On March 19, 2020, the Irish Data Protection Authority (the “DPC”) published guidance to assist organizations in understanding their data security obligations and to mitigate their risks of a personal data breach when using cloud-based services (the “Guidance”).
The Guidance contemplates that cloud-based environments entail a number of technical security risks such as hijacking of accounts and unauthorized access to personal data. Organizations should determine and implement a documented policy and apply appropriate technical security and organizational measures to secure their cloud-based environments, such as access controls, firewalls, antivirus, staff training and policy development. The Guidance highlights the need to apply these measures in a layered manner to mitigate the risk of a single security measure failing and resulting in a personal data breach.
More precisely, the Guidance consists of the five following key steps that organizations can take to secure their cloud-based environments.
1. Implementing User Access Control and Authentication Measures
This includes the following measures:
- Strong password polices;
- Two-factor authentication;
- Documenting user access privileges within the cloud-based environment and each user’s specific access requirements, while ensuring that these are supported by an appropriate change control process; and
- Carrying out regular reviews of user access to ensure all authorized access to personal data is strictly necessary and justifiable for the performance of a specific function.
2. Reviewing Default Security Settings
Organizations should not rely on the default security settings and controls provided by cloud-based service providers. Instead, organizations should review their cloud-based security features to ensure that these features are applied appropriately and in a layered manner. Examples of security settings and controls provided by cloud-based service providers often include:
- Centralized administration tools;
- Mobile device management;
- Multi-factor authentication;
- Login alerts;
- Encryption during message send and receive;
- Encryption of message content;
- Account activity monitoring and alerts;
- Data loss prevention;
- Malware protection;
- Spam and spoofing protection; and
- Phishing protection.
In particular, the Guidance emphasizes that organizations should review and implement the appropriate security settings to secure remote access.
Further, the security settings should be reviewed regularly to ensure they are still appropriate and up-to-date. The Guidance clarifies that applying the appropriate security measures is not a one-off “set and forget” exercise.
3. Seeking Assurances from the ICT Service Provider Charged with Implementing the Cloud-Based Environment
Organizations using external Information and Communications Technology (“ICT”) service providers to implement their cloud-based environments must seek formal assurances from these service providers that the security controls that have been implemented meet the organization’s specific security requirements and protect the organization’s personal data. Organizations should also proactively engage and conduct regular security reviews with their ICT security providers to ensure that the security controls are up-to-date and effective to protect them.
4. Having Clear Policies in Place and Providing Staff Training
Organizations should have clear policies in place with respect to the use and security of cloud-based services. This also includes clear “employee leaver” and “succession” policies that should be applied to the organization’s cloud-based environment and a data retention policy. Regular reviews should be conducted to ensure that the data retention policy is applied in practice.
In addition, measures should be taken to ensure that staff receive appropriate training on social engineering attacks, phishing attacks and threat practices, including refresher training to take into account the evolving threat landscape.
5. Knowing the Types of Data Stored in the Cloud-Based Environment and Securing It
Organizations should understand and monitor the types of data that is stored in their cloud-based environments and use data classification methods to identify the data. This will enable organizations to categorize the stored data in order to determine the appropriate security controls.
Additional information, advice and best practices regarding security of cloud-based environments are also provided by agencies such as the European Union Agency for Network and Information Security and the US-based National Institute of Standards and Technology.