What you need to know about PII in the Cloud
A frequent concern when first making the move to the cloud is how to deal with data security. And perhaps no form of data is of more interest than Personally Identifiable Information (PII). In terms of value and in terms of liability, PII is the first concern of any organisation’s data security strategy.
Perhaps nowhere is concern more visible than in looking at the financial sector. While all organisations deal with PII, the security stakes are typically higher at banks. This is why when Amazon wants to show off the safety and security of its new database offering, it chooses high profile banks like Goldman Sachs.
They know what it means to pass a Goldman security and compliance audit.
When looking at security, many CTOs and security staff make the mistake of seeing a move to the cloud strictly as a liability. In fact, moving to the cloud can just as easily help your organisation’s security posture, by giving you the flexibility and the tools to implement better controls on your data. In this article, we’ll look at how the tools offered by your cloud provider are an effective way to secure the PII in your organisation’s care.
What Is PII?
First, some background. Personally, Identifiable Information is data that an organisation stores which can be used to identify a specific individual. What exactly that means depends on what legal regime you’re looking at. In the EU context, the General Data Protection Regulation (GDPR) defines PII very broadly, so that IP addresses, phone numbers, mailing addresses, and even analytics data are all considered PII.
Organisations are interested in securing PII because it is a source of business value and because they are liable if hackers are able to access PII. In the UK, that liability is defined in the Data Protection Act of 2018 (DPA). That law outlines the penalties for companies who fail to protect PII, and requires companies dealing with PII to lay out processes for securing it. For British companies, the GDPR and the DPA combine to define the minimum PII security, and what a security policy must cover.
In the cloud context, PII carries additional regulatory concerns. However, as a recent survey indicated, 97% of US banks are developing or deploying a cloud strategy. So while regulation is obviously a concern, it’s a small obstacle and not a total roadblock. A proper cloud policy that addresses security is behind every successful move to the cloud.
So what does such a good security policy for PII look like? Well, one good example is the recently revamped security policy at Monzo. Monzo is a digital bank with a multi-cloud strategy. Using AWS, they’re able to use microservices to manage real-time transactions for millions of customers in a scalable infrastructure. And using Google Cloud Compute, their data team can analyse transactions for fraud, and help identify common pain points.
Having a well-defined security policy is an essential part of this process. Moving data between clouds and managing microservices with individual databases are potential pain points because there is a larger attack surface for malicious actors. With all that distributed data, proper encryption is crucial. In the security world, we talk about encryption at rest and encryption in transit, and both are essential to a proper cloud data security strategy. Encryption in transit refers to securing data when it is sent between servers (or between clouds) via technologies like HTTPS. Encryption at rest refers to securing data when not in use, so that malicious actors that come upon it can’t do anything useful with the data.
As a large organisation, Monzo is able to invest engineering effort into building their own tools for encryption in transit. However, most organisations find it cheaper and easier to use the existing tools their platforms provide. Every major cloud storage provider has an option for encryption at rest, where only you hold the keys to your data: Amazon’s S3, Google’s cloud storage, and Microsoft’s Azure storage all offer encryption-at-rest. And there are free, open-source tools for encryption in transit that can be adapted to any use-case, such as the Let’s Encrypt project.
While encryption is a significant part of any security policy for PII, it’s not the whole story. Encryption renders your data useless to attackers if they can see it, but securing PII also means ensuring they don’t have access in the first place. This is where having a cloud-based infrastructure can really improve your security profile. Keeping attackers out requires continuous monitoring and patching to ensure your servers are inoculated against the latest published threats, and that’s easiest in the cloud.
Take another mobile banking provider, Starling Bank. As a major player in the financial space, they recognised that their data put them in the crosshairs of malicious actors. When designing their cloud architecture, security was among their 5 top priorities. By hosting their server architecture on AWS, they’re able to adapt quickly to emerging threats. Like many cloud providers, Amazon has software engineers who identify threats and release security patches before they’re released to the general public, so the bank is ahead of the curve.
Starling also has a multi-cloud approach, and performs their analytics in the Google Cloud to take advantage of their machine learning expertise. Hosting your own analytics server often means constantly checking the database vendor to see if there are critical security updates and running threat monitoring to see if you’ve had reportable security breaches. By hosting in the cloud, you outsource these concerns to the cloud provider. And if the provider is Google, they can put the best security engineers in the world to work on securing your PII.
Staying up to date and patching the instant new security updates are released sounds simple, but it’s an important part of preventing hacks by making it impossible to get a foothold in your infrastructure. All major cloud providers offer monitoring tools that will scan your infrastructure automatically, and warn your security and compliance team of any patches that need to be applied. Taking it a step further, they also offer tools to help lock down your infrastructure even further, such as automated firewall monitoring.
We’ve looked at two major digital banks that take a multi-cloud approach to their infrastructure. In both cases, the cloud was an enabler of security policy, not a hindrance. Monzo and Starling are able to secure PII by adapting the tools provided by cloud providers to their individual needs: making use of the latest cloud-based encryption options and staying on top of the security update and monitoring regime.
In both cases, being in the cloud actually made it easier to secure PII, because it meant that new security tools were immediately available, and upgrades could be rolled out instantly across an entire infrastructure. Interested in learning more about how you can upgrade your security with a cloud-based approach? Learn more about how we can design a strategy to protect your PII while delivering a scalable, modern cloud-based design.