Recent Data Breaches in Cloud Environments and Ensuring Data Security: Daily News Analysis

Date : 17/07/2023

Relevance: GS Paper 3: Internal Security- Cyber Security

Keywords: Cloud Security, COWIN, CERT-IN, Data Protection

Context-

  • A survey conducted in 2023 by Thales Cloud Security reveals that 35% of organizations in India experienced data breaches in cloud environments last year.
  • With 68% of businesses in India and 75% globally storing over 40% of sensitive data in the cloud, it is crucial to address the risks associated with cloud system misconfigurations and secure sensitive information effectively.

Cyber Threats: Serious Action needed

Data Protection: Safeguarding Information in the Digital Age

Data protection is the process of safeguarding important information from corruption, compromise, or loss. With the exponential growth of data creation and storage, ensuring data protection has become increasingly crucial.

The Need for Data Protection:

  • India has a significant online presence, with approximately 40 crore internet users and 25 crore social media users who spend a significant amount of time online. Data breaches in the country have become increasingly costly, with the average cost reaching Rs. 11.9 crore, a 7.9% increase from 2017. Additionally, the Supreme Court's decision in the KS Puttaswamy case recognized data privacy as a fundamental right under Article 21.
  • Given these factors, ensuring data protection in India is of paramount importance.

The following reasons highlight its significance:

  • Data Export: Many data storage companies are based abroad, including e-commerce companies that possess exabytes of data on Indian users. Exporting data to other jurisdictions makes it challenging to apply Indian laws to protect user data effectively.
  • Data Localization: Mandating data localization has faced resistance from private entities and their home governments. Numerous private players are involved in data dynamics, making it difficult to establish a uniform data protection framework.
  • User Consent: Applications often use pre-ticked boxes for consent when seeking users' acceptance of terms and conditions. This practice may not adequately ensure informed consent and control over personal data.
  • Privacy Breach: Identifying perpetrators involved in invading data privacy can be challenging, making it difficult to hold them accountable.
  • Privacy Laws: The usage and transfer of personal data are currently regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. However, these rules apply only to private entities and not government agencies, creating gaps in data protection.
  • Data Ownership: As per TRAI guidelines, individuals own their data, while collectors and data processors act as custodians subject to regulations.
  • Increasing Online Presence: As per the IAMAI's Digital in India report 2019, India has about 504 million active web users, making it the second-largest online market after China. This extensive online presence generates a significant amount of personal information that needs protection to avoid privacy infringements.
  • Profit and Privacy Concerns: Companies, governments, and political parties find value in collecting and analyzing personal data for profit and targeted advertising. However, this collection raises concerns about the invasion of privacy and the potential misuse of personal information.

Concerns with Data Protection:

  • Inhibition of Innovation: Excessive data security measures may create barriers that impede innovation and limit corporate development. Strict regulations may deter companies from exploring new technologies or data-driven solutions due to concerns about compliance and potential penalties.
  • Impediment to Public Services: Stringent data protection rules can hamper the delivery of public services, as seen in challenges faced during the implementation of the Aadhaar Act in India. Balancing data privacy with the efficient delivery of essential services requires careful consideration.
  • Increased Compliance Costs: Placing excessive emphasis on data security can lead to increased compliance expenses for businesses, as seen in the compliance costs associated with GDPR in the European Union. Small businesses, in particular, may struggle to bear the financial burden of stringent data protection requirements.
  • Reduced Competitiveness: Overly strict data protection measures may hinder the competitiveness of Indian enterprises, especially small businesses that may lack the resources to comply with complex regulations.
  • Hindrance to Data Utilization for Social Benefit: Strict data privacy rules may limit the use of data, such as Aadhaar data, for social benefit initiatives.
  • Impaired Data Sharing and Cooperation: Excessive data protection measures can hinder data sharing and cooperation between corporations and governments, limiting opportunities for collaborative research and development.

While data protection is essential, it is crucial to strike a balance between data security and fostering innovation and economic growth. Excessive data protection measures can inhibit innovation, impede public services, increase compliance costs, reduce competitiveness, hinder data utilization for social benefits, hamper data sharing and cooperation, restrict analytics, and increase bureaucracy. Finding the right balance requires comprehensive and flexible data protection frameworks that consider the needs of various stakeholders while ensuring individual privacy and promoting responsible data use.

Laws for Data Protection across the Globe:

European Union (EU):

  • General Data Protection Regulation (GDPR): The GDPR gives individuals control over their personal data and sets guidelines for data protection, including consent, data breach notifications, and data transfer regulations.

United States (US):

  • Sectoral Laws: The US has several sector-specific laws addressing digital privacy, such as the US Privacy Act of 1974 and the Gramm-Leach-Bliley Act.

Data Protection Initiatives in India:

  • Information Technology Act, 2000: This act provides safeguards against breaches related to data from computer systems, including provisions to prevent unauthorized use of computers, computer systems, and stored data.
  • Justice K. S. Puttaswamy (Retd) vs Union of India 2017: In August 2017, a nine-judge bench of the Supreme Court in Justice K. S. Puttaswamy (Retd) Vs Union of India unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.
  • B.N. Srikrishna Committee 2017: The government appointed a committee of experts for data protection under the chairmanship of Justice B.N. Srikrishna in August 2017, which submitted its report in July 2018 along with a draft Data Protection Bill. The report has a wide range of recommendations to strengthen privacy law in India, including restrictions on the processing and collection of data, a Data Protection Authority, the right to be forgotten, data localization, etc.
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: IT Rules (2021) mandate social media platforms to exercise greater diligence with respect to the content on their platforms.
  • Proposal of the ‘Digital India Act’, 2023 to replace the IT Act, 2000: The IT Act was originally designed only to protect e-commerce transactions and define cybercrime offenses; it did not deal adequately with the nuances of the current cybersecurity landscape, nor did it address data privacy rights. The new Digital India Act is envisaged as a catalyst for the Indian economy, enabling more innovation and more startups while protecting the citizens of India in terms of safety, trust, and accountability.

Personal Data Protection Bill, 2019:

  • Background: In response to the Supreme Court's recognition of the right to privacy as a fundamental right, the government appointed the Justice B.N. Srikrishna Committee to propose data protection legislation.
  • Objectives: The Personal Data Protection Bill aims to protect the privacy of individuals regarding their personal data and establish a Data Protection Authority of India for enforcement.
  • Concerns: There are concerns regarding the exemptions granted to the government, allowing the processing of sensitive personal data without explicit permission from data principals.

Way Forward:

  • Robust Data Protection Regime: In the digital age, data regulation is crucial. India should establish a strong data protection regime to safeguard individual rights and privacy.
  • Reformulating the Personal Data Protection Bill, 2019: The bill needs to be reviewed and modified to focus on user rights and privacy, with the establishment of a privacy commission for enforcement.
  • Balancing Privacy and Right to Information: The government should respect citizens' privacy while also strengthening the right to information.
  • Addressing Technological Advancements: Considering the rapid technological advancements, the data protection laws should be adaptable to avoid becoming outdated.

In an era where data is a valuable resource, ensuring its protection is of utmost importance. Countries worldwide have implemented data protection laws, such as the GDPR in the EU and sectoral laws in the US. In India, the Personal Data Protection Bill, 2019, aims to safeguard personal data, although concerns regarding exemptions need to be addressed. To ensure effective data protection, it is crucial to strike a balance between user privacy and the right to information while keeping up with technological advancements.

Recent Examples of Data Breaches in Cloud Environments:

1. CoWIN Portal Data Leak:

  • In June, the personal data of Indian citizens who registered with the CoWIN portal was allegedly exposed on the messaging platform Telegram.
  • The Indian Health Ministry denied the data leak but initiated a review of the portal's security infrastructure by CERT-In.

2. myrocket.co HR Management Portal:

  • In January, the personal information of employees and job candidates was allegedly exposed through the HR management portal myrocket.co.

3. ICICI Bank and Leverage EDU:

  • In separate incidents in April and May, data breaches allegedly occurred at ICICI Bank and the university admission platform Leverage EDU.

Risks Associated with Cloud Storage:

1. Incompatible Legacy Systems:

  • Legacy IT systems with known vulnerabilities can be targeted by hackers to gain unauthorized access to cloud resources connected to these systems.
  • Inadequate support for advanced encryption techniques increases risks to cloud infrastructure.

2. Weak Authentication Practices:

  • The use of weak authentication practices and easily guessable passwords can allow unauthorized individuals to access sensitive data.

3. Insecure APIs and Inadequate Security Controls:

  • Insecure APIs and poorly designed or inadequate security controls can expose cloud-stored data to risks.

System Misconfigurations and Data Security:

1. Understanding System Misconfigurations:

  • System misconfigurations occur due to insufficient security configurations on devices accessing cloud data and servers or weaknesses in the software used.
  • Misconfigurations can lead to unauthorized access and compromise data security.

2. Ensuring Data Protection in the Cloud:

  • Companies are responsible for ensuring data security even when granting access to vendors and partners.
  • Key measures include thorough vendor assessments, compliance checks, two-factor authentication, access monitoring, data encryption, and firewall rules.

Data Migration Risks in the Cloud:

1. Risks Associated with Cloud Provider Switching:

  • Switching cloud providers without a proper migration plan and assessment can expose data to potential breaches.

2. Data Encryption and Backups:

  • Data should be encrypted during transit and proper backups should be maintained to enhance data security during migration.

Keeping User Data Safe:

1. User Actions after Data Breaches:

  • Users should change passwords, enable two-factor authentication, update security question answers, and monitor accounts for unauthorized activities.

2. Lifespan of Exposed Data:

  • Financial data exposed in breaches has a short lifespan, while personally identifiable data can have a longer lifespan on the dark web for potential illicit activities.

Conclusion:

To mitigate the risks of data breaches in cloud environments, it is crucial to address system misconfigurations, implement strong authentication practices, and ensure proper data encryption and security controls. Companies should take responsibility for data protection in the cloud and conduct thorough assessments when migrating data or switching cloud providers. Users should remain vigilant, follow security best practices, and promptly respond to potential breaches to safeguard their data.

Probable Questions for UPSC main exam-

  1. In the context of increasing data breaches in cloud environments, discuss the risks associated with system misconfigurations and inadequate data security measures. What steps should organizations take to ensure effective data protection in the cloud? (10 Marks, 150 Words)
  2. Excessive data protection measures have been argued to hinder innovation and impose compliance burdens on businesses. How can countries like India strike a balance between data security and fostering innovation in the digital economy? Discuss the potential drawbacks of overly strict data protection regulations and propose measures to achieve a harmonious approach. (15 Marks, 250 Words)

Source - The Hindu