David Burt, Senior Compliance Manager, Azure Trust and Compliance
Today we’re pleased to publish Data Protection and Privacy Compliance in the Cloud: Privacy Concerns Are Not Slowing the Adoption of Cloud Services, but Challenges Remain, original research sponsored by Microsoft and independently conducted by the Ponemon Institute. The report concludes with a list of 10 recommended steps that organizations can take to address cloud privacy and security concerns, and in this blog, we have provided information about Azure services such as Azure Active Directory and Azure Key Vault that help address all 10 recommendations.
The research was undertaken to better understand how organizations undergo digital transformation while wrestling with the organizational impact of complying with such significant privacy regulations as the European Union’s General Data Protection Regulation (GDPR). The research explored the reasons organizations are migrating to the cloud, the security and privacy challenges they encounter in the cloud, and the steps they have taken to protect sensitive data and achieve compliance.
The survey of over 1,000 IT professionals in the US and EU found that privacy concerns are not slowing cloud adoption and that most privacy-related activities are easier in the cloud, while at the same time, most organizations don’t feel they have the control and visibility they need to manage online privacy. The report lists ten steps organizations can take to improve security and privacy.
Key takeaways from the research include:
• Privacy concerns are not slowing the adoption of cloud services, as only one-third of US respondents and 38 percent of EU respondents say privacy issues have stopped or slowed their adoption of cloud services. The importance of the cloud in reducing costs and speeding time to market seems to override privacy concerns.
• Most privacy-related activities are easier to deploy in the cloud. These include governance practices such as conducting privacy impact assessments, classifying or tagging personal data for sensitivity or confidentiality, and meeting legal obligations, such as those of the GDPR. However, other items such as managing incident response are considered easier to deploy on premises than in the cloud.
• 53 percent of US and 60 percent of EU respondents are not confident that their organization currently meets their privacy and data protection requirements. This lack of confidence may be because most organizations are not vetting cloud-based software for privacy and data security requirements prior to deployment.
• Organizations are reactive and not proactive in protecting sensitive data in the cloud. Specifically, just 44 percent of respondents are vetting cloud-based software or platforms for privacy and data security risks, and only 39 percent are identifying information that is too sensitive to be stored in the cloud.
• Just 29 percent of respondents say their organizations have the necessary 360-degree visibility into the sensitive or confidential data collected, processed, or stored in the cloud. Organizations also lack confidence that they know all the cloud applications and platforms that they have deployed.
The Ponemon report closes with a list of recommended steps that organizations can take to address cloud privacy and security concerns, annotated below with relevant Azure services that can help you implement each of the recommendations:
1. Improve visibility into the organization’s sensitive or confidential data collected, processed, or stored in the cloud environment.
Azure service: Azure Information Protection helps discover, classify, and control sensitive data.
2. Educate themselves about all the cloud applications and platforms already in use in the organization.
Azure service: Microsoft Cloud App Security helps discover and control the use of shadow IT by identifying cloud apps, infrastructure as a service (IaaS), and platform as a service (PaaS) services.
3. Simplify the authentication of users in both on-premises and cloud environments.
Azure service: Azure Active Directory provides tools to manage and deploy single sign-on authentication for both cloud and on-prem services.
4. Ensure the cloud provider offers event monitoring of suspicious and anomalous traffic in the cloud environment.
Azure service: Azure Monitor enables customers to collect, analyze, and act on telemetry data from both Azure and on-premises environments.
5. Implement the capability to encrypt sensitive and confidential data in motion and at rest.
Azure service: Azure offers a variety of options for encrypting both data at rest and in transit.
6. Make sure that the organization uses and manages its own encryption keys (BYOK).
Azure service: Azure Key Vault allows you to import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary.
7. Implement multifactor authentication before allowing access to the organization’s data and applications in the cloud environment.
Azure service: Azure Active Directory offers multiple options for deploying multifactor authentication for both cloud and on-prem services.
8. Assign responsibility for ensuring compliance with privacy and data protection regulations and security safeguards in the cloud to those most knowledgeable: the compliance and IT security teams. Privacy and data protection teams should also be involved in evaluating any cloud applications or platforms under consideration.
9. Identify information that is too sensitive to be stored in the cloud and assess the impact that cloud services may have on the ability to protect and secure confidential or sensitive information.
Azure service: Azure Information Protection helps discover, classify, and control sensitive data.
10. Thoroughly evaluate cloud-based software and platforms for privacy and security risks.
Azure service: Microsoft Cloud App Security assesses the risk levels and business readiness of over 16,000 apps.