Published on September 13th, 2019
Managing your cloud in the face of the California Consumer Privacy Act
The California Consumer Privacy Act of 2018
(CCPA) was approved by the California State Governor on June 28, 2018, and goes
into effect on January 1, 2020. The CCPA law sets new leading-edge standards in
data privacy, not only for the State of California, but also for the rest of
the United States.
A very large percentage of mid-sized and large
enterprises do business in the State of California. They will have to take
concrete steps to align their cloud security with the requirements of the
pending legislation. For most, this will be a huge administrative and software
development burden. Many businesses will absolutely not be ready by January 1,
2020, to support the compliance of their cloud infrastructure with the CCPA.
Much of the data you keep in your clouds today
likely includes personally identifiable information (PII), which is highly
regulated under the CCPA. PII as defined under the CCPA is very broad and includes
real name, alias, postal address, account name, social security number,
driver’s license number, passport number, and other similar identifiers. PII
also explicitly covers many other categories of data, such as biometrics
(including DNA data), internet search and browsing data (anything used for digital
marketing), geolocation data, employment information, and much more. The CCPA
definition of PII even addresses the “probabilistic identifier,” which means the
identification of a consumer or a device to a degree of certainty of more
probable than not based on any categories of personal information included in,
or similar to, the categories enumerated in the definition of personal
The rapid move to the cloud has brought new
challenges in protecting PII data that must be addressed to meet the CCPA. It is
incumbent on organizations that wish to ensure that their cloud computing is
CCPA compliant to select the new technology sets that provide the protections
Data protection, of course, is your
get-out-of-jail-free card. The CCPA emphasizes data protection rights as
critically important. Encryption stands front and center as a protective
measure to be used by any business. Consider that any “consumer whose non-encrypted
or non-redacted personal information is subject to an unauthorized access and
exfiltration, theft, or disclosure as a result of the business’ violation of
the duty to implement and maintain reasonable security procedures and practices
appropriate to the nature of the information to protect the personal
information may institute a civil action.” Encrypting all of your cloud
data gives you the essential protection needed to maintain compliance with the CCPA and
to minimize or entirely eliminate your liability in the event of a data breach.
In order to adequately protect personal
information (PII) in the cloud, the most essential capability is visibility. You
must know what kinds of sensitive data exist in your sanctioned clouds.
Sanctioned clouds contain data in applications that are supported by your
business and information technology teams. Perhaps more important is
understanding which unsanctioned clouds are in use and which might contain PII and
sensitive data. These may be your greatest liability in meeting the CCPA. You
must be aware of them, understand the liability, and then decisively shut down
those that run afoul of your corporate policy.
Enterprises also need the ability to monitor
and control who has access to what kinds of PII/sensitive data. You need the
ability to block unauthorized individuals from accessing or downloading
sensitive data while at all times monitoring everyone’s access to PII and
sensitive data. Data loss prevention (DLP) can help automate the application of
encryption as data moves through your clouds and supply chain ecosystem.
Digital rights management (DRM) can apply the necessary protection to the data,
so that if it moves out of your organization, or out of your control, you can
still secure it.
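The visibility and DLP capabilities described above amount to one concrete check: inventory what is stored, classify it against the CCPA PII categories the article lists, and flag anything held without encryption. The following is an added example, not code from the original article or from any CASB product; the object inventory and field patterns are constructed for illustration.

```python
import re

# Constructed sample inventory of objects held in cloud storage. Each entry
# records the object path, whether the store encrypts it at rest, and a few
# sampled field names/values. No value here is real.
SAMPLE_OBJECTS = [
    {"path": "s3://crm-prod/customers.csv", "encrypted_at_rest": True,
     "sample": {"real_name": "A. Example", "ssn": "123-45-6789"}},
    {"path": "s3://marketing-export/clicks.json", "encrypted_at_rest": False,
     "sample": {"device_id": "abc-123", "geo": "37.7749,-122.4194"}},
    {"path": "gs://reports/summary.txt", "encrypted_at_rest": False,
     "sample": {"total_sales": "42000"}},
]

# CCPA PII categories named in the article, each mapped to a field-name
# pattern and an optional value pattern. Illustrative, not exhaustive.
CCPA_CATEGORIES = {
    "identifier:ssn": (re.compile(r"ssn|social", re.I),
                       re.compile(r"^\d{3}-\d{2}-\d{4}$")),
    "identifier:name": (re.compile(r"name", re.I), None),
    "geolocation": (re.compile(r"geo|lat|lon", re.I),
                    re.compile(r"^-?\d+\.\d+,-?\d+\.\d+$")),
    "internet_activity": (re.compile(r"device|click|search", re.I), None),
}


def classify(sample):
    """Return the sorted CCPA PII categories that a record's fields fall into."""
    found = set()
    for field, value in sample.items():
        for category, (name_re, value_re) in CCPA_CATEGORIES.items():
            if name_re.search(field) and (value_re is None or value_re.match(str(value))):
                found.add(category)
    return sorted(found)


def assess(objects):
    """Keep only objects holding PII; unencrypted PII is the liability the article describes."""
    findings = []
    for obj in objects:
        categories = classify(obj["sample"])
        if not categories:
            continue  # no PII sampled: out of scope for this check
        findings.append({
            "path": obj["path"],
            "categories": categories,
            "encrypted": obj["encrypted_at_rest"],
            "action": "ok" if obj["encrypted_at_rest"] else "encrypt-or-remove",
        })
    return findings
```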
As with any compliance law, the collection of
audit and log data is necessary to support compliance assessment and related.
This collection of data is also extremely helpful for meeting the needs of
other compliance and/or data privacy laws. You must know who accessed your
sensitive cloud data, when they did so, and specifically what data elements
We must also recognize that the enterprise has
become more porous. Cloud, mobile, and on-premise systems raise the probability
that the credentials of your authorized users may be stolen or accessed. Even a
small misconfiguration in your clouds may accidentally expose authentication
data. Once credentials are compromised, you need the behavioral controls that
will help identify both malign behavior and anomalous behavior, even when it
comes through authorized user credentials.
A cloud access security broker (CASB) is a simple but elegant solution to bring
in the technology sets to support your CCPA compliance. CASB presents an
integrated portfolio of technologies that directly address the top cloud
threats. CASB can align your cybersecurity defense with the CCPA, as it brings
important and critical features for cloud threats and data protection.
CASB technologies such as data loss prevention
(DLP), native device management, UEBA, adaptive access control, secure offline
data access, automated PII anonymization, and digital rights management can
also provide the protection your data will need to stay secure. CASB can
shorten the path to addressing cloud threats, directly address the requirements
of CCPA, and strengthen and enhance your cloud security strategy.