Data security is most important requirement to the customers or user. If the organisation wants to run a business successfully, they need to give surety of data protection as it gives customers the assurance that their data is being collected, processed, and transferred through secure mechanism. Data is most critical and important for businesses of all sizes, from a small start-up to a global conglomerate and so is data privacy.

Data is information processed by a computer system and stored in a system known as server. This information may be in the form of text, image, documents, audio clips, software programs, patents, financial information, secret information, health data, personal information or other types of data.

Every organisation collect data with different mediums either by old traditional method or by modern digital methods. Be it hospitals, banks, companies, government departments etc data is everywhere. Processed data is known as information.

Sometimes a set of data can formulate a sensitive information, so Data privacy is a mechanism to maintain our privacy online, because information is a highly value asset and sought-after commodity by malicious users and cyber criminals. As an end user it is very essential to know what is happening with our online information, what can be done with the data or who all can have access to it. Users often give their consent and allow companies to track and store their data can have disastrous results, so one should have a say in the matter.

Normally organisation focus on the risks originated hackers and cyber criminals, however this is much more than this. Protecting your data privacy is as significant as managing your data security.

Firstly, and fore mostly, Data Privacy is an arm of data security and its motive is to safeguard the data from unauthorized access. Data privacy aims to the proper handling of information based on its significance-

• Regulatory requirements and data privacy laws
• Consent of the data owner
• Privacy Notice
• About the public expectation of privacy.

Main objective of Data privacy is to safeguard the users’ data as per the regulations and users’ rights. Main factors to consider are:

• How to collect and share the data legally
• Whether to data can be shared with the third parties and identification of the third parties with whom data can be shared.
• Adhering to the regulatory compliance and laws limits such as-HIPPA (Health Insurance Portability and Accountability Act), GDPR (The General Data Protection Regulation), GLBA (The Gramm-Leach-Bliley Act), CCPA (The California Consumer Privacy Act), ECPA (Electronic Communications Privacy Act 1986),Personal Information Protection and Electronic Data Act (PIPEDA) and so on. Different countries have different data protection regulations and all these regulations have their own set of rules and legislation pertaining to a specific area, purpose, and type of companies or individuals.

In a nutshell this means protection of critical user information primarily PII (personally identifiable information) of an individual:

PII consists of: – 

• Full Name,
• Address,
• Contact details,
• Date of birth,
• Social Security Number
• Bank Account Number
• Driving License Number
• Some more personal information such as an-
• • IP address,
  • Profile photo,
  • Social media post,
  • Financial Information
  • Medical Information
  • Location
  • And many based on regulatory compliance.

Importance of Data Privacy and Data Security for Business

 Data privacy and security helps in protection of customer’s data privacy.

It helps reduction of the number of information security incidents like data breaches that an organization can suffer.

• It is helpful in maintaining, improving and retaining brand value of the business.
• It is helpful in safeguarding the business from hefty penalties for violating the rules. Regulators impose huge penalties in case of data breach which could be few thousand dollars or a big part of revenue generated, and it’s different for various types of data breach incidents.
• Data sharing will be limited and identification of third party would be done on prior basis according to the risk level of data.
• It saves the organisations from the theft of data by hacker or cyber criminals, that can cause enormous monetary losses
• Data privacy limits the access of customer’s critical data and hence safeguarding the right of customers to be free from uninvited surveillance
• This helps the organisations to keep track of their data breach records and organisations can learn lesson in order to avoid future recurrence.
• Now a days most of the business run on customer’s critical data safeguarding the privacy expectations should be priority of the organisation.
• It helps the organisations from loss of revenue.
• It is also provided competitive advantages to business.
• Last but not the least it is helpful in adherence to the strict policies of how PII is collected, accessed, protected, and erased.
• Data security and privacy controls are helpful in enhancing company’s reputation and built customer trust.

Importance of Data Privacy for Users

• It provides assurance from unauthorised access of data.
• It will keep customers personal, health and financial information safe.
• It generates a trust value for the customer.
• It provides a legal right to the end user or customer to challenge the company in case of any data breach.
• Data can only be collected by receiving consent from the users.
• Companies which collect the data provides data security guarantee to the end user.

Tips and Tricks to help protect your personal data

Data privacy is such an important issue, nowadays many government organizations and companies spend a good part of their revenue each year to help protect their data—which could include your PII (Personally identifiable information)—from exposure. As an end user may not be able to implement high end security solutions to safeguard their personal data, however there are inexpensive ways whichyou can take to help protect your data. Below are a few suggestions:

• Use strong passwords for your online accounts also avoid having same password for multiple accounts. Change password on regular basis.
• Chane the default password for your home network devices, especially Wi-Fi device. A weak password is easy to guess and any unauthorized person can connect to your network with malicious intent.
• Avoid clicking on any random link received via mail or message, these can have malicious links which will give access of your device to cyber-criminal who could eavesdrop your network traffic including personal data.
• Don’t ever share your personal details like bank account number, credit card detail, social security number, Aadhar card number etc over call.
• Avoid writing your personal details like phone number and address at public platform unless necessary. This could sometimes be very dangerous if accessed by any cyber criminal.
• Avoid sharing too much personal information on social media platform.
• Always use security setting on social media accounts, which you can always secure your accounts by changing in Privacy settings. Always keep your social media count in most private mode in order to avoid disclosure of personal information.
• Use VPN (Virtual Private Network) for online activities, however avoid the freeware for financial transactions.
• Share your personal details over the websites which are using encryption.
• Carefully shred all the personal document, receipts, bank statements and your courier packaging as well before discarding.
• Use genuine software on your system.
• Install antivirus and anti malware.
• Always keep firewall on.

Data Protection regulations and laws of different countries are developed and designed in order to maintain the data privacy of the citizens of that particular country. There are many countries where data privacy is already in place, however there are countries where there are no such laws. Having a framework for data privacy and security will definitely safeguard the critical information. A set of defined roles and responsibilities, network security controls like firewalls, secure configurations, Intrusion detection and prevention systems, monitoring, logging the activities, having proper procedures and processes in place of conducting any activity like access provision, de-provisioning, change management, patch management, backup management, privilege access management, physical security management etc certainly provide a more secure environment to data and information systems. Expectation and responsibilities of third-party service providers also plays critical role in data security. Technical controls should be according to the organisations risk appetite and relevant regulations.

Although cyber criminals are inventing new techniques to intrude into the networks but using encryption techniques will help the data in non-readable formats.

 Data is the most precious asset for both organisation and customer, a vigilant consumer and an organisation with adequate resources, diligent employees, regular monitoring, proper governance, periodic reviews can safeguard their information assets and maintain data privacy and security.

#Keywords,-Data security, data privacy, encryption, Cybercriminals, hackers, GDPR,HIPPA,GLBA , CCPA , ECPA ,PIPEDA, password protection, network security, patch management,

]]> https://www.cyberlaws.org/cyber-security-must-knows-for-cloud-service-providers/ Thu, 02 Apr 2020 18:42:04 +0000 http://www.cyberlaws.org/?p=78

CYBER SECURITY MUST KNOWS FOR CLOUD SERVICE PROVIDERS

WHAT IS CLOUD COMPUTING?

The Information Technology world is emerging and with fast pace, new innovative ideas are changing the scenarios constantly and cloud computing was one of those ideas which has changed the perspective of IT services.

Cloud Computing is a network of remote servers which are used to store, manage and process data via internet, instead of local servers or hard drives.

With ease of use and flexibility, it has become most usable IT services nowadays.

SECURITY RISKS ASSOCIATED WITH CLOUD COMPUTING?

Cloud computing transformed the way organizations store, use, and share data, applications, infrastructure and workloads. Cloud computing also provides a flexible model for simplified IT management, remote access, mobility, and cost-efficiency. With so much ease of access and flexibility most of the organisations are availing cloud services, however as more mission-critical applications migrate to the cloud, data privacy and software security are growing concerns. With so much data going into the cloud including critical data like PII and PHI —these resources become natural targets for hackers.

Availing IaaS or Moving web applications to the cloud does not make organisations inherently more secure.  Organization nowadays might be ready to adopt the benefits of the cloud infrastructure. But you must also ensure you address all the potential security risks in cloud computing, especially public clouds.

WHAT IS CLOUD COMPUTING SECURITY?

Cloud computing security is the combination of guidelines and technologies controls, which are helpful to manage information security compliance and provides instructions for securing data applications and infrastructure identify with cloud computing use.

Cloud computing has many advantages, such as Ease of use for customer, speed and efficiency. But there are also many potential threats in cloud computing. These threats include human errors, misconfigurations, data breaches, insider attacks, account hijacking, and DDoS attacks. According to studies, businesses which are using cloud computing services are more prone to data breach and cyber-attacks in comparison of others.

CLOUD SECURITY: CHALLENGES AND SOLUTIONS

Below is the list of most critical cyber security challenges faced by Cloud Service providers.

1.      DATA BREACHES:

A data breach is a result of infrastructure or application vulnerabilities, human error, poor security practices such as weak password, inadequate access control etc. Data breach is one of the top most security challenges, mostly public cloud because of different requirements by different customers. Solution to this problem is that organizations should always secure their databases which contains sensitive data like user credentials, by hashing and salting and implement proper logging and behavior anomaly analysis.

2.    HUMAN ERROR:

Human errors like clicking on malicious links, sharing data with unauthorised person, using weak passwords and not having maker checker procedures etc. are challenges in Cloud security. These errors are often at customer’s end. Training and awareness pertaining to Cyber Security, imposing strong password policy and segregation of duties can really resolve this issue. Proper monitoring is also necessary.

3.    INSUFFICIENT IDENTITY, ACCESS AND KEY MANAGEMENT:

Hackers can act as legitimate users, developers, or operators can read, manipulate, and delete data; snoop on data in transit or release malicious software that appears to originate from a genuine source. Any unwanted service running on the server can allow access without authentication. Solution to this problem is implementation of preventative controls across all perimeters, and that organizations scan managed, shared and public environments for vulnerabilities.

4.    DATA LOSS:

Data loss can be because of an accidental deletion by the cloud service provider, or a disaster like a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer .takes adequate measures to back up data, Solution to this problem is having a full proved Business Continuity and Disaster Recovery plan in place, performing data backups & testing regularly and conducting DR drills at regular intervals.

5.    INSECURE APPLICATION PROGRAMMING INTERFACES (APIS):

APIs are exposed to public and so too attackers, an API is likely to be the initial entry point for attackers. Hackers exploit vulnerabilities of insecure APIs to get access to servers. Performing security assessment prior to deployment and after any significant change can help to identify the existing weaknesses and patching it.

6.    ADVANCED PERSISTENT THREATS (APT):

APT uses sophisticated and continuous attack techniques to get access in Cloud infrastructure and monitor the Cloud provider’s activity and steal the data rather damaging the networks. In this the attacker gain access and remain undetected for long. Monitoring network on regular basis for abnormal behaviour, update latest antivirus signatures and scanning networks on regular basis can resolve this issue.

7.    INSIDER ATTACKS/ MALICIOUS INSIDER:

A malicious insider can be performed by any employee or any privileged user who has access to potentially sensitive information, and critical systems which contains critical data. Organisations which are doesn’t have their own IT security mechanism and solely dependent on cloud service providers are at higher risk. A Data Loss Prevention (DLP) solution along with event logging and monitoring is a solution for this challenge. A Confidentiality Agreement signed with employees will act as deterrence.

8.    DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS: 

DDOS attack is a crafted malicious attack to disrupt normal traffic and prevent users of a service from being able to access their data or applications. Attacker can cause a system slowdown and leave all legitimate service users without access to services by forcing the targeted cloud service to consume inordinate amounts of finite system resources such as network bandwidth, processor power, memory or disk space. Implementing adequate network security measures like IDS, IPS, and Load Balancers and monitoring networks for anomalies. Having a robust Business Continuity plan will definitely help.

9.    SYSTEM VULNERABILITIES:

System vulnerabilities are the weaknesses or loopholes in any application and network, which can be exploited by any malicious user to intrude into a system to steal or manipulate data, taking control of the system or disrupting service operations. Vulnerabilities within the components of the application and operating system put the security of all services and data at significant risk. In case of public cloud, application or systems from various organizations are sharing memory and resources, creating a new attack surface. Regular patch management, bug fixing and vulnerability management is the best solution for this issue.

10. SPECTRE AND MELTDOWN:

Last but not the least, Spectre and Meltdown which are considered as the most catastrophic vulnerabilities where hackers can exploit Meltdown to view data on virtual servers hosted on the same hardware, potentially disastrous for cloud service providers. Spectre is worse –it is hard to exploit and even harder to fix.

In a nutshell the security solution is very crucial for any Cloud Service provider for their business .Compliance related to cyber security protect the organisation from unauthorized access, data breaches and other threats and also provide assurance and confidence to clients.