First of all, I’d like to wish you a happy new year 2020!
My sincere prayer is that 2020 will be a successful, rewarding and remarkable year for you and your loved ones.
Reflecting back on 2019
As I personally reflect back on the year 2019 – my successes, missed opportunities and personal failures, I remain thankful for this journey of life that I have continued to embark on, and look forward to the opportunities, experiences and lessons that lie in store for me in year 2020!
In a previous article that I published 18 months ago titled What Is Your 2020 Vision?, I mentioned 4 exciting goals (3 customer and 1 personal) that I wanted to achieve before 2020. While I was able to achieve the 3 customer goals, I beat myself up for not achieving the 1 personal goal that actually benefits me and my family, which was to raise Series A funding of $5 million for my bootstrapped SaaS/mobile app startup CloudeAssurance, hosted on Microsoft Azure PaaS/IaaS. However, I’ve decided not to dwell on the past, but instead to fail forward, using the lessons learned from this failure to better position myself for success in 2020. This approach is already yielding dividends with the help of my amazing ghostwriter, Amanda Holloman. Towards the end of 2019, we managed to complete my fictional novella titled Attribution (you guessed right, it is about cyber security…).
Attribution is a fictional novella that brings awareness to social injustice, cyber security, family breakdown and autism by detailing 40 weeks in the life of a fourteen-year-old ninth grader from Atlanta who goes from being a straight-A student and winning a hackathon, through parental separation and expulsion from school, to ending up as a national security threat and surviving a drone attack in a remote location in Montana.
I’m looking forward to publishing this thought-provoking novella later this month and exploring options to turn it into a movie by year end!
Now, on the topic of cloud security… I think I’m qualified to speak on this important topic, considering I’ve been providing thought leadership on it for the past 8 years in the form of cloud security whitepapers, webinars and public speaking engagements.
2020 threat landscape and the cloud
From a threat landscape perspective, Gartner predicts that “by 2020, 95% of cloud security failures will be the customer’s fault” and “by 2023, at least 99% of cloud security failures will be the customer’s fault”. I believe that the dire warning in this Gartner prediction is spot on, as evidenced by the spate of highly publicized cloud security failures (data breaches, service outages, etc.) in the recent past.
2020 regulatory perspective and the cloud
From a regulatory perspective, the General Data Protection Regulation, popularly known as GDPR, which went into effect on May 25, 2018, is now starting to resonate with both enterprises and their service providers, as we have seen record fines handed down by different EU member states to non-compliant global companies in the past year.
According to Wikipedia, GDPR applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (the person) is based in the EU. A report by the European Union Agency for Network and Information Security (ENISA) elaborates on what needs to be done to achieve privacy and data protection by default. It specifies that encryption and decryption operations must be carried out locally, not by a remote service, because both the keys and the data must remain in the control of the data owner if any privacy is to be achieved. The report concludes that outsourced data storage on remote clouds is practical and relatively safe as long as only the data owner, not the cloud service, holds the decryption keys. The practical corollary is that provider-managed “encryption at rest”, where the cloud service generates and holds the key, does not meet this bar on its own: the provider can still decrypt the data.
According to Wikipedia, depending on the severity of the GDPR infringement, the following liabilities and penalties apply:
- A fine of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (the lower tier, Article 83(4)).
- A fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (the higher tier, Article 83(5), which covers infringements of the basic processing principles, data subject rights and cross-border transfer rules).
The immense impact of GDPR has been felt on both sides of the Atlantic. For example, GDPR inspired the California Consumer Privacy Act, otherwise known as CCPA, the nearest US counterpart to date (a state law rather than a federal one), which goes into effect today, January 1, 2020. We will most likely start to see some enforcement action under CCPA in early 2020.
According to Wikipedia, CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
According to Wikipedia, the following sanctions and remedies can be imposed for violation of CCPA:
- Companies that become victims of data theft or other data security breaches can be ordered, in civil class action lawsuits, to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater, plus any other relief a court deems proper, subject to the option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it.
- A fine of up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
Small and medium-sized enterprises and their cloud service providers could potentially be the most impacted by CCPA, considering the penalties are not scaled to the revenue of the organization.
I’d also argue that smaller organizations are unlikely to be aware of, much less comprehend, what the “shared responsibility model” actually requires of them when using a cloud service provider.
2020 the path forward
Here are my top 7 recommendations to consider for the path forward in 2020:
- Seek to understand and embrace privacy laws (GDPR, CCPA etc.).
- Seek to understand and embrace security frameworks (NIST, ISO, COBIT, ITIL etc.).
- Seek to embrace the cloud for agility, security and resilience, not just because everyone is doing it.
- Seek to leverage public cloud services, but understand the “shared responsibility model” and own your responsibility.
- Go “beyond compliance” to “embracing maturity” by proactively identifying those proverbial icebergs that could sink your Titanic.
- Rely on independent, objective and impartial third-party validation of your internal and service provider controls for privacy and security.
- Utilize cyber insurance coverage as a risk transfer mechanism once you have done all you can to proactively manage your cloud security risks.
Once again, happy new year 2020!