Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog

Protecting PII in the Cloud

Home
Industry Insights
Protecting PII in the Cloud

Blog Article Published: 07/25/2023

Written by Ashwin Chaudhary, CEO, Accedere.

Cloud computing has revolutionized the way businesses operate, providing flexibility, scalability, and cost savings. PII (Personal Identifiable Information) refers to any data that can be used to identify a specific individual. PII is often sensitive information that needs to be protected to ensure the privacy and security of individuals. However, cloud environments can also pose significant risks to PII if not properly secured.


What is PII?

Any information that can be used to identify an individual falls under the category of PII. The most common types of data exposed in these breaches are personally identifiable information (PII).


Why is PII important?

PII is important because it can be used for identity theft and fraud if it falls into the wrong hands. PII falls under Privacy regulations and the consequences of non-compliance with privacy requirements are as follows:

  • Legal Ramifications
  • Reputation Damage
  • Financial Impact
  • Loss of Customer Trust
  • Regulatory Scrutiny and Audits
  • Limited Business Opportunities


Challenges for Protecting PII in Cloud

Data Security: Cloud environments are susceptible to security breaches, which can lead to unauthorized access to PII.

Data Privacy: Cloud providers may have access to PII stored on their platforms, raising concerns about data privacy.

Compliance Requirements: Various compliance regulations, such as GDPR, CCPA (California Consumer Privacy Act), or sector-specific regulations like HIPAA, impose strict requirements for protecting PII.

Data Residency and Jurisdiction: Cloud services often operate across multiple jurisdictions, and data may be stored or processed in different locations.

Shared Infrastructure: Cloud environments involve shared infrastructure where multiple customers' data coexist on the same physical resources.

Insider Threats: Unauthorized access or misuse of PII by insiders, including employees of the organization or cloud service providers, remains a significant concern.

Data Transfer and Interoperability: Transferring PII to and from the cloud and ensuring interoperability between different cloud services can introduce security risks.

Vendor Lock-in and Service Continuity: Organizations may face challenges if they need to switch cloud providers or migrate data from one provider to another while maintaining the security and integrity of PII.


Data Breaches Statistics

According to research by Surfshark, 41.6M accounts were leaked in the first quarter of 2023, i.e., one account was leaked every second.

Data Breached in Q1 2023

In an article by Mr. Scott Mathrick on March 7, 2023, Top cyber security breaches of 2022, a few of the data breaches related to Personal data are listed below in the table.

Affected Entities Entities Countries Data Breached Impacted Users
Optus September 22, 2022 Australia Personal & Medical Information like names, dates of birth, phone numbers, email, and home addresses, driver's license and/or passport numbers, and Medicare ID numbers 11 million
WhatsApp November 16, 2022 Germany(G), US, UK Personal Information of 500 million users from 84 countries 32 million (US)
11 million (UK)
6 million (G)
Nelnet Servicing June-July 2022 US, Canada Sensitive data like student loan account registration data, including names, addresses, phone numbers, and social security numbers 2.5 million
Revolut September 11, 2022 British-Lithuanian, Europe Personal Information like Database, names, addresses, and partial payment card information 50,150

Reference


Controls to be addressed via processing PII

  • People have the right to know the purpose and how their personal information is being collected, used, and shared.
  • Before sharing the PII with any third-party Consent from the PII owner is a must.
  • A privacy Notice must be communicated to the PII owner if there is any change in the privacy policy.
  • Protecting PII ensures that individuals can maintain control over their personal data and can limit access to it by unauthorized parties.

One of the major international standards for privacy information management is ISO/IEC 27701. Protecting private information assets and proving compliance with privacy and data protection laws are two of ISO 27701's key goals, regardless of location or industry.


Protecting PII with ISO 27701 Certification

  • Promotes trust in your company's handling of personal information.
  • Effective commercial agreements may be facilitated.
  • Assists in ensuring adherence to various privacy laws.
  • Assists in fostering confidence in your company's management of personal information.
  • Enhances organizational clarity regarding roles and duties.

In addition to legal and ethical obligations to protect PII, businesses also face regulatory requirements. For example, the General Data Protection Regulation (GDPR) in the European Union requires businesses to protect the privacy and security of personal data. Failure to comply with these regulations can result in significant penalties and reputational damage for businesses.


How to protect PII?

Protecting PII is essential to prevent identity theft and ensure privacy criteria. Here are some best practices to help protect PII.

  • Limit the collection of PII: Collect only the information you need and avoid collecting unnecessary data.
  • Securely store PII: Store PII in a secure location and limit access only to authorized personnel.
  • Use access controls and segmentation: Access controls should be used to restrict access to PII based on job function and need-to-know. Segmentation can also be used to isolate sensitive data from other less sensitive data.
  • Implement multi-factor authentication: Multi-factor authentication adds an extra layer of security to user accounts, making it harder for unauthorized users to gain access to PII.
  • Use encryption: Use encryption to protect PII while in transit and at rest.
  • Train employees: Educate employees on the importance of protecting PII and provide training on best practices for handling PII.
  • Monitor PII usage: Monitor the use of PII and implement security measures to detect and prevent unauthorized access or use.
  • Regularly review and audit logs: Regularly reviewing and auditing logs can help detect any potential security incidents or breaches. This can also help identify any areas where security can be improved.
  • Conduct regular vulnerability assessments and penetration testing: Regular vulnerability assessments and penetration testing can help identify any weaknesses in your cloud environment before they can be exploited by attackers.

Protecting PII is necessary to ensure privacy, prevent identity theft, meet legal and regulatory obligations, and protect the reputation of businesses.

By implementing these best practices & implementing ISO/IEC 27701 for protecting PII, organizations/entities can ensure that they meet their legal and ethical obligations to protect sensitive information. By adopting a proactive approach to ensure Privacy that includes regular audits, vulnerability assessments, and pen testing organizations can stay ahead and protect PII in cloud environments.


About the Author

Ashwin Chaudhary is the CEO of Accedere, a Data Security, Privacy Audit and Training Firm and an ISO/IEC Certification Body as well as a CPA Firm. Ashwin is a CPA from Denver, Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT, Governance Risk, and Compliance.

ComplianceEnhancing cloud security strategyIdentity and Access ManagementTransitioning to the cloud

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
This Year’s Zero Trust Opportunity for Security Professionals
Trending This Week
#1 CCSK vs CCSP: Unbiased Comparison
#2 Demystifying Secure Architecture: Review of Generative AI Based Products and Services
#3 Managing Cloud Misconfiguration Risks
#4 Five Approaches for Securing Identity in Cloud Infrastructure
#5 Clarifying 10 Cybersecurity Terms
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Business Risks Explored: Practical Insights for Resilience

Published: 05/03/2024

Automation is Key: DHS Report Unveils Lessons from the Microsoft Exchange Incident

Published: 05/02/2024

Defining Cloud Key Management: 7 Essential Terms

Published: 05/01/2024

Livin' on the Edge: Linux's Impact on Computing

Published: 05/01/2024