The Snowden effect has caused the European Court of Justice (ECJ) to strike down Safe Harbor. This 15-year-old data transfer agreement between the EU and the U.S. allowed multinationals to store Europeans’ data in the U.S. if the companies agreed to comply with Europe’s data privacy laws.
This turn of events certainly causes operational angst for thousands of U.S. businesses that store data overseas. Tightening data privacy regulations carry potentially dire consequences for businesses that can’t quickly adapt.
In particular, the Safe Harbor ruling puts Cloud Service Providers (CSPs) in a tough spot as many of them depend on the framework, or closely related approaches, to do business in Europe as it acts as the mechanism to authorize them to store data on behalf of European companies.
This ruling will have a large impact on some corporations’ investment focus and their financial performance. For example, companies like CSPs may need to build new data centers in countries in which data must now reside, and in the meantime, it will impact their ability to sell services to entire regions if their lack of a local presence precludes them from complying with data privacy regulations.
As organizations aggressively push cloud adoption, it’s a given that more sensitive and regulated data is ending up in the hands of outside service providers and solutions like SaaS application systems. Organizations need actionable advice for instituting proactive means and mechanisms to ensure data privacy and regulatory compliance while they run the business – a significant piece of guidance that is lacking from the Safe Harbor legislation.
As a starting point, here are five tips for companies to control cloud data and access in light of the Safe Harbor ruling and evolving regulatory landscape:
Get visibility into Shadow IT
Today, almost every CIO is dealing with significant growth in Shadow IT. Shadow IT is hardware or software within an enterprise that was not procured through sanctioned approaches and is not supported by the organization’s central IT department.
The phrase often carries a negative connotation because it correctly implies that the IT department has not approved the technology or doesn’t even know that employees are using it. One of the biggest areas this impacts is cloud application adoption (apps like Box, Evernote, etc.).
The reality is that if CIOs aren’t seeing much Shadow IT cloud use within their organization, it usually means that they are not looking for it or are looking in the wrong place.
The growth of Shadow IT cloud adoption is a result of current changes in workplace culture, technology and the nature of modern day work. For example, the organizational demand from employees to access more applications to do their jobs is outstripping many IT teams’ capacity to meet the requirements.
At the same time, business users feel that it has become too complex to source business applications through traditional IT processes. The digital transformation occurring in our society also plays a role in the rise of Shadow IT as business users are drawn to new apps and many of the business stakeholders have a ‘let’s just do it’ mentality.
In order to ensure this form of enterprise cloud adoption is done in a controlled way, IT teams need to leverage the proper tools, such as a new category of solutions called Cloud Access Security Broker (CASB) offered by a selection of technology providers, to gain visibility into what Shadow IT is being used.
Gartner has written extensively on the importance of these CASB solutions for enterprises and has recently predicted that by year-end 2018, 50 percent of organizations with more than 2,500 employees will use a CASB product to control Cloud SaaS usage. Once IT teams have this insight, they can then put the proper tools in place that not only protect the business but also allow employees to continue working in a secure and compliant way in order to drive business results.
Tokenize data to ensure compliance with prevailing EU data privacy regulations
Tokenization is a process by which sensitive data fields, such as a patient’s medical information, are replaced with surrogate values called tokens. De-tokenization is the reverse process of redeeming a token for its associated original value.
While various approaches for creating tokens exist, frequently they are simply randomly generated values that have no mathematical relation to the original data field. This underlies the security of the approach – it is nearly impossible to determine the original value of a sensitive data field by only knowing the surrogate token value.
Since tokens have no mathematical relationship tying them back to the original clear text sensitive data, there is no possibility of back doors/trap doors.
Because tokens, unlike encrypted values, cannot be reversed back to their original values through the use of a cipher algorithm and a key, tokenization is a popular approach to solve market requirements associated with data residency, which are regulations specifying that certain data types need to remain within a defined geographic border. Data residency is a similar issue to the ECJ ruling on Safe Harbor, which is why many are looking to it as a potential solution to the Safe Harbor issue.
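The tokenization and de-tokenization steps described above, as an added example that is not part of the original article. The TokenVault class, the field names and the sample patient record are constructed for illustration; a production vault would be a hardened, access-controlled store kept inside the enterprise.

```python
import secrets

class TokenVault:
    """In-memory stand-in for an enterprise-held token vault (illustrative only)."""

    def __init__(self, token_bytes=16):
        self._token_bytes = token_bytes
        self._by_token = {}  # token -> original value; this map never leaves the enterprise
        self._by_value = {}  # original value -> token, so a repeated value reuses its token

    def tokenize(self, value):
        # Reusing the token keeps search and joins working in the cloud app,
        # at the cost of revealing which records share the same value.
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Random token: no key or algorithm links it back to the value.
            token = "tok_" + secrets.token_hex(self._token_bytes)
            if token not in self._by_token:  # retry on the (unlikely) collision
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        # Only a lookup in this vault can redeem a token.
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]

SENSITIVE_FIELDS = {"name", "diagnosis"}  # constructed policy: fields that must stay in region

def protect(record, vault, sensitive=SENSITIVE_FIELDS):
    """Replace sensitive fields with tokens before the record goes to the cloud provider."""
    return {k: vault.tokenize(v) if k in sensitive else v for k, v in record.items()}

def restore(record, vault, sensitive=SENSITIVE_FIELDS):
    """Redeem tokens for original values when the record comes back."""
    return {k: vault.detokenize(v) if k in sensitive else v for k, v in record.items()}

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record.
    patient = {"id": "1001", "name": "Erika Mustermann", "diagnosis": "asthma", "country": "DE"}
    outbound = protect(patient, vault)
    print("sent to cloud:", outbound)
    print("restored matches original:", restore(outbound, vault) == patient)
```

Because the mapping exists only in the vault, where that vault is hosted and who can query it determine whether the residency requirement is actually met.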
Leverage CSP’s local EU datacenters
For businesses operating in Europe, leveraging a CSP’s local EU datacenter makes a lot of sense; however, there are a few things to take into consideration. For example, enterprises need to determine where the data will reside – within the broader EU, within a specific country or within a specific state/province/region of a specific country. Knowing this information is critical when selecting the right data center location to store data.
Since CSPs often maintain the right to move data between datacenters, it is important to understand whether the CSP maintains this contractual right. Just because an enterprise’s primary data center is in the region or country they need it to be in, does not mean the back-up one is. It could be in another country or region altogether.
In addition, enterprises should have a clear understanding about whether or not other cloud apps will “dip into” their primary cloud’s datacenter. For example, a cloud that does complicated product pricing and quoting estimates may access data from another cloud service that manages customer information in order to perform its function.
Regardless of where the cloud provider’s datacenter sits, executives may also need to be concerned about the location and/or citizenship of the CSP’s employees that have access to the data. Some vertical business sectors, like defense-related manufacturing, frequently have additional restrictions placed on them about the citizenship of individuals that can access data.
If the cloud provider has employees located in various countries around the world that have access to data for routine maintenance and data hygiene purposes, make sure to understand data requirements carefully to avoid compliance and audit flags down the road.
Future proof IT environments and cloud infrastructures
The regulatory and data privacy landscape will continue to change, so future proofing IT and cloud infrastructure allows for flexibility to quickly adapt to evolving regulations. For example, enterprises can make sure they take steps to share data in an anonymized fashion and still make it usable within the business.
By parsing, anonymizing and encrypting data, insights can be gained and actions taken without violating individual privacy.
The Safe Harbor ruling in October is a perfect example of how the shifting sands of changing regulations work. Security and Compliance professionals went to bed on October 5th knowing they were in compliance, and then found themselves with a compliance problem by the afternoon of October 6th. And since then, the sands have shifted even more.
Many CSPs have pivoted to using Model Clause language as a means to show compliance with EU data privacy requirements, but many Compliance and Advisory firms, and now some Data Privacy Authorities in Europe, have weighed in since saying that the same issues cited in the ECJ’s ruling as the reasons why Safe Harbor was deemed inadequate also plague the Model Clause approach.
A quick search on the message boards of the International Association of Privacy Professionals (IAPP) reveals the extent of the issue and the depth of the challenge.
Instead of solely relying on mechanisms like the Model Clause, savvy executives are finding smart ways to use technologies to ensure that data deemed sensitive or regulated stays within their IT environment whenever possible. If it needs to be shared with third parties – like CSPs – they can anonymize it via tokenization or encryption to make sure only trusted authorized parties have the means to bring any sensitive or private information back into the clear.
Encryption best practices
Analyst firms like Gartner and associations like the Cloud Security Alliance have been clear in their best practice guidelines on securing data. For example, if enterprises are going to encrypt information, they need to use strong, well-vetted algorithms and ensure that their enterprise retains sole physical ownership of the encryption keys.
The same concept on ownership holds for tokenization – maintain sole ownership of the token vault that is used to unlock tokens and bring data back into the clear.
In addition, enterprises need to recognize data heading to the cloud as having a three-phase lifecycle: data in-transit to the cloud, data at-rest being stored in the cloud, and finally data in-use being processed in the cloud. As a result, if they are only using encryption solutions that protect data at-rest, their data is only protected for one third of its full lifecycle. Steps need to be taken to protect the other two-thirds of their data’s life.
This is especially important because these two areas, data in-motion and data in-use, are arguably the riskier portions of the lifecycle as many of the most famous hacks from the last five years stole data in these life-cycle phases. Enterprises treating incomplete data encryption as a panacea leave themselves at major risk of sensitive data exposure — especially as this data makes its way into the cloud.
The good news is that there are technologies that can be used to protect cloud data across all of its phases. For example, platforms exist that act as an encryption or tokenization point before data leaves the control of the enterprise and goes to the cloud provider.
The data itself – on the way to the cloud, while being stored in the cloud, and while being processed in the cloud – is always encrypted and protected and only the enterprise can bring the information back into useable form. These Cloud Data Protection products are part of the emerging CASB category and should be on every CIO’s list of technologies to consider for ensuring secure and compliant cloud adoption in their enterprises.