The emergence of the cloud as a data storage device for business has been a leading driver of the convergence of the privacy and security worlds, and Paul Milkman, senior vice president, head of technology risk management and information security at TD Bank is glad to see the two worlds finally colliding. The company manages its assets for security and privacy under a single common framework, despite the fact that there are myriad regulations to worry about.
During his keynote yesterday here at the IAPP Privacy Academy and CSA Congress, he told attendees working in both the privacy and cloud computing worlds that the cloud doesn’t change that approach.
The bank has about 24 million customers globally and operates in 50 or 60 jurisdictions. It owns its own data centers and all of its own applications and treats them as assets that must be managed. Those assets are subject to controls such as the Generally Accepted Privacy Principles (GAPP), the Personal Information Protection and Electronic Documents Act in Canada, a number of U.S. state regulations and the UK’s Financial Services Authority, as just a start. In the end, Milkman and his team comply with some 2,300 control statements: an impossibility if each business asset were to be looked at individually.
So the bank looks at all of its requirements as a subset of more general operational risk management: the controls it needs to have in place to support privacy, security, reporting accuracy, cloud service management and so on.
TD set up a council and began the work of reconciling the regulations’ language, adjusting wording in slight, nuanced ways so that a single control statement could apply broadly.
“If we saw something in GAPP and something in PCI-DSS that meant the same but used different words, we figured out what we would do to get them close enough to be a single statement,” Milkman said. “We built controls that said, for any one of these, you use exactly the same survey.”
TD had its business associates do the grunt work, and Milkman said they don’t mind doing it if they’re doing one assessment for each asset instead of 10.
“You can manage this as a single framework,” he said.
The problem you might run into is a language barrier, he added.
“The lawyer will call it something, the security person something else, the privacy person something else. You have to build a small team of people in any industry, whether it be government, the public sector, the private sector, where you can actually reconcile these controls against themselves,” he said. “If you do it in an automated fashion, across all assets, you know what the impact of a change in any one of those standards is.”
The bank applied the same logic to the cloud. It took the most general cloud definition and applied it broadly. After all, it’s a bank, he said. Its focus is on customer satisfaction and customer value. It’s worried about spending time on things that don’t help business, and if it spends its time and energy focusing on how to run its email system or core infrastructure, it’s losing focus on what its end goal is, Milkman said.
The shift in thinking for the cloud goes something like this: Ten years ago, we might have thought about protecting data in terms of building a castle with big walls, but the cloud doesn’t really allow for that kind of security. Now the workload could be anywhere in the world, so it becomes a telecom problem.
While that “fundamentally changes your mindset, it doesn’t change the framework,” Milkman said. “The assessment’s the same; the risks are the same; the controls are just different.”