At Orca, we have a particular way of talking about our approach to customers’ data privacy needs. 

We offer data privacy your way. 

Privacy remains top of mind for our customers and prospects—and rightfully so. The challenge of data protection continues to grow amid rising investments in cloud and an ever-expanding regulatory landscape. Data privacy is also drastically different from the days before cloud computing—when privacy considerations fit neatly within a well-defined security perimeter.  

In this post, I discuss five things to consider about privacy in planning for and implementing a cloud security solution. I also examine how Orca is forging a new path to ensure our customers gain the flexibility they need to thrive in the cloud confidently and securely. 

#1. Privacy in the cloud is unique

Let’s start with this fact: privacy in the cloud is much different from privacy in an on-premises environment. While both present challenges, the cloud requires more thought around how you manage, store, process, and transmit data. An on-premises environment operates according to Castle Doctrine, with a single well-defined perimeter to defend; the cloud operates according to dynamic conditions at both a macro and a micro scale. These conditions vary with the nature of your business, including how and where you operate, what markets you serve, and much more. 

Included in these conditions is your supply chain. For cloud computing, you’re far more likely to be navigating the challenges of using SaaS platforms for key security services. This adds a new variable and multiplies the complexity. You’ll need to consider how to verify that your vendor is trustworthy and takes appropriate care of your data. You’ll also need to define your requirements so you can understand what you can and cannot accept from working with one. 

#2. Maintaining privacy in the cloud requires flexibility

Once you understand how privacy works in the cloud, you can see that a one-size-fits-all approach won’t suffice. The nature of your business demands that you accommodate certain regulatory and cost constraints unique to you.

For example, operating in the European Union means you must comply with the General Data Protection Regulation (GDPR), which holds you to higher data privacy standards. Competing in highly regulated industries like healthcare, finance, or government also exposes you to more stringent requirements. Yet how you approach adhering to mandated standards depends partly on how you interpret them, and many interpretations are possible. It also depends on your cost sensitivity and appetite for risk.

Privacy is business-specific and your security vendor should accommodate you in this regard. That means they shouldn’t force you to accept more or less than you need from a service; instead, they should deliver what you require, how you want it—and at a reasonable price. 

#3. Orca offers three deployment options that deliver choice and flexibility

Privacy your way isn’t a catchline or slogan. At Orca, it means offering you a spectrum of privacy options where you can find the best choice from a cost, regulatory, and management perspective. 

We offer our customers three modes, or options, to deploy Orca. We allow you to combine modes if needed or switch from one to another as your circumstances change. We also ensure that all permissions are auditable and customizable. 

The three options are:

  • SaaS Mode: Most of our customers use SaaS mode to deploy and scale easily. We recommend it for most applications, as it’s easier to maintain and doesn’t incur the additional cost of hosting virtual machines (VMs) within your environment. In this mode, Orca’s scanning and backend are hosted in Orca’s cloud accounts. Our patented SideScanning™ technology takes snapshots of the block storage of all machines in your environment, reads them, and sends the resulting metadata to the Orca backend. The snapshots exist only for a short time before being deleted.
  • In-Account Mode: With this approach, Orca generates ephemeral scanners (VMs) that run inside your cloud service provider account. The scanners perform the same actions as they do in SaaS mode, but they are logically hosted inside your account. The dedicated scanner account processes the raw data (VMs, storage buckets, and so on) and sends only metadata to the Orca backend. The Orca backend then analyzes the metadata and correlates it to assets and alerts, producing a picture of the account’s security state. Our customers use this option to achieve a higher level of security and keep more data within their environment.
  • Bring Your Own Cloud (Private) Mode: In this mode, the backend and scanning run entirely in your accounts, and no data or metadata ever leaves them. This achieves the highest level of data security for government and large enterprises. Private mode enables organizations to run Orca in their own FedRAMP High environment, which several of our customers do today.

#4. Choosing the right deployment option

When interacting with our customers and prospects, I often encounter some variation of this question: How do I know which deployment mode is right for me? To find the answer, I find it helpful to walk through this decision tree:

  1. What’s my organizational risk for data (i.e., low, medium, or high)? 
  2. Am I running in the standard commercial cloud or a special cloud (e.g., AWS GovCloud)?
  3. What’s my cost sensitivity? 

For most organizations, the decision tree leads them to choose SaaS mode, which ensures their data privacy meets industry standards, maximizes cost efficiency, and optimizes ease of deployment and maintenance.

Customers who choose this route assure me they feel confident in our commitment to data privacy and security. Orca is compliant with numerous regulations and industry standards across the globe, including GDPR, ISO 27001, PCI-DSS, SOC 2, and much more. These are all verifiable via our Trust Center, where you can access audit reports, policies, and other documentation that provide full transparency into our security posture.

For some Orca customers, In-Account mode is the best option. Their compliance requirements prevent them from sharing snapshots with Orca’s cloud account, and this constraint outweighs the cost of hosting their own scanner account. We most often see this with customers subject to stringent frameworks such as GDPR, PCI-DSS, SOC 2, and HITRUST CSF.

And for some organizations, Private mode best meets their needs. These organizations maintain a significant number of workloads (i.e., tens of thousands) and shoulder deep regulatory burdens.

As you move from SaaS to Private mode, the cost burden naturally increases. At Orca, we continue to engineer efficiencies and optimize our cost-effectiveness regardless of the deployment method. Yet we can’t avoid the reality that the closer you move to a private tenant, the more it costs. 

#5. Vendor transparency is non-negotiable

At the time of writing this blog, Orca is the only CNAPP to publicly disclose its deployment modes and the specifics of how it helps you meet your privacy needs. Visit any of our competitors’ sites and you won’t find that information.

Why is that the case? In the age of cloud, when your data privacy depends on your security vendors, shouldn’t full transparency be a given? 

It should be. And without question.

Learn more about Orca’s commitment to data privacy 

If you want to learn more about our commitment to data privacy, or see how the Orca Cloud Security Platform can help you thrive in the cloud securely, schedule a personalized demo with one of our experts.