The cloud is transforming the enterprise IT landscape—providing a platform for business innovation through greater agility and access to modern cloud-based technologies. It has also been the key driver behind the exponential growth in the amount of personal data organizations collect about their customers.
This data is routinely bought and sold, and being used to monitor every aspect of our lives—from our age, relationship status and career to our interests, lifestyle, and spending habits.
In the face of this explosion in data, regional, national, and international governmental institutions are responding by bringing in new data privacy regulatory laws, such as the General Data Protection Regulation (GDPR) and the forthcoming California Consumer Privacy Act (CCPA), to safeguard the privacy of their citizens.
These present new challenges to data privacy and compliance across the IT spectrum, but all the more so to organizations that host their applications in complex and dynamic cloud-based environments, which scale with demand.
This post will examine the implications of new data protection regulations for enterprises migrating their workloads to the cloud and see how the new NetApp® Cloud Compliance can help manage and monitor the sensitive private data that enterprises keep in the cloud.
Key Cloud Benefits
Let’s begin by taking a quick look at the advantages cloud computing has to offer enterprises. While the cloud has become vastly more popular in recent years, there are still many companies that have yet to fully embrace what the cloud has to offer. These are the main points that make the cloud attractive, especially to large enterprises.
- More Cost-Efficient: In the traditional son-premises model of IT, you have to purchase more computing capacity than you generally need. This ensures you have sufficient resources to meet future growth and spikes in demand. But when you host your applications in the cloud, you only pay for the capacity you actually need—as and when you need it.
- Lower Barrier to Entry: You don't have to invest in expensive new hardware to host your applications, reducing the financial risk of starting new IT projects.
- Faster Development: Whenever you purchase an on-premises server to upgrade or develop a new system, the procurement process can take weeks or even months. By contrast, you can provision cloud infrastructure at the click of a button. Not only that, but the cloud also gives you access to a large ecosystem of open-source technologies, which help you build applications far more quickly and efficiently.
- Higher Availability: Cloud vendors host their services on highly resilient, distributed infrastructures that ensure high availability and fast access from virtually anywhere in the world.
- Stronger Security: Public clouds are managed by highly trained security professionals and provide more advanced built-in protection than traditional IT environments.
What Is Data Privacy?
Data privacy, data protection, and compliance are very closely interrelated, so much so that many IT professionals use the terms interchangeably. But they're NOT one and the same. To properly explain data privacy, we also need to define data protection and compliance. That way, we can understand how they differ and how they complement one another.
- Data Privacy: Your legal obligations for proper handling of personal data, including where you can store it and who can access it, as well as how you may share it and whether you have obtained consent to do so.
- Data Protection: The technical aspects of protecting personal data, covering cybersecurity measures, such as encryption and identity management, and data resilience measures, such as backup and failover systems.
- Compliance: Compliance is more concerned with ticking the right boxes—by having the right procedures and technologies in place to meet data privacy regulations. Compliance doesn't necessarily guarantee the security, integrity and privacy of your data. However, it does demonstrate you've met specific legal or industry requirements for protecting it.
New Challenges in the Cloud
Though there are a number of benefits that come with migrating operations and data to the cloud, that doesn’t mean that companies will be free from all headaches. Cloud challenges come in many different forms, some of which include data migration, data visibility, data access requests, and data security.
Data Residency and Transfer
Large-scale enterprises, serving customers across the globe, have to comply with a variety of different national and regional privacy regulations, each with their own set of rules about data residency and data transfer.
If you're migrating your applications to the cloud, you should only process and store personal data in those cloud regions that meet your compliance requirements.
The GDPR, which came into force in 2018, has gone some way towards simplifying compliance across the European Economic Area (EEA)—by implementing a common set of data privacy standards across all member states.
But, elsewhere, you could find your preferred cloud vendor doesn't offer data centers that meet your data residency requirements. If so, it’s important that you figure out how you can ensure those requirements are met. One option is to look into NetApp® Cloud Volumes ONTAP, which supports all three main public cloud vendors. This technology can be a key part to adopting a hybrid cloud strategy, whereby you host some of your workloads in the cloud but maintain compliance by keeping sensitive personal data on-premises.
Storage has become more distributed than ever—not only in terms of where it's stored but also how it's stored.
You'll be using different cloud storage services for different types of data. For example, you'll likely use:
- Block storage for transactional workloads and system boot volumes, such as AWS EBS and Azure managed disks.
- Cloud file sharing for web servers and content management systems
- Object storage such as Amazon S3, Google Cloud Storage, or Azure Blob for static data, such as logs and content served up by websites
- Big data solutions for data analytics
- Low-cost cold storage for backups and archives, such as Amazon Glacier and the Archive Access tier on Azure Blob storage.
To maintain visibility into and control over all this data can be a significant undertaking. So you'll need to draw up a data inventory covering all your hybrid cloud environments. This will give you a clear and comprehensive picture of all the data you have.
Next determine which information should be classed as personal data. Ideally, you should look to adopt a privacy-by-default approach to all your personal data, treating all data subjects equally—regardless of where they reside in the world. This will make it simpler to comply with both existing and future data protection regulations. If you’ve already prepared your operation’s privacy stance for GDPR, you should have a head start towards meeting CCPA’s requirements as well—in most cases the European regulation is stricter.
In addition, as you migrate your applications, you should map the flow of data throughout your cloud. This will help you keep track of how personal data is being used and stay on the right side of privacy legislation.
New privacy laws are strengthening consumers’ rights to access, change, or delete their personal data.Right-of-Access Requests
Just as with your on-premises environment, good data inventory management will be essential to ensuring quick and efficient responses to their requests.
On one hand, the cloud could complicate the process of meeting such requests, as much of your data will be stored in unstructured formats for use in big data applications, such as business forecasting, social media analytics and fraud prevention.
On the other hand, the cloud can help simplify matters, as vendors offer low-cost object storage solutions for backup and archiving that allow you to finally do away with outmoded and cumbersome on-premises tape storage systems.
Migration to the cloud also calls for a new distributed approach to software design, where you break your applications down into smaller components known as microservices—each deployed to its own dedicated resource. This will give you more granular control over workload capacity requirements, helping to improve cost efficiency.
At the same time, it will also improve data security, as breaking up your applications this way will introduce additional layers of isolation that make it harder for attackers to penetrate infrastructure boundaries and gain access to your personal data.
Moving your applications to the cloud also means offloading responsibility for the physical security of your infrastructure to your cloud service provider.
But it's important to understand where your obligations lie for other aspects of privacy and security, maintaining strong data protection measures wherever they're still under your control.
Invest in the Right Tools: Try NetApp Cloud Compliance
As privacy laws evolve and mature across the world, you'll need to navigate your way through a multitude of new and increasingly more stringent regulatory requirements. These will prove particularly challenging in dynamic and complex cloud environments. So it’s important to invest in tools that give you the visibility and control you need over your cloud-based deployments. At the same time, as you migrate your workloads to the cloud, you'll be entrusting your personal data to a third party.
It will be key to do your research. Make sure your preferred cloud vendor provides an IT environment that's validated to the appropriate compliance frameworks. Make sure it provides the levels of data encryption your organization requires. And that it also offers data center locations in regions where you're permitted to store and process data.
You shouldn't treat compliance as just a chore. You should treat it as an opportunity. Because compliance not only provides you with a framework to help protect the privacy of your employees, suppliers and customers. It also opens up new business possibilities to companies that can demonstrate they meet the data protection requirements in many regulated industry sectors. Fortunately, NetApp has a whole new way for cloud storage users to do just that.
NetApp Cloud Compliance is the new data mapping and reporting tool for cloud data stored with Cloud Volumes ONTAP, Azure NetApp Files, and on Amazon S3 buckets. Cloud Compliance uses an intelligent AI-based technology to help companies with meeting CCPA and GDPR compliance by generating data subject access reports automatically and with accuracy, identifying potential privacy violations before they happen, and providing insight into where sensitive data is being stored.