Personally identifiable information (PII) data breaches have risen significantly, posing challenges for enterprises storing PII in the cloud. There are five critical aspects to protecting PII data: data classification, security controls, encryption, loss prevention, and regulatory compliance. TCS recommends classifying data using tools and predefined criteria, then applying security controls such as access management and monitoring. Data should be encrypted at rest and in transit. Loss prevention controls such as monitoring network egress can detect and block data leakage. Assessing regulatory risks and enforcing policies helps ensure compliance. Combining TCS and AWS security services provides a comprehensive approach to protecting sensitive user data in the cloud.
Protecting Sensitive Personal Data in the Enterprise
1. Protecting sensitive personal data in the enterprise
Powered by TCS AWS business unit
24 August 2021
Raji Krishnamoorthy
Head, AWS Security and Compliance
AWS Business Unit, TCS
2. Challenges in protecting PII data on cloud
Nearly 80-90% of data breaches involve personally identifiable information (PII); ransomware attacks witnessed a rise of 57%.*
*Source: Cyware.com
Enterprises storing PII data on the cloud need to secure data at rest and in transit from intruders. They need to:
• Set up complex monitoring systems to identify and thwart malicious or unauthorized access
• Track complex and sensitive data exchanges for source, structure, quality, lineage and usage
• Ensure compliance with global privacy regulations
• Choose a combination of native services and third-party tools to protect data
3. Five critical aspects for protecting PII
In a world of ever-increasing compliance and privacy concerns, building PII guardrails helps enterprises uphold customer trust and adhere to regulatory standards. We recommend a five-fold approach to build guardrails for enterprise PII data:
• Data classification: leverage data classification tools and predefined criteria to categorize data
• Data security controls: protect data and infrastructure with built-in fraud detection controls
• Data encryption: encrypt data at rest and in motion, making it unintelligible to eavesdroppers
• Data loss prevention: prevent loss, leakage or misuse of data through breaches, exfiltration and unauthorized use
• Regulatory compliance: equip organizations to continue operations and meet obligations despite disruption
4. Data classification | First step to protect PII data
TCS Confidential
• Categorize data based on predefined criteria to efficiently manage and protect it
• Combine manual and automated techniques to optimally classify data
• Leverage cloud service provider tooling to search storage volumes and match data against predefined patterns
• Implement the right security measures based on data sensitivity, using data classification tools
5. Data security controls | Using domain and configurability
• Apply the right identity and access management (IAM) mechanisms to manage and log access across users and groups
• Detect unauthorized traffic proactively, monitor deviations in configuration and facilitate audits of databases
• Secure cloud environments against attacks such as distributed denial of service, prevent threats to the application layer and bring in secure network segmentation
• Layer multiple controls for security redundancy and eliminate single points of security failure
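The "monitor deviation in configuration" and "right IAM mechanisms" points above are usually enforced by checking policy documents against least-privilege rules before (and after) they are deployed. The checker below is an added example, not TCS or AWS code; the policy documents, the account id 123456789012 and the bucket ARNs are constructed placeholders. It flags wildcard actions, non-read access on `Resource: "*"`, anonymous principals without a Condition, and a bucket policy that does not deny plaintext (non-TLS) access.

```python
"""Static least-privilege checks for IAM and S3 bucket policies.

Added example (not a TCS or AWS tool). Policies, account id and ARNs are
constructed placeholders; in practice the same checks would run over
documents retrieved via the IAM/S3 APIs or AWS Config.
"""

# Action verbs treated as read-only; anything else on Resource "*" is flagged.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_insecure_transport(stmt: dict) -> bool:
    """A Deny keyed on aws:SecureTransport=false blocks plaintext access."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    return stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false"


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means no deviation found."""
    findings: list[str] = []
    statements = _as_list(policy.get("Statement"))
    # Only resource policies carry Principal; identity policies do not.
    is_resource_policy = any("Principal" in s for s in statements)
    if is_resource_policy and not any(_denies_insecure_transport(s) for s in statements):
        findings.append("resource policy: no Deny for aws:SecureTransport=false (plaintext access allowed)")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt[{i}]: wildcard action {action!r}")
        read_only = all(a.split(":")[-1].startswith(READ_ONLY_PREFIXES) for a in actions)
        if "*" in resources and not read_only:
            findings.append(f"stmt[{i}]: non-read action granted on Resource '*'")
        if _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"stmt[{i}]: anonymous principal with no Condition")
    return findings


# Constructed "before": a bucket policy open to the world.
PERMISSIVE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenToAll", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}
    ],
}

# Constructed "after": one reader role, TLS required, plaintext explicitly denied.
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PiiReaderRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/pii-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::pii-bucket", "arn:aws:s3:::pii-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::pii-bucket", "arn:aws:s3:::pii-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Constructed identity policy granting full admin: two deviations.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}

if __name__ == "__main__":
    for name, pol in [("permissive", PERMISSIVE_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)]:
        print(name, audit_policy(pol) or ["no findings"])
```

The checker is deliberately conservative: it treats `s3:*` and `Resource: "*"` as deviations even where a Condition narrows them, because a reviewer should see and approve those cases rather than have a tool silence them.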
6. Data encryption | Making PII data indecipherable
• Enforce security measures that comply with data privacy laws
• Prevent data from being manipulated by unauthorized users
• Protect data both at rest and in transit
Data at rest:
• File/folder encryption
• Full-disk encryption for cloud workload storage volumes
• Specialized encryption (database, email)
• Cloud-native storage encryption
Data in transit:
• Encrypt the data before transmission, authenticate the endpoints, and decrypt and verify the data on arrival
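For data at rest, the pattern cloud-native storage encryption (and AWS KMS, listed later in this deck) relies on is envelope encryption: each object gets its own data key, and only the data key wrapped under a master key is stored beside the ciphertext. The block below is an added example, not TCS or AWS code. The `LocalMasterKey` class is a hypothetical in-process stand-in for a KMS key; the sample records are constructed; it needs the third-party `cryptography` package. Besides the round trip, it shows two checks a practitioner wants from an authenticated mode: a flipped ciphertext byte is rejected, and a ciphertext moved into another record's envelope is rejected because the record id is bound in as associated data.

```python
"""Envelope encryption for PII records at rest (added example, not TCS/AWS code).

Each record is encrypted with AES-GCM under a fresh 256-bit data key; only
the wrapped data key is stored with the ciphertext. The master key never
leaves the key service, here a hypothetical LocalMasterKey standing in for
KMS Encrypt/Decrypt. Requires the third-party `cryptography` package.
"""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


class LocalMasterKey:
    """Stand-in for a KMS key: wraps and unwraps data keys, never exports itself."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self._aead = AESGCM(AESGCM.generate_key(bit_length=256))

    def wrap(self, data_key: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        # key_id as associated data binds the wrapped key to this master key
        return nonce + self._aead.encrypt(nonce, data_key, self.key_id.encode())

    def unwrap(self, wrapped: bytes) -> bytes:
        nonce, ciphertext = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return self._aead.decrypt(nonce, ciphertext, self.key_id.encode())


def encrypt_record(master: LocalMasterKey, record_id: str, record: dict) -> dict:
    """Encrypt one PII record under a fresh data key; return the storable envelope."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    # Associated data ties the ciphertext to its record and key ids, so a
    # writer cannot splice one record's ciphertext into another row unnoticed.
    aad = f"{record_id}|{master.key_id}".encode()
    ciphertext = AESGCM(data_key).encrypt(nonce, json.dumps(record).encode(), aad)
    return {
        "record_id": record_id,
        "key_id": master.key_id,
        "wrapped_key": master.wrap(data_key).hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
    }


def decrypt_record(master: LocalMasterKey, envelope: dict) -> dict:
    """Unwrap the data key, then authenticate and decrypt the record."""
    if envelope["key_id"] != master.key_id:
        raise ValueError("envelope was wrapped under a different master key")
    data_key = master.unwrap(bytes.fromhex(envelope["wrapped_key"]))
    aad = f"{envelope['record_id']}|{envelope['key_id']}".encode()
    plaintext = AESGCM(data_key).decrypt(
        bytes.fromhex(envelope["nonce"]), bytes.fromhex(envelope["ciphertext"]), aad
    )
    return json.loads(plaintext)


def roundtrip_ok() -> bool:
    """Encrypt a constructed record and check it decrypts unchanged."""
    master = LocalMasterKey("alias/pii-master")
    record = {"name": "Jane Doe", "ssn": "123-45-6789"}  # constructed sample
    return decrypt_record(master, encrypt_record(master, "cust-0001", record)) == record


def tamper_detected() -> bool:
    """Flip one ciphertext byte; GCM's tag check must reject the record."""
    master = LocalMasterKey("alias/pii-master")
    env = encrypt_record(master, "cust-0002", {"email": "jane@example.com"})
    ct = bytearray(bytes.fromhex(env["ciphertext"]))
    ct[0] ^= 0x01
    env["ciphertext"] = bytes(ct).hex()
    try:
        decrypt_record(master, env)
    except InvalidTag:
        return True
    return False


def splice_detected() -> bool:
    """Present record A's key and ciphertext as record B; the AAD mismatch must fail."""
    master = LocalMasterKey("alias/pii-master")
    a = encrypt_record(master, "cust-A", {"v": 1})
    b = encrypt_record(master, "cust-B", {"v": 2})
    spliced = dict(a, record_id=b["record_id"])
    try:
        decrypt_record(master, spliced)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok(), "tamper:", tamper_detected(), "splice:", splice_detected())
```

Rotating the master key then means re-wrapping only the small data keys, not re-encrypting every record, which is why the wrapped key and `key_id` travel with the ciphertext. Data in transit is the TLS side of the slide (certificates via ACM) and is not covered by this block.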
7. Data loss prevention | Prevent PII data leakage
• Classify PII data based on the nature of the business and regulatory standards
• Implement monitoring at the network egress boundary, on all internet-facing devices
• Install a data loss prevention (DLP) agent on hosts that process production data
• Enforce security policy rules, based on the content and context of the data classification, when certain types of data are accessed or leaked
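The classification step on slide 4 (match data against predefined patterns) and the DLP step above (enforce rules on the content and context of the data) share one engine, so one added example serves both. It is not TCS or AWS code; the detection patterns, sensitivity labels, approved destinations and the egress events are constructed. The point a pattern-only scanner misses is shown in the card-number case: a loose regex catches order numbers too, so the classifier validates the Luhn checksum before counting a hit, and the DLP decision then depends on the channel and destination, not only on what was found.

```python
"""Pattern-based PII classification feeding a DLP egress decision.

Added example (not TCS or AWS code) covering two steps from the slides:
matching content against predefined patterns to assign a sensitivity level,
and enforcing a policy on the content *and* context of an egress event.
Patterns, labels, approved destinations and sample events are constructed.
"""
import re
from dataclasses import dataclass

# The card pattern is deliberately loose; the Luhn check below removes
# false positives such as order or tracking numbers.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
SENSITIVITY = {"card_number": "restricted", "us_ssn": "restricted", "email": "confidential"}
LEVEL_RANK = {"internal": 0, "confidential": 1, "restricted": 2}
APPROVED_DESTINATIONS = {"payments.example.com", "hr.example.com"}  # constructed


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the PII labels found (with counts) and the resulting sensitivity level."""
    findings: dict[str, int] = {}
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "card_number":
                digits = re.sub(r"\D", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # looks like a card number but is not one
            findings[label] = findings.get(label, 0) + 1
    level = max((SENSITIVITY[l] for l in findings), key=LEVEL_RANK.__getitem__, default="internal")
    return {"findings": findings, "level": level}


@dataclass(frozen=True)
class EgressEvent:
    user: str
    channel: str      # "https", "email" or "usb"
    destination: str  # hostname, mail domain or device id
    body: str


def dlp_decision(event: EgressEvent) -> tuple[str, str]:
    """Allow, block or quarantine based on the data class and where it is going."""
    result = classify(event.body)
    level, labels = result["level"], ", ".join(sorted(result["findings"]))
    if level == "restricted":
        if event.channel == "https" and event.destination in APPROVED_DESTINATIONS:
            return "allow", f"restricted ({labels}) to approved endpoint {event.destination}"
        return "block", f"restricted ({labels}) via {event.channel} to {event.destination}"
    if level == "confidential" and event.channel == "usb":
        return "quarantine", f"confidential ({labels}) copied to removable media"
    return "allow", f"{level} data, no rule matched"


SAMPLE_EVENTS = [  # constructed
    EgressEvent("alice", "https", "payments.example.com", "Card 4111 1111 1111 1111 exp 12/27"),
    EgressEvent("alice", "email", "gmail.com", "Card 4111 1111 1111 1111 exp 12/27"),
    EgressEvent("bob", "https", "files.example.net", "SSN 123-45-6789 for onboarding"),
    EgressEvent("carol", "usb", "USB-7F21", "Contact jane.doe@example.com about the invoice"),
    EgressEvent("dave", "email", "partner.example.org", "Order 1234 5678 9012 3456 shipped"),
]


def run_samples() -> list[str]:
    """Verdict for each sample event, in order."""
    return [dlp_decision(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:10} {event.user:6} {event.channel:5} -> {event.destination}")
```

The same card number is allowed to the approved payments endpoint and blocked to a personal mail domain, which is the "content and context" rule from the slide; the order number in the last event yields no finding because it fails the Luhn check.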
8. Regulatory compliance | Establish user trust
• Assess the regulatory risks by identifying the gaps in the existing security setup
• Enforce security policies to meet the compliance requirements
• Build auto-remediation compliance capabilities
• Remediate the identified weaknesses based on the risk assessment
9. The combined synergy of TCS Cloud Foundation Designer and AWS Security Services
• PII data security design patterns for five elements of sensitive user information
• 40% reduced effort to build security guardrails
• Aligned with AWS Well-Architected Framework principles
• Compliant with the Center for Internet Security (CIS) AWS Foundations Benchmark
• Role-based access control to workloads on AWS cloud
• Advanced encryption engines
• End-to-end, AI-driven data protection
AWS services used: Amazon Macie, AWS IAM, AWS KMS, AWS Security Hub, AWS Certificate Manager (ACM), AWS CloudHSM, AWS Secrets Manager, AWS Shield
10. A quick recap on protecting PII data
• Protecting data on AWS cloud is easier with a host of security services at the organization's disposal
• Monitoring PII data access and storage can be achieved using a combination of AWS-native security services, AI services and third-party tools
• Compliance with industry standards is paramount to continue business and assure privacy to customers
• Building security foundations for AWS cloud is supported by an automated paradigm
• By minimizing storage and use of PII, enterprises can significantly reduce the risk of data breaches and misuse of data, and lower compliance costs