{"id":3005,"date":"2015-01-19T00:00:00","date_gmt":"2015-01-19T00:00:00","guid":{"rendered":"http:\/\/otava.test\/maintaining-privacy-in-the-cloud-cultures-keeper\/"},"modified":"2015-01-19T00:00:00","modified_gmt":"2015-01-19T00:00:00","slug":"maintaining-privacy-in-the-cloud-cultures-keeper","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/maintaining-privacy-in-the-cloud-cultures-keeper\/","title":{"rendered":"Maintaining privacy in the cloud: culture’s keeper?"},"content":{"rendered":"

\u201cDear Diary,\u201d\"privacy_thumb\"<\/a><\/i><\/p>\n

These words carry two powerful implications:<\/p>\n

    \n
  1. If I am the author, this information is personally valuable and private to me.<\/li>\n
  2. If I am not the author and reading someone else\u2019s \u201cdear diary\u201d entry without being granted permission, I am violating a deeply personal boundary.<\/li>\n<\/ol>\n

    With everything-as-a-service and the prevailing forecast calling for use of \u201cclouds everywhere\u201d to store and send all manner of sensitive data – personal, financial, or health related information – the internet of everything now harbors millions of \u201cdear diary\u201d entries. At odds are the increasing use of cloud services in corporations without IT department involvement – so called \u201cshadow IT\u201d – and the cries of consumers, companies, and countries that \u201csomething must be done\u201d to protect privacy. It\u2019s no wonder that the majority of executives and board members are worried about cloud privacy, according to a recent survey by the Cloud Security Alliance (CSA).<\/p>\n

    Maintaining privacy is not a simple fix. As Forbes contributor Ben Kepes points out, \u201cTechnology alone cannot fix this problem.\u201d<\/i><\/p>\n

    Indeed. At its core, privacy comes down to my attitude of respect and discretion towards information that is deeply private and meaningful to you. In other words, a company\u2019s privacy record might be best predicted by culture, rather than by technology or even policy.<\/p>\n

    Each participant along the cloud highway – from infrastructure to networks, storage arrays, cloud controllers, backup environments, and user facing interfaces – needs to incorporate privacy, and the security safeguards that protect it, as a non-negotiable part of design requirements. Even \u201cpublic clouds\u201d would do well to ensure that they can be \u201cprivate clouds<\/a>\u201d.<\/p>\n

    Accomplishing privacy in the cloud requires two things:<\/p>\n

      \n
    1. setting aside the time and the money to consider and implement privacy safeguards at the start of new projects, and<\/li>\n
    2. monitoring and reviewing privacy controls as a part of daily operations and finding ways to incentivize ongoing improvement.<\/li>\n<\/ol>\n

      Neither of these points have a high take rate: they are complex, challenging, and require ongoing commitment. Worse, they threaten timelines, budgets, and short-term profits. But any informed cost comparison between taking these preventative measures to exercise the privacy muscle on a daily basis to avoid the long-term risks and costs associated with breaching private information suggests they are worth investing in.<\/p>\n

      Let\u2019s look at some examples.<\/p>\n

      Policy without process or ongoing commitment to privacy<\/strong><\/p>\n

      The FCC (Federal Communications Commission) announced last fall their plans to levy a $10M fine against two telecoms for storing personal information of over 300,00 of their customers, including social security and driver\u2019s license numbers, on public servers – accessible to anyone on the internet. Big mistake? Absolutely, but large fines typically mean more than an isolated process or technology error. In this case, two additional issues contributed to the action:<\/p>\n

        \n
      1. The company stated in their privacy policy that they had \u201ctechnology and security features in place to safeguard the privacy of your customer specific information from unauthorized access or improper use.\u201d<\/li>\n
      2. Even after the companies learned of the security breach, they failed to notify all affected consumers, jeopardizing their ability to take measure to safeguard their information.<\/li>\n<\/ol>\n

        Policy without technology or ongoing commitment to privacy<\/strong><\/p>\n

        The action of the FTC (Federal Trade Commission) against Wyndham hotels has been brewing for a long time. The breach of personal and credit card information several years ago resulted in over $10M in fraudulent claims and countless headaches for their patrons.<\/p>\n

        Those of you familiar know this case is not just a matter of missing firewalls, intrusion detection and prevention, encryption, and other basic security technologies. Nor about poor processes that delayed detection of intrusion by 4 months and also stood in the way of being able to physically locate the compromised servers after persistent failed login attempts were finally identified.<\/p>\n

        The galling issue, and one of the core reasons that the FTC is involved is because of the blatant misrepresentation to consumers in their privacy policy that \u201ccommercially reasonable\u201d and \u201cindustry standard\u201d protections were in place to protect their information – with nothing of substance to back up the promise.<\/p>\n

        While the Wyndham case is still churning in the courts, the FTC settled with ChoicePoint out of Atlanta for $10M in civil penalties and $5M for consumer redress when personal information including social security numbers was sold without adequate assurance that\u00a0the requesting customers had a legitimate right to receive\u00a0it.<\/p>\n

        Lack of commitment to privacy<\/strong><\/p>\n

        In perhaps the clearest attribution of organizational culture to its impact on privacy, the Health and Human Services (HHS) Office of Civil Rights (OCR) levied a $275,000 fine against a medical center when 2 senior executives shared personally identifiable information about a patient throughout their organization with staff that had no clear need to know, as well as with members of the media.<\/p>\n

        Then OCR director Leon Rodriguez stated: \u201cSenior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients\u2019 rights are fully protected.<\/i>\u201d<\/p>\n

        In addition the penalty, the resolution agreement calls for policy overhaul throughout the 16 medical centers and hospitals under the same ownership.<\/p>\n

        Your commitment to privacy<\/strong><\/p>\n

        Whenever you see large fines associated with a data breach, recognize there is usually a bigger integrity issue – not just a technology, process, or policy flaw.<\/p>\n

        So, how can you improve a culture of privacy in your organization?<\/p>\n