An essential part of protecting your data is knowing where it is all the time. Changes in privacy laws around the globe impact how you and your service providers manage your data. Stephen Lawton reports.
This editorial product was produced by the SC editorial team and underwritten by Informatica. It is part three of a four-part series.
The CISOs of multinational corporations with data centers outside the United States, or frankly anyone who engages a cloud provider for data storage, have probably asked themselves this question daily: Is my data safe? For businesses that are not bound by compliance regulations, the question is more about privacy and lawsuits than it is about violating government regulations and accruing non-compliance fines.
Government and industry regulations often dictate how and where data can be stored. This applies to companies that do business with cloud providers and to multinationals that have data centers in various countries. Knowing where your data is stored, and making sure that it is not leaking through vulnerabilities in the network, is one of those issues that CISOs say keep them up at night.
If your company has offices in the European Union or Canada, you likely are familiar with the regulations that restrict moving personal data outside the political borders where it was collected. United States laws governing responsibility for data management are causing some issues for US-based companies such as Microsoft, Apple, Google and others that own data centers around the world. Ultimately, however, the CISO and chief risk officer must find a way to meet both sets of compliance regulations.
One approach to overcoming this challenge, the 15-year-old "Safe Harbor" pact, recently was struck down by the European Court of Justice. Safe Harbor was used by some 4,500 companies to store personal data on both sides of the Atlantic without violating the European Union's strict privacy laws.
Safe Harbor, similar to most compliance rules and standards, provided a baseline by which CISOs operated, says Vikas Bhatia, CEO of the New York-based cyber security consultancy Kalki Consulting. Now that the EU court has overturned that rule, "it is recommended that CISOs perform a data mapping exercise in order to manage (and) maintain a data asset inventory. By using a risk-based approach and following standards such as ISO27001/2, they will be able to manage risks regardless of the geographic region, and likely exceed most compliance mandates in both the EU and the U.S.," he says.
Christopher Burgess, CEO of the Woodinville, Wash.-based security consultancy Prevendra and a 30-plus-year veteran of the Central Intelligence Agency, says that if a multinational company has user visits from the US and Europe, and the company is represented in or sells through a portal in a European country where the customers reside, the company must make sure that the data associated with the European accounts is stored in the EU.
"If you are an EU company with both U.S. and EU customers, you will either have to divide (your records) or relocate all to the EU," he adds.
Get proactive in protecting data
Compliance rules are just the tip of the data security iceberg. CISOs who use cloud providers to manage their data stores should be proactive in ensuring that the service providers are making every effort to protect the corporate data.
Auditing your cloud provider is an important component to ensuring your data is safe.
“You should have the conversation no less than once a year for the small to mid-size business, and the enterprise should be having a quarterly discussion (with their service provider),” says Burgess. “You want to be sure to keep an eye on their SOC-1 and 2 and the self-attestation contained in the SSAE-16 report.”
SSAE-16 is the Statement on Standards for Attestation Engagements No. 16 issued by the American Institute of Certified Public Accountants. It also established a new attestation standard, AT 801, that contains guidance for performing the service auditor's examination. SOC-1 is a report on the controls at a service organization that are relevant to its customers' financial reporting, while SOC-2 is a report that evaluates a company's information systems against the trust services criteria of security, availability, processing integrity, confidentiality and privacy.
Bhatia says that audits should be based on risk. "Organizations should include the right to audit for every vendor that processes sensitive data, including cloud providers," he says. Third-party security consulting firms can be used for such analysis, or the CISO can leverage resources provided by the Cloud Security Alliance or other industry organizations.
Every organization should start by conducting a benchmark assessment, Bhatia continues. Leveraging logging and monitoring products can help to identify anomalies, but "some of the biggest breaches of recent times have had these systems, which are nothing without the people or the processes that support them."
Additionally, he notes, regular vulnerability scans and penetration testing of your environment by a third party can help identify issues the company might not have recognized.
Internal testing also is essential, Burgess agrees. “Every system is different. For the SMB you can put a data loss protection (DLP) monitor on your pipe exiting your router and watch (for anomalies). For the enterprise or large SMBs you will want to bring in some more robust DLP tools,” he says.
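As an added illustration of the kind of check an egress DLP monitor performs (this is example code written for this page, not a product from Prevendra, Kalki Consulting or Informatica), the script below scans constructed outbound payloads for primary account numbers and for classification markers. The payload records, the marker keywords and the masking format are assumptions made for the example; the Luhn check is what separates a real card number from an order ID that merely looks like one.

```python
import re

# Constructed outbound payloads standing in for what a DLP sensor on the
# egress link would see; these are not captures from any real network.
SAMPLE_EGRESS = [
    {"src": "10.0.5.21", "dst": "203.0.113.9:443",
     "body": "Order 1234567812345678 shipped from warehouse B"},
    {"src": "10.0.5.40", "dst": "198.51.100.77:25",
     "body": "card 4111 1111 1111 1111 exp 12/27 cvv 123"},
    {"src": "10.0.7.3", "dst": "192.0.2.15:443",
     "body": "Q3 forecast attached. CONFIDENTIAL - internal only"},
    {"src": "10.0.5.21", "dst": "203.0.113.9:443", "body": "ping"},
]

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed document-classification labels the organisation stamps on files.
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "RESTRICTED")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order IDs and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the normalized digit strings in text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four so the alert itself does not leak the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_payload(body: str) -> list[str]:
    """Findings for one payload: masked PANs and any classification markers present."""
    findings = [f"pan:{mask_pan(d)}" for d in find_card_numbers(body)]
    findings += [f"marker:{m}" for m in CLASSIFICATION_MARKERS if m in body]
    return findings


def scan_egress(records: list[dict]) -> list[dict]:
    """Run the checks over each outbound record and return one alert per record with findings."""
    alerts = []
    for rec in records:
        findings = scan_payload(rec["body"])
        if findings:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_egress(SAMPLE_EGRESS):
        print(f"{alert['src']} -> {alert['dst']}: {', '.join(alert['findings'])}")
```

On the sample data only the second and third records raise alerts: the first record's 16-digit order number fails the Luhn check, which is the difference between a usable monitor and one that pages the on-call engineer for every shipping manifest. A production sensor would feed a real traffic tap or proxy log into `scan_egress` rather than a fixed list, and would add the patterns that matter for its own data (national ID formats, internal project codes), but the structure is the same.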
It all comes down to doing the basics, experts agree. If you use a third-party provider for storing or processing data, make sure you understand where its data centers are located, how it protects those centers, and what actions it takes on your behalf to ensure data security. Make sure you know about the provider's supply chain and who has access to your data. And for multinational companies, keep up with the latest court cases and laws, both domestically and internationally, to ensure your data remains in compliance. This way, even at 2 a.m., you will know where your data is.