Is your company’s cloud ready for CCPA?

New Year’s resolutions aren’t the only thing you should be preparing for this time of year. On January 1st, 2023, CCPA will come into effect. The CCPA (California Consumer Privacy Act) is, in a way, California’s version of the EU’s GDPR, with the purpose of protecting PII / customer data.

While there are some differences between the two regulations (for example, CCPA protects ‘consumers’ while GDPR protects ‘data subjects’), their goals are similar – protecting the data that could identify people and holding businesses accountable when storing it or using it.

After some delays, CCPA is almost here, so you’d better start preparing. Even if your business is not located in California, CCPA applies if you’re doing business there. If you own, are owned by, or share branding with a company that the CCPA applies to, it might be applicable to you too.

For your business to comply with CCPA (or other similar regulations), you should have a good understanding of the type of data that you store, how it is stored, and who has access to it – should a customer ask to know more about it or ask to delete it.

While controlling data in large organizations is known to be a tough task, for organizations in the cloud it gets a little tougher. This is usually because more people have access to the infrastructure and because control over some workflows is lost.

For example, you could find dumps of your data in non-production environments because developers ran some tests and left them there. The security team doesn’t know the data is there, and therefore cannot guarantee that it’s well protected. If you don’t know it’s there, you can’t protect it, and you might therefore violate the regulatory requirements. Some people believe that if they are using the public cloud (AWS / Azure / GCP or others) they are protected and compliant, but this is far from the truth.

By now you’ve probably heard about the Shared Responsibility Model. It means that there are some things the cloud vendors are responsible for, like the hardware and the software that is used to run it. But you are responsible for how you use it and what it is used for.

So configurations, encryption and even patching the OS are some of your responsibilities. The basic principles of being compliant in the cloud are not very different from on-prem. We just need to make some adjustments as to how we become and remain compliant in the cloud.

Here’s a list of a few things you should check and ask, to feel more confident when CCPA comes into effect:

1. Where are my data resources? Where is my data stored?

“In the cloud” is not the correct answer. You’re probably managing several cloud accounts, with different users having access to various accounts, some of which are production while some are not. So where did you say the data was? Most cloud users don’t even know how many blob storage components they have.

To have a good answer to this question, you need to understand and control your inventory, data resources included.

How Solvo helps:
In the Solvo console, you can get a list of your data resources by type and per account. This way you can control any data resource one of your team members spun up.

If you want a general overview of the number of resources you own in the cloud, with data resources as a part of that, you can check out Solvo’s dashboard and look at the inventory section.
