Managing Sensitive User & Customer Data in the Cloud

Companies of all sizes and industries manage sensitive information, including employee, user or customer data. Companies that keep their data in the cloud are required to do this with extra care and comply with existing data privacy laws.

The following article outlines the terminology of data protection and lists the different security measures and best practices that companies should consider when managing sensitive data in the Cloud.

We have also written about this topic in an Atlassian Community post.

What is sensitive data?

The term “sensitive data” refers to any information that could be used to identify or harm an individual or organization if it was accessed or disclosed without authorization. Sensitive data generally includes any information that is considered confidential, personal, or private, such as:

1. Personal Identifiable Information (PII): Any data that can be used to identify an individual, such as their name, address, phone number, social security number, or passport number.
2. Confidential Business Information: Any data related to a company’s trade secrets, intellectual property, financial information, or internal communications that could be used by competitors or other parties to gain an unfair advantage.
3. Personal Communications: Any data related to private communications, such as emails, chat logs, or social media messages.
4. Financial Information: Any data related to an individual’s financial situation, such as bank account numbers, credit or debit card numbers, tax identification numbers, or financial transaction records.
5. Health Information: Any data related to an individual’s physical or mental health, such as medical records, diagnoses, treatments, or prescriptions.

All sensitive data must be protected from third-party access using appropriate security measures and management.

What are the data protection laws?

Managing sensitive information has its compliance requirements. Different countries and regions have their own regulations regarding user data, also known as customer data. Here are a few examples:

1. European Union: The EU has strict regulations regarding user data, specifically the General Data Protection Regulation (GDPR), which was enacted in 2018. The GDPR requires companies to obtain clear consent from users before collecting and processing their data and also gives users the right to access, correct, and delete their data.
2. Switzerland: Switzerland has its own data protection laws, which are similar to the European Union’s GDPR. The Swiss Federal Act on Data Protection (FADP) governs the processing of personal data in Switzerland. It establishes rules and requirements for how organizations can collect, use, and store personal data. By September 2023, the new Act on Federal Data Protection (nFADP) with stricter guidelines must be implemented by Swiss companies.
3. United States: While the US does not have a federal data protection law, some states have data protection laws, such as California Consumer Privacy Act (CCPA).
4. Canada: Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how businesses can collect, use, and disclose personal information during commercial activities.
5. Japan: Japan has the Act on the Protection of Personal Information (APPI), which regulates the handling of personal information by private organizations.
6. Australia: Australia has the Privacy Act, which regulates the handling of personal information by Australian Government agencies and private sector organizations.
7. Brazil. The General Data Protection Law (LGPD) was enacted in August 2018 and became enforceable in August 2021. It regulates the collection, storage, use, and sharing of personal data by public and private entities within the country.

Data security: Best practices to protect your sensitive data in the Cloud

Protecting sensitive data, including business secrets and other important data, is critical for companies especially if the data is kept in the Cloud. Ensuring compliance with these regulations and laws involves implementing data security policies and software solutions. Here are some of the data security best practices you might want to implement.

Encryption

Encryption is a method for securing data through cryptography in a way that can only be read by authorized users who have the keys to decrypt it. 

For this reason, key management is vital for the security of encryption. Keys must be properly managed and stored securely. Choose encryption methods that are strong and up-to-date (like AES 256) so they cannot be bypassed with methods such as brute-force attacks.

Encryption prevents unauthorized access to sensitive data, even if the data is intercepted or stolen. This is important both in transit (being sent over a network) and at rest (stored on a device or server).

Access control & authentication

Companies should ensure that only authorized people can access sensitive data by implementing strict access controls. They can use access levels to limit access to sensitive data to only those who need it. They should also ensure that all users are properly authenticated before accessing any data.

Data backup

Data backup provides a way to recover from any data loss or corruption. Regular data backups can help organizations avoid data loss or downtime due to hardware failure, natural disasters, or other unexpected events.

Backups should be stored securely off-site or in the cloud to ensure that data can be recovered even if the primary location is inaccessible. Similarly, an organization should set up a backup strategy based on the type and amount of data, the frequency of data changes, and the amount of time and resources available for backup and recovery. Additionally, backup data should be regularly tested to ensure it is accessible and not corrupted.

Incident response plan

An incident response plan (IRP) provides a framework for responding to security incidents and data breaches. IRPs should outline the steps to be taken, including the roles and responsibilities of different individuals and teams. This can help ensure a prompt and effective response to minimize the damage caused.

An Incident response plan should be regularly reviewed and updated to ensure that it remains relevant and effective in the face of changing threats and technologies. It should be tested through tabletop exercises or simulated incidents to ensure that all parties understand their roles and responsibilities and that the plan is effective in practice. Finally, incident response plans should be reviewed and updated after each security incident to identify areas for improvement.

Awareness training

Companies should help employees understand the importance of data security and data protection. Employees must know the policies and procedures to protect sensitive data in practice. Security awareness training can include information about the types of sensitive data, the risks associated with handling this information, and how employees can protect it.

Effective security awareness training should be regularly provided to all employees, including new hires, and should be updated to reflect changes in technology, laws, and regulations. Awareness training can take various forms, including online training modules, in-person training sessions, and ongoing communications to keep employees informed and up-to-date. 

Security assessments

Regular security assessments help organizations identify and address vulnerabilities in their systems and processes. Security assessments can take various forms, including internal audits, penetration testing, and vulnerability scanning. Qualified and experienced personnel should perform these security assessments using recognized industry standards and guidelines. 

Regular assessments should be performed to ensure the organization stays ahead of emerging threats. Moreover, the results of security assessments should be used to update the organization’s security policies and procedures.

Using a VPN

Another way to enhance data security and access control is by using virtual private networks (VPNs)—especially for remote teams. VPNs are a reliable way of securing a company’s network and data. A good VPN can help companies secure their data while they are on the move and protect their data against cyberattacks. Using a VPN can help protect sensitive data when accessing cloud services and applications by encrypting the traffic between the employee’s device and the cloud provider’s servers. 

Software updates

Security software updates fix known vulnerabilities, improving systems and applications’ security. Keeping software updated keeps attackers at bay since these often target vulnerabilities in outdated software to gain access to sensitive data.

Software updates may include patches, new features, and performance improvements. As such, organizations should have a process in place for regularly updating software. This includes:

• a schedule for applying updates,
• a testing process to ensure that updates do not disrupt normal operations
• a backup process to ensure that systems can be quickly recovered if an update failure occurs.

Enhance your sensitive data management with the right tools

Companies and industries relying on the cloud for data management must manage (save, handle and access) sensitive user and customer data responsibly. To do so, they must understand and comply with different regulations and laws. Companies can help protect sensitive data from unauthorized access and data breaches by encrypting data and implementing various security policies.

💡 If your company uses Jira Cloud to handle sensitive data (employee, customer or confidential company data), bitvoodoo recommends using Confidential Fields with Data Residency for Jira. This app ensures that data in custom fields is fully encrypted and protected from unauthorized access. It also allows storing confidential field data in the data residency of your choice.

❓If you want to know more about the app, please contact our support team.