As more and more telcos migrate services to the cloud (e.g., IaaS, PaaS and SaaS), their customers’ data goes with it, which creates multiple new risks to customer privacy and – ultimately – their security.
To add to it, the ever-growing world of connected devices and the IoT ecosystem makes things even riskier. This is particularly true as most connected devices reside in what are called “unmanaged networks” – meaning, not monitored by someone in a CISO-type role. Unmanaged network are almost exclusively homes and micro-SMB / SOHOs and obviously constitute the lion’s share of an ISP’s customer base.
Consider then that the “average” smart home has around 20 connected devices and that ISPs are handling large amounts of personal data, including browsing history, search queries, and location information. As such, ISPs have growing concerns about privacy when it comes to using cloud services. For example, they may have concerns about the security of their customers’ data when it is stored in the cloud and additional concerns about their own legal obligations to protect that data, such as those described in the “GDPR” style regulations that have been introduced around the world in recent years.
In order to address these concerns about, for example, illicit third-party access to their customers’ data, ISPs should seek out cloud service providers that offer robust security measures and have strict privacy policies in place. However, there is also action to be taken on the home front, as ISPs must implement their own internal policies and procedures to ensure compliance with relevant privacy regulations – and one way to achieve that is through data anonymization.
When it comes to selecting cloud service providers, ISPs need to start by reviewing if the provider will store and/or traffic any personally identifiable information (PII) or information that may be identifiable by association.
If the cloud service provider will be storing such information, their different security controls may need to be reviewed as well, including:
1. Data encryption: verify that the cloud vendor implements proper encryption of the data, preferably hashing of the data where possible. For example you can review this guide to GDPR.
2. Access controls and auditing logs: verify that the vendor uses proper access control mechanisms, limiting access to the data as well as using secure authentication methods (strong password policy, multi-factor authentication, etc.). Also, validate that the vendor is keeping access, changing logs, and monitoring those logs closely. Monitoring access logs can help you and your vendor to identify any unusual or unauthorized access to your customer’s data, so that you can take appropriate action to protect it. In fact, leading vendors offer a security operations center (SOC) that can monitor logs for the customers upon request. For more details on proper access controls see: ISO27002 Page section 11.
3. Regularly update security protocols: Keeping your security protocols up to date can help to protect against new threats and vulnerabilities.
By taking these steps ISPs can ensure that their customers’ data is being handled responsibly and securely by the cloud vendor. Properly reviewing the vendor’s risk mitigations can help to ensure regulatory compliance, particularly if you are in an region with strict data privacy regulations. By choosing a vendor that meets these requirements, you can avoid any potential fines or penalties for non-compliance. Additionally, properly reviewing the vendor’s risk mitigations can help to protect against data breaches and other security threats, which can save your business time, money, and reputation in the long run. Overall, thorough assessment of a cloud service vendor’s risk mitigations can provide peace of mind and help service providers to make an informed decision about their data privacy needs.
Cloud-based vs. premises-based privacy protection
And when it comes to privacy risk management, the two most common approaches are cloud-based and premises-based. The following section describes the benefits of using a cloud service provider as compared to on-premises solutions.
First, using a cloud service provider can often offer great security measures and protection for your data. Cloud providers often have dedicated security teams that are responsible for monitoring and maintaining the security of their systems, which can provide an extra layer of protection. That removes the need for additional resources that may be required around the infrastructure and management of the solutions.
Another advantage of using a cloud service provider is that it can offer greater regulatory compliance. Many industries have strict regulations around data privacy and security, and using a cloud service can help you to meet these requirements more easily. By outsourcing the management and security of your data to a trusted provider, you can ensure that your data is handled in a way that meets regulatory standards.
Finally, using a cloud service provider can also provide greater scalability and flexibility. With an on-premise solution, you are limited by the resources and capabilities of your own servers. In contrast, a cloud service provider can scale up or down to meet your changing needs, without the need for additional hardware or infrastructure. This can be especially useful for businesses that experience seasonal fluctuations or rapid growth.
As a reputable cloud-native security service provider, SAM Seamless Network’s solution was designed with privacy in mind, facilitating compliance with the stringent regulations and standards required by leading tier-1 service providers. We have implemented robust controls to verify and protect network and customer data and privacy. These include access controls, secure patch management processes and procedures, a Security Operations Center that monitors security incidents and event management, endpoint detection and response and other services. SAM’s solution portfolio provides a secure, privacy-oriented and effective solution to ISPs around the world, covering more than 5 million subscriber networks.