Data Privacy and Protection in the Age of Cloud

Data privacy and protection have always been a top concern for organizations. Its importance has only grown as more data is stored on public cloud services, increasingly more sophisticated cyber attacks take advantage of the inter-connected nature of modern business, and stringent laws and regulations governing privacy have been put into place in recent years.

The bottom line is that there are several factors making it harder for organizations to protect data. To start, most organizations have little insight into the data once it gets to the cloud. Many are using multiple clouds. And the protection of the privacy of that data is increasing under different rules based on the country it is generated or stored in. These issues are driving the need for better observability tools and sovereign cloud.

A few stats help put the scope of the matter into perspective. First, a large percentage of corporate data now resides in the cloud. As of 2022, over 60 percent of all corporate data is stored in the cloud, according to one study. That is up from just 30 percent in 2015.

And that data is now distributed to multiple clouds. With multi-cloud adoption on the rise, 71 percent of organizations leverage more than three cloud infrastructure providers, according to a recent Enterprise Strategy Group survey.

At the same time, regulations and laws governing data privacy and protection have continued to evolve. The pace of change is such that 64 percent of security professionals surveyed by Splunk stated that it's challenging to keep up with new security requirements. That was up from 49 percent a year ago.

That survey also highlighted another growing problem in today’s cloud-centric world. Namely, many applications and services today are composed of multiple elements (e.g., a third-party database, a cloud computing analytics service, open-source middleware, and more). Some of the largest data breaches of the last few years (e.g., the SolarWinds hacks of 2020) have used the weakness of one aspect of a larger application to cause great damage.

“We found that organizations are deeply concerned about supply chain attacks, especially after the SolarWinds hacks of 2020 and the Log4Shell incident in late 2021,” says Ryan Kovar, Distinguished Security Strategist at Splunk. "Ninety percent of organizations reported that they have increased their focus on third-party risk assessments as a result of those high-profile attacks. In my 20 years in IT security, I've never seen software supply chain threats given this level of visibility. Unfortunately, this will only increase the already intense pressure security teams face."

The need for better insights

With more data on more cloud platforms being subject to increasingly stringent regulations, traditional approaches to protecting data fall short. One great challenge is that most enterprises use many point solutions to monitor and manage the data. These tools generate vast volumes of alerts, logs, and other data. Those responsible for data protection and security are simply overwhelmed with this data and have a hard time aggregating it, correlating events, or getting any insights out of the data.

How challenging is the problem? On average, IT professionals see over 500 cloud security alerts per day. Increasingly, enterprises are turning to SOAR (security orchestration, automation, and response) solutions to help. A SANS Institute survey found SOAR adoption grew 85 percent from 2020 to 2021. 

Why the rapid embracement of SOAR? SOAR solutions bring together data from multiple cloud-based tools, including vulnerability scanners, endpoint protection software, firewalls, intrusion detection systems, and security information and event management (SIEM) software. Many SOAR offerings incorporate artificial intelligence (AI) and machine learning to derive insights. For instance, a SOAR solution might elevate threats if human intervention is needed, make action recommendations, and automate responses.

Sovereign cloud becoming mainstream

One of the fastest emerging developments related to managing cloud data privacy in the last year has been the embracement of the sovereign cloud concept. According to Gartner, sovereign cloud describes cloud platforms that are isolated from interference from regions or countries outside the jurisdiction of wherein the cloud service is provided.

Fueling the interest in and demand for sovereign cloud has been emerging concerns, particularly in Europe, about the sovereignty of data. One of the main driving factors for sovereign cloud is the U.S. CLOUD Act and similar laws in other countries such as China. The Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US federal law enforcement to compel U.S.-based technology companies via to provide data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. Regulations like this are in conflict with European Union rules and decisions by the EU Court of Justice.

With the great interest in this area, several new sovereign cloud offerings have recently been launched to help enterprises that need data protection. For example, earlier this year, Accenture launched the Accenture Cloud First Sovereign Practice, which brings together industry, security, and technology specialists together with Accenture partners to help enterprises accelerate the digitization of business processes while protecting data in accordance with local regulations.

“[Enterprises] need ways to use and share trusted data confidently, in a secure and compliant way,” says Accenture Cloud First global lead, Karthik Narain. “This often involves navigating an intricate patchwork of technology solutions while aligning with various regional, local, and industry regulations – not only in the European Union but around the world.” The new practice aims to address these issues.

Another example of a concerted effort to keep data in one country protected from the reach of other countries is the VMware sovereign cloud initiative, which launched last year. Its efforts in this area help ensure that data is subject to only the jurisdictional control and authority of the nation-state or international federation where the data is collected and resides.

A late-breaking twist

Many European Union and other regional data protection and privacy laws were concerned with the protection of data hosted locally on the major U.S. cloud provider platforms. The global reach and dominance of the three major cloud providers meant that even if an organization stored its data on systems that were physically located within their country, the U.S. (and other countries) might still have legal access to the data.

European-centric efforts, such as the Accenture Cloud First Sovereign Practice, aimed to help enterprises. But last week, another source of help emerged. Amazon announced its AWS Digital Sovereignty Pledge, “our commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud,” according to the company.

Related articles: