and have it deleted or modified. If the data is in a cloud provider’s environment, these privacy requirements still apply, and the enterprise must ensure the request can be met within a timeframe similar to the one that would apply if the data were stored on site. If data access can only be accomplished by personnel within the cloud provider’s enterprise, you must be satisfied that they can fulfil the task as needed.
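The two obligations just described, use limited to the purpose agreed at collection (including no secondary use and no third-party sharing) and timely handling of a deletion request, can be enforced in the data store itself rather than left to policy. The following is an added example in Go, not code from the page or from any provider: every record carries the purposes the individual consented to, access under any other purpose is refused and logged, external recipients need an explicit sharing flag, and an erasure job reports whether it met the agreed deadline. The purpose names, the employee-health record and the 30-day deadline are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purpose names are constructed for this example.
type Purpose string

const (
	PurposeOccupationalSafety Purpose = "occupational_safety"
	PurposeInsurancePricing   Purpose = "insurance_pricing"
)

// Record is a data item together with the purposes the individual agreed
// to when it was collected and whether sharing with third parties was allowed.
type Record struct {
	ID            string
	Subject       string
	Data          map[string]string
	Purposes      map[Purpose]bool
	ShareExternal bool
}

var (
	ErrNotFound        = errors.New("record not found")
	ErrPurposeMismatch = errors.New("use not covered by the purpose agreed at collection")
	ErrNoExternalShare = errors.New("sharing with third parties not permitted")
)

// Store is an in-memory stand-in for a data store operated by a cloud provider.
type Store struct {
	records map[string]*Record
	audit   []string // every decision is logged, allowed or denied
}

func NewStore() *Store { return &Store{records: map[string]*Record{}} }

func (s *Store) Put(r *Record) { s.records[r.ID] = r }

// Access returns the data only when the requested purpose is one the subject
// consented to; an external recipient additionally needs ShareExternal.
func (s *Store) Access(id string, purpose Purpose, external bool) (map[string]string, error) {
	r, ok := s.records[id]
	if !ok {
		return nil, ErrNotFound
	}
	if !r.Purposes[purpose] {
		s.audit = append(s.audit, fmt.Sprintf("DENY %s purpose=%s", id, purpose))
		return nil, ErrPurposeMismatch
	}
	if external && !r.ShareExternal {
		s.audit = append(s.audit, fmt.Sprintf("DENY %s external share", id))
		return nil, ErrNoExternalShare
	}
	s.audit = append(s.audit, fmt.Sprintf("ALLOW %s purpose=%s", id, purpose))
	return r.Data, nil
}

// EraseReceipt records the outcome of a deletion request, including whether
// it was completed inside the deadline promised in the privacy notice.
type EraseReceipt struct {
	Subject   string
	Removed   int
	Completed time.Time
	OnTime    bool
}

// EraseSubject removes every record belonging to subject.
func (s *Store) EraseSubject(subject string, requested time.Time, deadline time.Duration, now time.Time) EraseReceipt {
	removed := 0
	for id, r := range s.records {
		if r.Subject == subject {
			delete(s.records, id)
			removed++
		}
	}
	s.audit = append(s.audit, fmt.Sprintf("ERASE subject=%s removed=%d", subject, removed))
	return EraseReceipt{Subject: subject, Removed: removed, Completed: now, OnTime: !now.After(requested.Add(deadline))}
}

func (s *Store) Audit() []string { return s.audit }

func main() {
	s := NewStore()
	// Constructed record: health data collected for occupational safety only.
	s.Put(&Record{ID: "h-1", Subject: "emp-7", Data: map[string]string{"smoker": "yes"},
		Purposes: map[Purpose]bool{PurposeOccupationalSafety: true}})
	_, err := s.Access("h-1", PurposeInsurancePricing, false)
	fmt.Println("insurance pricing:", err) // denied: secondary use
	_, err = s.Access("h-1", PurposeOccupationalSafety, true)
	fmt.Println("external share:", err) // denied: no third-party sharing agreed
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	rcpt := s.EraseSubject("emp-7", t0, 30*24*time.Hour, t0.Add(3*24*time.Hour))
	fmt.Printf("erased %d record(s), on time: %v\n", rcpt.Removed, rcpt.OnTime)
}
```

The audit trail is the part to keep when the store is run by a provider: the denial entries are the evidence that the purpose restriction is enforced, and the erasure receipt is what you would ask the provider to produce for each deletion request.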
If you’ve entered into a click-wrap contract, you’ll be constrained by the terms the cloud provider has set out. Even with a tailored contract, the cloud provider may try to limit the data control it offers so that all its clients are handled in a uniform way. This reduces the cloud provider’s overhead and the need to have specialized staff on hand. If complete control over your data is a necessity, you need to ensure this upfront and not bend to a cloud provider’s terms.
Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management and address them with security controls, which fall into four categories: deterrent, preventive, detective and corrective.
Deterrent controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, they typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed. (Some consider them a subset of preventive controls.)
Preventive controls strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
Detective controls are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control signals the preventive or corrective controls to address the issue. System and network security monitoring, including intrusion detection and prevention systems, is typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.
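A detective control of the kind described above, shown as an added example in Go that is not code from the page or from any product: it parses a constructed authentication audit log, keeps a sliding window of failed logins per source address, raises a brute-force alert when the threshold is reached, and raises a second, more urgent alert when a success follows such a burst, which is the signal a corrective control (locking the account, revoking sessions) should act on. The log format, addresses and thresholds are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Event is one parsed authentication log line.
type Event struct {
	At      time.Time
	Outcome string // "FAIL" or "OK"
	User    string
	Src     string
}

// Alert is what the detective control hands to preventive or corrective controls.
type Alert struct {
	Kind string // "brute_force" or "success_after_failures"
	Src  string
	User string
	At   time.Time
}

// ParseLine parses the constructed format:
//   <RFC3339 time> login <FAIL|OK> user=<name> src=<ip>
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "login" {
		return Event{}, fmt.Errorf("unrecognised line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, Outcome: f[2], User: strings.TrimPrefix(f[3], "user="), Src: strings.TrimPrefix(f[4], "src=")}, nil
}

// Detector keeps, per source address, the timestamps of failures inside Window.
type Detector struct {
	Window    time.Duration
	Threshold int
	failures  map[string][]time.Time
	alerted   map[string]bool // one brute-force alert per source until it goes quiet
}

func NewDetector(window time.Duration, threshold int) *Detector {
	return &Detector{Window: window, Threshold: threshold, failures: map[string][]time.Time{}, alerted: map[string]bool{}}
}

// Observe feeds one event and returns the alert it triggers, if any.
func (d *Detector) Observe(e Event) *Alert {
	var recent []time.Time // failures from this source still inside the window
	for _, t := range d.failures[e.Src] {
		if e.At.Sub(t) <= d.Window {
			recent = append(recent, t)
		}
	}
	if len(recent) == 0 {
		d.alerted[e.Src] = false // source went quiet: re-arm the alert
	}
	if e.Outcome == "FAIL" {
		recent = append(recent, e.At)
		d.failures[e.Src] = recent
		if len(recent) >= d.Threshold && !d.alerted[e.Src] {
			d.alerted[e.Src] = true
			return &Alert{Kind: "brute_force", Src: e.Src, User: e.User, At: e.At}
		}
		return nil
	}
	// A success right after a burst of failures is the urgent case: a guess
	// may have landed, so corrective controls should be triggered.
	d.failures[e.Src] = recent
	if len(recent) >= d.Threshold {
		return &Alert{Kind: "success_after_failures", Src: e.Src, User: e.User, At: e.At}
	}
	return nil
}

// Scan runs the detector over a whole log and collects the alerts.
func Scan(log string, d *Detector) ([]Alert, error) {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if a := d.Observe(e); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts, nil
}

// SampleLog is a constructed audit log: one source guessing at alice's
// password and then succeeding, plus one unrelated normal login.
const SampleLog = `
2024-01-01T10:00:00Z login FAIL user=alice src=203.0.113.5
2024-01-01T10:00:05Z login FAIL user=alice src=203.0.113.5
2024-01-01T10:00:09Z login OK user=bob src=198.51.100.7
2024-01-01T10:00:12Z login FAIL user=alice src=203.0.113.5
2024-01-01T10:00:20Z login FAIL user=alice src=203.0.113.5
2024-01-01T10:00:31Z login FAIL user=alice src=203.0.113.5
2024-01-01T10:00:40Z login OK user=alice src=203.0.113.5
`

func main() {
	alerts, err := Scan(SampleLog, NewDetector(60*time.Second, 5))
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s src=%s user=%s\n", a.At.Format(time.RFC3339), a.Kind, a.Src, a.User)
	}
}
```

With a 60-second window and a threshold of 5 the sample log yields two alerts, the brute-force alert at the fifth failure and the success-after-failures alert at the final login; widening or narrowing the window is the usual tuning knob, and the second alert kind is the one worth wiring to an automatic corrective action.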