GRC Tuesdays: Developers Can’t Escape Data Protection in the Cloud
Public clouds have the ability to transform enterprises, but they also create new data protection and security challenges for companies and its developers. While the cloud services provide speed and flexibility for developers, using the cloud without appropriate governance creates data protection risks and unprotected environments.
To avoid reputational loss associated with data breaches, companies need a systematic methodology to data protection in the cloud. They need to ensure that their developers are thinking about data protection and privacy while designing the applications—a data protection by design/default approach.
This should not be rocket science—in many cases, it is common sense. But as the old saying goes, common sense just isn’t all that common. So what do developers need to keep in mind as they develop software, especially in the public cloud?
Compliance: Data Protection by Design and Default
An understanding of data protection laws and information security is a prerequisite for developing software. Developers should know the applicable requirements and which tools will help them convert knowledge of data protection and information security into software that safeguards the software.
As the volume of data continues to grow and flow more easily with the help of the globally connected clouds, over 60 countries have created data protection laws requiring public/private entities to provide complete data protection. The penalties for not following data protection laws are rising. For example, the General Data Protection Regulation (GDPR)¹, recently implemented by the European Union has a penalty of up to €20 million or 4% of a company’s worldwide annual revenue (prior financial year)!
Under GDPR, a data controller (and their developers)are required to follow data protection by design and default while developing software. The concept of data protection by design requires that data protection measures be embedded into the architecture and design of a company’s IT infrastructure. (No, they’re not add-ons or tweaks.)
So, where does one start? Here are three main areas developers should think about.
1.Understanding the Environments: Development, Testing, Staging, and Production
- Developers should have a clear understanding of how they’re securing their environments.
- They may need to limit the number of people who have access as a product moves from “Development” to “Live.”
- They should know how to manage the credentials needed in the different environments.
- Additionally, they should have a very clear understanding of whether any personal information is being used anywhere other than Production. (It definitely shouldn’t be!).
2.Data Flow Mapping
- Developers should have a very clear understanding of how data is collected through their applications, how it flows through the systems, gets duplicated, transformed, exported, and stored.
- Under GDPR, among many other regulations, it’s now a requirement to understand and classify the types of data a company collects.
- If any of that data is considered sensitive (like information related to racial or ethnic origin, political opinions, sexual orientation, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health data), then the enterprises and their developers have heightened obligations in protecting this data under GDPR.
- Developers should take a risk-based approach while classifying the data and protecting it.
- Developers have to actively consider which data to store and where.
- When developing an application running in the cloud, developers should know where in the cloud this data will be stored.
- Given stringent data localization and residency laws in some countries, some type of sensitive data need to be constrained to a geolocation, even when in the public cloud.
Can SAP Help?
Among its other solution, SAP has developed SAP Data Custodian to help companies with the geolocation requirements. This solution is a turnkey SaaS-based application for visibility and control of data in the public cloud. Providing such end–to-end visibility into a customer’s public cloud landscape is a natural extension of SAP’s expertise in business processes software.
Overall, irrespective of whether a regulation requires it, data protection by design is a necessity for software development because it’s both cost-effective and more efficient than making changes to an existing piece of software after the fact. Additionally, this helps build trust with customers, which is a huge competitive advantage, especially when it comes to the cloud.
- Visit our SAP Data Custodian solution page, where you can find the solution brief and more.
- Read our other GRC Tuesday blogs for more on topics like this one.