Data privacy is defined by an organization’s ability to determine what data in a computer system can be shared by third parties. IT leaders are increasingly concerned with enterprise data privacy and protection, and they need ways to maintain control of what data is being accessed.
What kinds of data are subject to privacy concerns in an enterprise context?
- Regulated data, such as patient’s health records, customer information, or accounting records; often industry-specific and protected by laws and treaties such as HIPAA, ECPA, or the EU-US Privacy Shield
- Employee data, such as Social Security numbers, payroll information, or personal details, such as phone numbers and home addresses
- Unregulated data, such as the email conversations, presentations, and reports that are constantly produced by employees
- Competitor-sensitive data, such as intellectual property documents, business metrics, planning and strategy documents, and financial documents
- Credentials, such as user passwords, encryption keys, and access tokens
The Cloud Dilemma
A couple of decades ago, IT leaders could reasonably control their enterprise data by keeping everything on-premises. Data privacy was manageable as long as the data was under full control on the enterprise’s servers.
Then IT infrastructure and software costs started going down, and networks became faster, more reliable, and more secure. Soon, the cloud arrived and changed everything.
Suddenly, enterprise users were being offered great services over the internet with promises of speed and efficiency that their IT departments couldn’t match. Enterprise data started leaking over the internet through a myriad of SaaS services. For most users, “the cloud” was a mythical place—viewed as being more or less the same thing as the Internet—where they could find anything and get more stuff done.
However, as the joke says, “There’s no cloud. It’s just someone else’s computer.” Realizing that they were giving away enterprise data caused many IT leaders to forbid their users to rely on cloud services at work.
On the other hand, cloud computing is appealing to IT leaders because it’s flexible and cost effective. Today, the question for most IT leaders is not whether they should ignore the cloud but how they can deal with it properly without compromising their business objectives.
In terms of the security aspects, the main cloud providers all offer security compliance levels that would be more costly than most enterprises could afford if they had to implement it themselves.
Does this mean enterprises are better off moving everything to a public cloud and relying on Amazon, Google, or Microsoft’s data privacy policies? Of course not. Ensuring data privacy in the cloud is probably achievable for most enterprises. However, just like when using a private on-premises infrastructure, it’s still necessary to implement security controls on top of a cloud provider solution.
Can Open Source Help with Data Privacy and Protection?
Over 78% of all enterprises use open source software, and there is a trend showing that it is spreading widely since more enterprise software types now have viable open source alternatives. As the adoption of open source software has grown, the concerns voiced by open source skeptics have progressively shifted from licensing to security matters.
Although closed source software approaches security through obscurity while open source relies on transparency, nothing makes one intrinsically more secure than the other.
The most active open source projects benefit from a large community that detects and responds to issues rapidly. This works because the internet runs largely on open source software.
That said, companies that want to rely on open source software remain responsible for vetting its security and keeping up with security updates. The good news is that there are online databases and tools that track vulnerabilities in open source libraries.
With a measurable effort, it’s possible to remain safe when using open source software. Most enterprise software vendors that embed open source libraries are proactively protecting their customers via patches and security advisory programs.
Data privacy is pretty much a matter of control. Whether IT leaders choose to offload some work to a cloud service provider or to a third-party software vendor, they’re always conceding some control over their data. But by deploying open source software, IT leaders get a few advantages:
- More control of data
- The ability to audit a system fully to inspect data manipulations
- The ability to adapt a system to comply with their data privacy policies
In any case, data privacy is not effortless. Complete safety is hard, if not impossible, to achieve for most enterprises. As is always the case for security, it’s all about setting the cursor to balance risk and flexibility.