Digital transformation will continue to pick up speed as we navigate another year of the pandemic, where business models are maintaining a virtual approach. According to Forrester Research, the public cloud infrastructure market is expected to grow by 35 percent in 2021 – an increase from the previous prediction of 28 percent. As enterprises continue migrating their workloads to a variety of cloud-based environments, it’s natural that concerns over security, compliance and privacy will follow.
Privacy seems to be the buzzword on the lips of the industry of late, with new and updated state-based privacy regulations coming into play, which in turn have made consumers more aware of what personal information is being collected – from their names and birthdates, down to their unique hobbies and interests. With enterprises storing data in a variety of cloud environments, visibility becomes obscured into who is accessing their applications and data and how it is being stored and shared. With information available from cloud-native applications digitally, it presents the opportunity for various parties to sell off data for a profit – which has left many consumers uneasy.
In the wake of increasing privacy concerns, the European Union (EU) established the General Data Protection Regulation (GDPR) back in 2016. Having long had more stringent privacy rules in place, GDPR takes privacy in the EU a step further, considering items like IP addresses and cookie data as personal information akin to names, addresses and social security numbers. GDPR provides varying levels of control to the information collector, but also much more power to the consumer than is typically expected – giving them the right to know what information is collected, how it will be used, the power to have it erased and more. GDPR introduced the concept that both data at rest and data in transit should be protected, and more authority given to the consumer when it comes to their personal data collection, retention, use and dissemination.
While GDPR is seemingly straightforward, each country’s nuances and interpretations of these regulations make it difficult to implement. In the U.S., privacy is an even more delicate and difficult issue. Given there is no federal privacy regulation, states have followed the lead of GDPR and enacted their own privacy regulations to protect residents. The recent California Consumer Privacy Act (CCPA), Nevada’s Senate Bill 220 Online Privacy Law, the Maine Act to Protect the Privacy of Online Consumer Information, the New York SHIELD Act and others are just a few examples.
As different permutations of these regulations spread across the country, companies operating in the U.S. are more concerned about their ability to manage privacy compliance with varying requirements per state. It becomes increasingly challenging to maintain requirements on a state-by-state basis, as opposed to having set standards at the federal level. It’s also important to remember that these regulations are not just about privacy protection, but the way the standards are enforced.
It’s certainly going to be difficult for enterprises in the U.S. or those that engage with U.S. consumers to navigate the many complex regulations being introduced, as well as the cost of implementing and managing compliance. On the flip side, it also gets difficult for consumers to know what they can expect from privacy protections and how they can validate they are working and effective.
The NIST Privacy Framework, for instance, provides a common standard upon which controls and compliance efforts for managing privacy can be built. This framework was developed to help organizations manage privacy goals and risks while protecting the personal information of consumers. It doesn’t tell providers exactly what to do for each particular regulation, but it provides a repeatable, consistent base from which solutions can be built. While there will be a bit of a “learning curve” as companies adapt to the various requirements, there is at least a baseline where enterprises can build the foundation of their compliance strategy.
Now that we’ve discussed the privacy framework, let’s jump back to data collection. There are two important levels to examine in terms of data collection – the infrastructure and platform on which data is being collected and processed, and how that data itself is managed inside an application. Infrastructure is the crux in terms of privacy and compliance and encompasses every component of the infrastructure – from the network to communication between endpoints and servers, browsers and servers, and more. Within the infrastructure, it’s crucial to have systems in place to audit, track and protect sensitive data and determine how it was accessed, especially with these new regulations in place. Automating these functions also becomes a necessity, as enterprises manage thousands of terabytes worth of data that may come into question during an audit or when facing questions from consumers.
While infrastructure is key, data management inside applications also is critical. The amount of data collected only continues to grow, and communication between infrastructure and applications becomes more challenging. Enterprises need to understand how data is stored inside the application, who can gain access and then how third parties will repackage and sell that data.
As we enter the new age of privacy and compliance, finding the right solutions will be more important than ever. Much like we at Caveonix believe in utilizing the NIST Risk Management Framework (RMF) and NIST Cybersecurity Framework (CSF) as a baseline, we also advocate for enterprises to utilize the NIST Privacy Framework or other models that can help them meet their privacy goals and requirements.
Caveonix can help manage security and compliance at the infrastructure to the application level in hybrid and multi-cloud environments. Through the Caveonix Cloud solution, we automate risk and compliance management across the full-stack and provide complete visibility across the public, private and hybrid cloud footprints of your digital transformation efforts.