The Challenge of Keeping PII Secure in the Cloud

by Feb 24, 2020

A common characteristic shared by things of value is that measures must be taken to keep them safe. There are always entities who would like to take advantage of negligence to steal or otherwise use valuable items for their own purposes. Even if you are absurdly optimistic about human nature, you probably still don’t leave your wallet lying around where anyone can pick it up. The risk that someone might take it and have access to your cash, credit cards, and driver’s license is too great to leave to chance. You make certain that you know where it is and that it’s safe at all times.

Personally identifiable information (PII) is often the most sensitive data that an organization possesses. A few categories of data such as military or state secrets may rival its sensitivity, but most organizations do not store that type of information in their SQL Server databases. For the majority of enterprises, PII is their most valuable data asset and demands an appropriate level of protection. Eliminating unauthorized access to the information and avoiding data breaches are critically important functions of an IT department’s responsibilities.

In the case of PII collected on customers or employees, its loss can result in serious damage to the individuals whose information has been compromised. They can be subject to identity theft and liable for financial obligations made with their stolen credentials. Companies that are responsible for protecting this data are also penalized when data breaches come to light. They face financial penalties that vary based on the locale in which the affected individuals reside along with a hit to their reputation which may result in the loss of current and future business.

PII in the Cloud

There are many regulations such as HIPAA and the GDPR that are designed to hold organizations accountable for the way they handle PII. They are general regulations that address sensitive personal data stored in electronic form wherever the associated computer systems are located. Companies need to implement compliance with these standards across their computing environment on-premises and in the cloud.

The International Organization for Standardization is a non-governmental body with home offices in Geneva, Switzerland. They are responsible for developing and publishing many standards that are used throughout the IT industry. One that specifically speaks to securing PII in the cloud is ISO/IEC 27018:2019. The standard specifies guidelines based on ISO/IEC 27002 that are expected to be met by public cloud providers. This includes all large and small organizations that provide information processing services to other entities using cloud computing resources.

Cloud Providers and PII

Introducing the offerings of cloud service providers to an enterprise’s computing landscape often results in a combination of benefits and complications. Taking advantage of the provider’s resources can be financially advantageous while at the same time complicating issues such as delineating responsibilities regarding security or system configuration. Companies with a cloud computing presence need to always remember that they are the ones who are responsible for the security of their PII.

The major cloud providers adhere to the security provisions defined in ISO/IEC 27018:2019. Some of the stipulations include establishing clear parameters regarding the return, transfer and secure disposal of personal information. These requirements build on the overall cloud security spelled out in ISO 27001 and ISO 27002. Organizations must go through an annual certification process to remain compliant with the ISO standards.

Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Services are certified as ISO/IEC 27018 compliant. This should give their customers confidence that they are doing their part to protect a client’s PII. Companies doing business with these providers need to keep in mind that this does not eliminate the responsibility for ensuring that PII is fully protected. It’s still yours even when it’s in the cloud.

Think of it like leaving your wallet in a locker at the gym. If it is lost due to your negligence, like not ensuring that the door is locked, whose fault is it? The facility offered the necessary protective measures, but you failed to use them correctly. The loss is your responsibility and you have no reasonable recourse against the gym owner.

Identifying PII That Requires Protection

An essential component of providing security for PII is knowing where it is. Without this knowledge, it is impossible to implement the protection required to keep it safe. When moving systems to the cloud it is vitally important that you know exactly which systems and databases contain personally sensitive data. It’s the only way you can ensure they are being handled correctly by your chosen cloud provider.

IDERA’s SQL Compliance Manager is a versatile tool designed to keep your SQL Servers compliant with privacy and security regulations. One of the ways it accomplishes this feat is with the ability to discover exactly where sensitive information is stored. The tool also audits and alerts when access to PII is attempted with SELECT statements. Privileged users can be audited and alerts set for specific activities to ensure that databases remain secure. It can be configured to support a wide range of regulatory standards and supports SQL Server 2008 through SQL Server 2019 whether the systems are down the hall or in the public cloud.

With the help of SQL Compliance Manager, you can lock down the PII in your SQL Servers to protect your organization and the individuals who trusted you with sensitive data. It lets your company take advantage of the benefits offered by the cloud while maintaining the integrity and security of your customers’ personal information.