How Can Enterprises Solve the Data Protection in the Cloud Dilemma?

Cloud computing plays a key role in enterprise data management because it allows companies to store, process, and analyze large amounts of data in a highly scalable and cost-effective manner, plus improve overall business performance. However, data protection in the cloud is a big challenge for many enterprises. Not only does it require robust security of the cloud infrastructure, but it also adds complexity to ensure data privacy and security within the cloud environment.

This article provides an overview of IDC's spotlight on cloud data compliance, which delves into the latest research on cloud data protection. It highlights the emergence of Statutory Pseudonymization as a way to effectively address most enterprise cloud use cases.

Here’s what you will learn:

  • What cloud privacy and security challenges organizations encounter;
  • Why using conventional methods like encryption isn't enough;
  • The benefits of Statutory Pseudonymization for cloud data protection;
  • Why your cloud data protection toolbox should include several privacy-enhancing technologies (PETs).

What is security and privacy in cloud computing?

Cloud data security and privacy refer to the measures and technologies that are implemented to protect data that is stored, processed, used, and shared in the cloud.

According to IDC, as organizations move away from centralized data centers and toward distributed infrastructure models and edge computing, multiple cloud environments are becoming increasingly popular.

It's important to understand and properly configure security and compliance features from the start to guarantee cloud data security. The industry-wide shared responsibility model outlines security responsibilities where typically, the cloud service provider (cloud vendor) is responsible for cloud security, while the customer (cloud user) is responsible for data protection in the cloud, including putting in place security measures to prevent unlawful data access, data loss and ensure data integrity.

Many organizations still rely on conventional cloud data protection methods, such as governance policies, access controls, and encryption; however, these measures are not enough when it comes to cloud data protection. This is because they do not take into account the unique characteristics of protecting data in all its states: at rest, in transit, and in use.

What are the key cloud data security risks enterprises should anticipate?

Data breach exposure. From a CEO perspective, cybersecurity and data sovereignty are seen as the foremost risk factors impacting their businesses during the next two years, according to the IDC Worldwide CEO Survey 2022.
How Can Enterprises Solve the Data Protection in the Cloud Dilemma?
Since cloud environments are accessed by a large number of stakeholders, the security risks increase. This is especially concerning when sensitive information, such as personal customer data is accessible in the cloud.

Data loss, once it occurs, is irreversible and beyond the control of an organization. In a 2022 IDC European security survey, 54% of respondents had experienced an increase in the volume of cyberattacks during the prior 12 months. Accenture, Facebook, Cognyte, and LinkedIn all recently experienced cloud breaches that cost them money, customer trust and brand reputation. Inconsistent cloud data protection practices often result in more frequent data breaches and, as a consequence, high fines for non-compliance with data protection regulations.

Increased regulations. Privacy regulations are also tightening with new major data regulations introduced globally. For example, the EU-U.S. Data Privacy Framework crystallized with a new data transfer agreement, expected to be completed by summer 2023, three years after the EU-U.S. Privacy Shield was invalidated.

In early 2022, the EU proposed a Data Act that outlined new rules allowing customers to effectively switch between different cloud service providers and putting in place safeguards against unlawful data transfer.

In Switzerland, the newly updated Federal Act on Data Protection (nFADP) will take effect on September 1, 2023. The latest revision is a comprehensive overhaul designed to keep pace with the changes in technology and society, including the use of cloud services, to ensure that individuals have an appropriate level of data protection.

The rise of data sovereignty regulations presents a challenge for organizations as they strive to reconcile the desire for innovation with compliance requirements. This is especially relevant for companies that utilize cloud services from global providers, as they must contend with the added complexity of data sovereignty in a cloud-based setting.
"Privacy and security concerns are inhibitors to moving regulatory sensitive data to the cloud, particularly in Europe. Security concerns center around the perceived increased security risk of storing data with a third-party provider, the lack of visibility into what data is within cloud applications, the extent to which they have control of who can access sensitive data — and, lastly, the extent to which government and law enforcement can access and request customer data. For example, the reach of the U.S. CLOUD Act has inhibited public authorities in some European countries from using the cloud."
- IDC, “Data Without the Drama — How to Process Data in the Cloud While Being Fully Compliant.”
Lack of cloud security strategy. One of the key cloud privacy concerns that enterprises should be aware of is the lack of a robust cloud security strategy. Most organizations protect their data when it is in storage and in transit, with methods such as data encryption, data masking and access controls.

However, IDC states, once data is de-encrypted for use, it becomes vulnerable and open to misuse and breach. This makes getting approvals difficult for complex use cases that require data processing, enrichment and sharing.
"Encryption and access controls in the cloud can solve security and compliance requirements for data at rest and data in transit. But problems arise when you want to process or collaborate with the data because it must be de-encrypted and is therefore transformed into a state that is unprotected."
- IDC, “Data Without the Drama — How to Process Data in the Cloud While Being Fully Compliant.”
Tools that can secure data at rest, in use and in transit power more use cases and also provide significant cost reductions with regard to such expenses as cyber insurance.

Protecting data in all its states is possible with Statutory Pseudonymization, as set forth in the General Data Protection Regulation (GDPR).

What is Statutory Pseudonymization and how can it support your cloud security strategy?

Statutory Pseudonymization applies a combination of de-identification techniques, dynamic pseudonyms or codes, and separate protection by technical and organizational measures to replace both direct and indirect identifiers of personal data. Re-identification of individuals is not possible without the use of additional information (keys) that are held separately and securely by the data controller or their designee. The process can only be reversed when re-identification of the source data is authorized, with the use of the keys.

It is important not to confuse Statutory Pseudonymization with anonymization, as the latter is a process of irreversible transformation of data that eliminates the possibility of re-identifying individuals within the dataset.

In cloud environments, Statutory Pseudonymization protects data at rest, in transit, and in use. This allows data in the cloud to be used, processed, shared, and combined lawfully while securely relinking to the original identity of the data subject when authorized.

The business benefits of Statutory Pseudonymization in the cloud and beyond

Many organizations have avoided utilizing the benefits of cloud computing, data sharing and collaboration due to data security concerns. However, Statutory Pseudonymization gives organizations both data utility as well as privacy and security compliance. This data protection solution enables businesses to ensure data security while gaining valuable insights.

Let's take a look at the business benefits of Statutory Pseudonymization outlined by IDC:

  • Secure computation in the cloud: Organizations can use Statutory Pseudonymization to securely process data in the cloud while maintaining control over data privacy and compliance. This approach eliminates concerns about third-party access control.
  • Data sovereignty and Schrems II-compliant processing: Data sovereignty jumped six spots in IDC's 2022 European security survey, becoming the third most important concern after privacy compliance and data security. Statutory Pseudonymization has proved to be the technical measure that allows organizations to continue transferring personal data outside the EU while complying with data protection laws.
  • Privacy-compliant data analytics and collaboration: Encryption is commonly used to secure data. However, encrypted data can inhibit data sharing and analytics. Many organizations now prioritize collaboration and data sharing to gain valuable insights. For example, a survey by IDC found that 71% of organizations prioritize investment in industry ecosystems to share and combine data, applications, and insights.
  • Unlock datasets to expand trusted AI/ML capabilities: Regulatory restrictions, latency, and high transfer costs inhibit the collection and use of larger datasets for machine learning, limiting the training and fine-tuning of algorithms. Statutory Pseudonymization allows multiple organizations to share data for machine learning algorithms in the cloud without compromising data privacy. This enables the training and fine-tuning of algorithms on larger datasets.
Access the IDC “Data Without the Drama — How to Process Data in the Cloud While Being Fully Compliant” spotlight for an in-depth description of the business benefits of Statutory Pseudonymization.

One Privacy Solution Is Not Enough: The Benefits of Privacy-Enhancing Technology (PET)

In a modern data protection market, companies have access to a toolbox of various privacy-enhancing technologies (PETs) that can be used separately or in combination, depending on the specific use case.

State-of-the-art PETs protect data in untrusted environments – such as the public cloud or when using different cloud providers – during active processing, when it is decrypted and most vulnerable. It provides proactive data risk management by preventing privacy violations and security breaches before they occur, restricting the amount of identifying information available for processing to only what is required and limiting it to a specific purpose.

In most cases, companies need more than one technology to unlock use cases and avoid obstacles to effective data use. Here's why:

  • Each technology has its own strengths and weaknesses, and using multiple technologies addresses different types of privacy threats.
  • Different technologies are better suited to different types of data and use cases. For instance, synthetic data may be more appropriate for completing missing data in the dataset or balancing a dataset rather than a use case that requires to apply secure re-identification.
  • Using multiple technologies provides multiple layers of protection, making it more difficult for unauthorized parties to access data.

The Anonos Data Embassy platform

Anonos' Data Embassy software centers around Variant Twins: non-identifiable yet 100% accurate variations of the source data required for specific use cases.

The patented system uses a combination of 10 state-of-the-art PETs, including Statutory Pseudonymization, synthetic data, differential privacy, and more to suit a variety of use cases that every enterprise needs to unlock in a cloud environment.

Data protection rules are centrally customized, configured and enforced, and they can be adjusted as required with downstream changes automatically applied. As a result, data-driven initiatives can be expanded and expedited for value creation while complying with applicable regulations, enhancing your cloud data protection strategy and unlocking more use cases along the way.

Read IDC’s analysis of Anonos' Data Embassy

About IDC:

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets.