Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Types of Sensitive Data: What Cloud Security Teams Should Know

Published 10/13/2022

Types of Sensitive Data: What Cloud Security Teams Should Know

Originally published by Sentra here.

Not all data is created equal. If there’s a breach of your public cloud, but all the hackers access is company photos from your last happy hour… well, no one really cares. It’s not making headlines. On the other hand if they leak a file which contains the payment and personal details of your customers, that’s (rightfully) a bigger deal.

This distinction means that it’s critical for data security teams to understand the types of data that they should be securing first. This blog will explain the most common types of sensitive data organizations maintain, and why they need to be secured and monitored as they move throughout your cloud environment.

Types of Sensitive Cloud Data

Personal Identifiable Information (PII): National Institute of Standards and Practices defines PII as:

(1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

User and customer data has become an increasingly valuable asset for businesses, and the amount of PII - especially in the cloud- has increased dramatically in only the past few years.

The value and amount of PII means that it is frequently the type of data that is exposed in the most famous data leaks. This includes the 2013 Yahoo! breach, which affected 3 billion records, and the 2017 Equifax breach.

Payment Card Industry (PCI): PCI data includes credit card information and payment details. The Payment Card Industry Security Standards Council created PCI-DSS (Data Security Standard) as a way to standardize how credit cards can be securely processed. To become PCI-DSS compliant, an organization must follow certain security practices with the aim of achieving 6 goals:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor networks
  • Maintain an information security policy

Protected Health Information (PHI): In the United States, PHI regulations are defined by the Health Insurance Portability and Accountability Act (HIPAA). This data includes any past and future data about an identifiable individual’s health, treatment, and insurance information. The guidelines for protecting PHI are periodically updated by the US Department of Health and Human Services (HHS) but on a technological level, there is no one ‘magic bullet’ that can guarantee compliance. Compliant companies and healthcare providers will layer different defenses to ensure patient data remains secure. By law, HHS maintains a portal where breaches affecting 500 or more patient records are listed and updated.

Intellectual Property: While every company should consider user and employee data sensitive, what qualifies as a sensitive IP varies from organization to organization. For SaaS companies this could be source code of all customer-facing services or customer base trends. Identifying the most valuable data to your enterprise, securing it, and maintaining that security posture should be a priority for all security teams, regardless of the size of the company or where the data is stored.

Developer Secrets: For software companies, developer secrets such as passwords and API keys can be accidentally left in source code or in the wild. Often these developer secrets are unintentionally copied and stored in lower environments, data lakes, or unused block storage volumes.

The Challenge of Protecting Sensitive Cloud Data

When all sensitive data was stored on-prem, data security basically meant preventing unauthorized access to the company’s data center. Access could be requested, but the data wasn’t actually going anywhere. Of course, the adoption of cloud apps and infrastructures means this is no longer the case. Engineers and data teams need access to data to do their jobs, which often leads to moving, duplicating, or changing sensitive data assets. This growth of the ‘data attack surface’ leads to more sensitive data being exposed/leaked, which leads to more breaches. Breaking this cycle will require a new method of protecting these sensitive data classes.

Cloud Data Security with Data Security Posture Management

Data Security Posture Management (DSPM) was created for this new challenge. Recently recognized by Gartner® as an ‘On the Rise’ category, DSPMs find all cloud data, classify it by sensitivity, and then offer actionable remediation plans for data security teams. By taking a data centric approach to security, DSPMs are able to secure what matters to the business first - their data.

Share this content on your favorite social network today!