Protecting PII in the Cloud

What is PII?

PII (Personally Identifiable Information) is any information about an individual that can be directly tied to that person’s identity. PII can be used with or without other data to identify an individual. 

Examples of Personally Identifiable Information are: 

• name, 
• social security number, 
• biometric records, 
• unique personal document numbers such as passport or driver’s license number, 
• medical, educational, financial history, and many others. 

PII information can be categorized into two parts: 

1. Linked information. This type of data can on its own single out an individual. 
2. Unlinked information. A person cannot be directly traced based on it, but if combined with another piece of information it could identify an individual. Some examples are: 

• city, 
• gender, 
• age range, 
• race. 

What data is considered non-PII? 

Data that cannot be used to pinpoint a person is considered non-personally identifiable information (non-PII). 

Some examples of non-PII information are: 

• data collected by browsers and devices such as device type, browser type, language preference, screen size, 
• aggregated statistics, 
• IP addresses. 

What happens if PII is breached? 

Identity theft is one of the biggest threats involving PII.  

What can an attacker do with a target’s PII? They can, in their victim’s name: 

• Open accounts, 
• File for tax refund, 
• Claim unemployment benefits, 
• Use health insurance, 
• Take out loans, and many others. 

These actions are very serious and can occur without the victim’s knowledge. 

PII in the Cloud 

There are several standards that regulate the management of PII in the cloud: 

• NIST, 
• HIPAA, 
• GDPR, 
• ISO 27002, and others. 

A few safety guidelines regarding PII have been established by these standards, according to Investopedia: 

1. Some of the sensitive information must be stored only in extreme situations. 
2. Delete PII if it is not needed for its stated purpose. 
3. Do not share PII with parties that do not guarantee its protection. 
4. Report if a PII breach occurs. 

How do you safely handle PII in the Cloud? 

According to IBM, PII was the most costly type of data lost in data breaches in 2021, averaging at around 180USD/record lost. 

There are a few safety precautions that can be taken to increase the safety of private data in the cloud. 

1. Implement strong password policies 

Make sure that your organization only allows strong passwords and that they are not re-used. This best practice helps prevent someone from gaining access to the PII in the cloud. 

2. Encrypt the data 

Encryption is an essential step to securing the PII. Use industry-recommended encryption algorithms and robust key management.  

This reduces the risk of a data breach in case an attacker gains access to the data stored in the cloud. 

3. Tokenize PII 

Alongside encryption, tokenizing personally identifiable information is another measure to keep it secure.  

Tokenization works by mapping the PII to a token (which can be, for example, a unique string of characters) that on its own does not mean anything, and storing that token instead of the data. 

If the token is leaked, the attacker has to obtain its pair, the PII. However, the actual information is usually stored in a tokenization manager that will only disclose the data to authorized entities. 

4. Only keep necessary information 

Another obvious way to keep data secret is to simply not store it; make sure you’re not keeping any non-essential PII and correctly dispose of it.  

5. Comply with The Least Privilege Principle 

Make sure no employee has more privileges than they need; this helps keep the PII exposure at a minimum, thus increasing its safety. 

Who is responsible for PII? 

Every person should be very cautious when asked to provide any kind of PII. 

When we’re discussing PII stored in the cloud, the organization storing it is responsible with the safety of the private data they are holding. 

If GDPR compliant, companies assign a Data Protection Officer (DPO), who oversees the manipulation of data and ensures compliance.  

The DPO is responsible with making sure that PII is stored correctly. 

How can Cyscale help you with protecting PII in the cloud? 

Here’s how: 

• It uses controls that automatically alert you if you’re not implementing the rules, guidelines, and best practices recommended by international standards, 
• It provides you with remediation steps to fix misconfigurations regarding PII in the cloud, 
• Cyscale helps you become compliant with international standards and prove to your customers that you’re responsible and handling PII safely.