Becoming compliant with a data privacy law is not about technology. The first thing you should do is understand the law thoroughly. To become compliant, you first need to know what data, such as Personally Identifiable Information (PII) in this case, you are collecting, where you are collecting it, where you are storing it, and how you are sharing it. You need to know this because the strictest data privacy law in the United States, the California Consumer Privacy Act (CCPA), will go into effect on January 1, 2020.
Who does this law impact? Chances are that if you do business in the United States, it has an impact on you. The law applies to any business that has more than $25 million in revenue, buys or sells the personal information of 50,000 or more consumers, or derives 50% or more of its annual revenue from selling consumers’ personal information, and that does any amount of business in the State of California. In other words, it covers just about any consumer-facing business in the United States.
In my opinion, if you are not sure, and you don’t have the legal bandwidth to figure out how you fit in, do what is right for your organization and follow the regulation to the letter. CCPA has a damage limit of $7,500 per person for each violation. In some cases, though, the violation penalty can be much higher. Therefore, it behooves you to play it safe and protect your organization with a robust data protection program and acquire the right technology to help you achieve strong data protection.
CASB to the rescue?
Yes, if you choose the right one. It’s important to understand that a CASB (Cloud Access Security Broker) is many things, but it’s not always about data protection. When evaluating a CASB vendor, you need the essentials:
- Shadow IT visibility to determine cloud usage and possible risks and exposure as a result of untrusted apps.
- Threat Protection to protect against zero days, ransomware, and other malware in the cloud.
- Data Protection to identify and protect sensitive data being moved to cloud apps, resting in cloud apps, and shared externally.
- User behavior analytics backed by machine learning to monitor and detect risky behavior by the user or device accessing federated cloud applications.
Many CASB vendors provide features that can help, but it’s essential to define your data privacy needs. Instead of turning this blog into an educational presentation of what CASB is or is not, let’s discuss what you need to protect your data.
- Choose a CASB that provides field-level data protection. This technology goes by many names, such as data obfuscation or tokenization. It protects cloud applications that hold personally identifiable information in specific fields, such as Salesforce, ServiceNow, Workday, or homegrown applications for banking or healthcare purposes. Rule One: Encrypt data where you collect it and where you store it, using data obfuscation and tokenization.
- Encrypt data where it rests and wherever it is stored. Encrypt data at the file or folder level. Many organizations will encrypt everything in the finance folder, customer record folder, etc. Encrypting your data is a great idea; if your cloud account is compromised, your data will continue to be protected.
(Pro-tip for all cloud-based encryption – DO NOT TRUST CLOUD APPS. Look for solutions where you, as the organization, own the encryption keys and do not have to give them to the cloud app provider. If you upload your keys to the cloud, you have just given up control of that data.)
- Conduct data discovery across multiple cloud apps. Since data is created and shared everywhere, it doesn’t take long before you lose track of it. Also, if you want to scan existing data repositories to see if you have PII lying around, you need a CASB that can scan and classify data at rest.
- Data Classification is a powerful technology that allows your users to classify sensitive data. It is vital for data protection, as the ability to scan data across multiple cloud apps and quickly identify vulnerabilities is foundational to understanding your organization’s risk of exposure. Applications such as Office365 sometimes have this technology embedded within them. However, sensitive data sometimes lives in other formats, such as AutoCAD, video, or music files, and these must be covered too in order to protect personal information and intellectual property. Make sure your security solution is all-encompassing.
- Protect data wherever it goes with Data Rights Management. When sharing sensitive data with your partners or vendors, downloading it to untrusted/BYO devices, or moving it out of secure repositories (such as the finance folder), encrypt it and apply data protection policies to it. Data rights management technology is what makes this encryption and policy enforcement possible.
(Pro-tip for data rights management – do not get restricted by DRM technology that limits whom you can share data with, such as ‘must be in the same domain, or use same domain controls, or require cumbersome apps to decrypt the data.’)
- Create data protection policies that can identify the sensitive data, in any form such as images, and apply rules on how the data can or cannot be used. To get this done, you need Data Loss Prevention (DLP). DLP is a powerful technology that can automate data protection controls, such as ethical firewalls in the cloud, so, for example, Finance cannot accidentally share sensitive data with employees in Marketing. DLP is your police officer in the cloud monitoring your data and applying rules based on your policy. Data protection is a defense-in-depth approach.
(Pro-tip for DLP – get a solution that protects data at rest and in motion for email and all SaaS applications. Don’t piecemeal the solution; it will cost you, or worse, you will not know when there has been a breach.)
- Manage and automate cloud infrastructure posture management to avoid common and costly misconfiguration such as folders with sensitive data wrongly exposed, lack of access controls, misconfigured accounts, etc. Your CASB solution should have Cloud Security Posture Management, or CSPM, to achieve and maintain policy frameworks such as NIST.
- Apply strong CASB security controls. The CASB vendor you acquire needs to have all of the above in a single solution, plus more. The CASB solution you choose should be easy to manage and deploy, and it should fit with your existing security infrastructure. Organizations need the ability to mix and match security controls, such as Office365 data classification, IDaaS for identity and access management, SIEM vendors, etc.
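To make Rule One and the key-ownership pro-tip concrete, here is an added example (my own illustration, not code from this post or from any CASB product) of field-level tokenization: PII fields of a customer record are swapped for tokens derived with a key that stays on infrastructure the organization controls, so the cloud app only ever receives tokens and the same key holder can restore the values later. The field list, the record and the `tok_` token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed policy (assumption): which fields of a customer record hold PII.
PII_FIELDS = {"ssn", "email", "phone"}


class TokenVault:
    """Keeps the secret key and the token->value mapping on the organization's
    side. Nothing in here is ever uploaded to the cloud app (the pro-tip above)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Organization-owned key; generated locally if none is supplied.
        self._key = key or secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic per (field, value): the same email always yields the same
        # token, so the cloud app can still search and deduplicate on the field,
        # while the token reveals nothing without the key and the vault.
        digest = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = f"tok_{field}_{digest.hexdigest()[:24]}"
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only a holder of this vault can turn a token back into the real value.
        return self._vault[token]

    def protect_record(self, record: Dict[str, str]) -> Dict[str, str]:
        # Called at the point of collection, before the record leaves for the cloud.
        return {k: (self.tokenize(k, v) if k in PII_FIELDS else v) for k, v in record.items()}

    def restore_record(self, record: Dict[str, str]) -> Dict[str, str]:
        # Called on the organization's side when an authorized user needs the PII.
        return {k: (self.detokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record (not real data).
    customer = {"account_id": "A-1001", "email": "jane@example.com",
                "ssn": "123-45-6789", "tier": "gold"}
    uploaded = vault.protect_record(customer)
    print("sent to cloud app:", uploaded)
    print("restored locally: ", vault.restore_record(uploaded))
```

Losing or rotating the vault key changes every token, which is exactly why the key and the mapping must live with the organization rather than the cloud provider.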
The compliance guidelines set by CCPA might look tough at the onset. The chances of violations might increase exponentially with your organization’s size and the amount of data stored in the cloud. By following the recommendations listed in this blog to choose a comprehensive CASB solution that uniquely addresses CCPA requirements, and by implementing the security best practices for data privacy and protection, navigating CCPA and every other global compliance law will become a walk in the park.