3 minute read

Responding to a Data Breach in the Cloud

Data breaches are the #1 cloud security threat. So given this level of risk, learn from this post how do you prepare for, and what new twists must you anticipate, when it comes to a data breach by a cloud vendor?

There are new and additional challenges that come into play when you have a data breach of sensitive personal information of your customers, or others, when that data resides in the cloud. The Cloud Security Alliance February 2013 report titled The Notorious Nine: Cloud Computing Top Threats in 2013 recognizes data breaches at the #1 cloud security threat. So given this level of risk, how do you prepare for, and what new twists must you anticipate, when it comes to a data breach by a cloud vendor?

So first and foremost, when you have personal data on your customers, be it personally identifiable information (PII) or protected health information (PHI) stored on or transmitted through a cloud vendor, you relinquish the level of physical and logical security and control that you have with your own servers. The implication of this is that it makes it more difficult for you to determine exactly what data was “breached”.

As noted in a recent discussion with Seth Berman of Stroz Friedberg (Cloud service providers often not set up for incident response, ComputerWeekly.com, August 2, 2013):

“Companies are forced to fight attackers on multiple geographic fronts, but the complexities of the internet cloud and patchwork quilt of data privacy laws means a prompt response is often difficult.”

And while as Mr. Berman notes, part of the complexity is the interesting web of laws that dictate the requirement for data breach notification, especially given that in the U.S. federal and state laws can overlap in confusing ways, much of the challenge can be in just determining the relevant facts: what data on what individuals was exposed? He further notes that:

“We regularly deal with incidents where data is scattered across servers in multiple physical locations or even on servers that may house other companies' data. This makes forensic response complicated, slow or, in some cases, impossible.”

Which is understandable. Part of the benefit of using cloud services is that they handle the virtualization process and scalability issues for you. So sensitive personal data to which you are entrusted can be spread across servers, and in some cases, on shared systems with other company’s similarly sensitive information. So imagine the challenges of carrying out a forensics investigation to determine the nature and level of data exposure, when you don’t “control” the computing environment.

A starting point to address this thorny issue comes in a recent report from Gartner Group on cloud contracts. Gartner has recommendations and guidance for companies to improve the provisions in their cloud contracts to address data breach risks and the processes for mitigating compromises and supporting the required data breach notification process. And then of course, there is the question of who bears the costs, and which costs.

It makes a great deal of sense to address the questions of how a data breach is handled with your cloud vendor as part of the agreement. Given the challenges in carrying out forensics in a timely and accurate fashion, you really want to be assured that your cloud vendor will have your back.

While it might be obvious to you already, it is your company’s reputation that is at risk with such a breach, and your obligation, morally and otherwise, to address the issues that surface with the affected individuals. So if your cloud vendor isn’t prepared to help you in promptly assessing the nature, scope and extent of a breach, then your life is likely to be much less pleasant for a long while.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.