Overcoming data residency issues
Dave Anderson looks at how organizations can overcome a common barrier to cloud computing adoption.
The benefits of adopting cloud technologies have been widely reported, and are commonly understood. However, the decision to adopt a cloud strategy brings with it many questions and concerns about jurisdictional and regulatory control over the privacy and protection of sensitive data. For instance, data residency and sovereignty requirements often insist that certain types of sensitive and private data are stored where the government will have legal jurisdiction over it. More often than not, this means within its borders. But the cloud allows providers to possibly store, process or back-up data across several global locations, as well as allowing organizations to freely move data outside of national borders. So, how does this impact compliance to data residency requirements?
Addressing data residency, protection and privacy concerns requires an understanding of both international and domestic regulations. Companies that do business in Europe must understand the implications of regulations such as the European Data Protection Law, as well as local data mandates. The EU’s Data Protection Directive is an example of this, as it prohibits personal data that can be linked to an individual from moving outside the EU, sometimes even outside of a specific country’s borders. Data residency is also particularly concerning for multi-nationals that have offices all over the world, covering several jurisdictions.
It's no wonder people are confused. In fact, in a survey my company conducted of nearly 300 IT professionals, 60 percent admitted that concerns over data residency kept them from putting data in the cloud. A possible reason for this hesitation is that a staggering 48 percent of survey respondents said that they didn't know which countries their data resided in once in the cloud, leading to uncertainty when it comes to complying with regulations. While 70 percent of people surveyed said that they were aware of data residency requirements or laws, an alarming 30 percent did not know and 23 percent believed they didn't abide by them- attesting to the fact that these jurisdictional issues are proving a serious stumbling block for organizations that wish to store or process data in the cloud.
And as protecting data becomes an increasingly onerous task, due largely to the fact that every new approach to security is eventually met with an even more sophisticated attack from cyber criminals, it can become time consuming and expensive. Therefore, questions regarding privacy and compliance must be addressed as data moves to the cloud: Which information can and cannot be collected? Where and how can data can be stored and transmitted? Which security practices must be applied? What to do in the event of a data breach?
In order to stay ahead of the dynamic security and data residency regulations and to leverage the current market trends around cloud, many organizations are adopting strategies such as having data centres/centers in all the countries they operate in as a of way keeping data confined within legal boundaries. However, this is woefully inadequate, as the data can still be accessed from anywhere in the world, while still not addressing data residency compliance. Not to mention the skyrocketing costs and overheads involved with housing multi data centres.
Another approach is to try and protect data by a single gateway process. The issue with this approach, however, is the impossible latency issues. As an example, companies have tried database-oriented tokenisation strategies; however this, and other single gateway approaches, are really a step backward as they create a need to sync vast data repositories across long path networks.
So how do CISOs avoid falling foul of legislation when considering the myriad of complex rules and regulations governing how data is used, stored or moved?
To remove any risk or doubt of non-compliance altogether, and stay ahead of security and data residency regulations in order to be able to take full advantage of cloud computing, organizations must employ a strategy that secures data directly at the source, rather than trying to implement point technologies to corral the data within a defined boundary. This 'data-centric' approach means that information is protected, whether through encryption, tokenisation or data masking, and therefore remains completely secured from the moment it is created throughout the entire data lifecycle. Even as the data moves into and across a cloud environment, it remains in a protected state and not “in the clear”. This means that data can now be securely moved into and throughout the cloud, while remaining in compliance with data residency and privacy requirements.
The simplest way to ensure compliance is to obfuscate data as it is captured, rendering it useless to cyber criminals and unreadable to outsiders, regardless of where it lives. Any sensitive information, including financials, customer and employee data or intellectual property, needs to be protected across the entire lifecycle and wherever it goes. Any loss or exposure of that data can result in compliance or regulatory fines, loss of brand reputation and a loss of privacy.
A successful data-centric security approach can be applied to any type of data, and deployed across corporate systems, and does not require the deployment of multiple point solutions which are difficult to integrate and still leave security gaps as data moves across and outside of the organization . These criteria are vital, and relevant to all solutions, whether mainframes or mobile technologies, and regardless of whether they are deployed on-premise or on-demand.
There are five critical data protection requirements that any company should consider:
1. Organizations must build security policies around the technologies they use. Individual, point solutions are generally insufficient to meet a company’s unique security requirements, and don’t allow organizations to secure sensitive information while at-rest and in-transit.
2. Businesses must recognise the reality of data lifecycle. Data travels across and outside of an organization, across borders and geographies to users internal and external to the organization. This reality requires a data protection program that supports the needs of how the business is using information today.
3. Data protection solutions need to be scalable to meet business and IT requirements and architected to match the growth of the business and its data.
4. Simpler is better. The adoption and use of the technology can’t be too complex for the user, otherwise the technology won’t be utilised across the enterprise and risks will increase. A data protection program that is too complex, or lacks usability, will not be fully and readily adopted across an enterprise, which could leave sensitive data exposed and the company at risk.
5. IT environments today are heterogeneous, with new technologies working alongside legacy systems. Data protection solutions need to work with all data types, both structured and unstructured, across the entire IT infrastructure, without the need for extensive and complex re-engineering of systems and applications that manage sensitive information.
By adopting a data-centric security strategy, companies can be confident in migrating to the cloud and leverage the associated business benefits, while removing any uncertainty around compliance with data residency and privacy requirements.
Dave Anderson is senior director, Voltage Security.
•Date: 25th October 2013 • World •Type: Article • Topic: Cloud computing