The golden rules to solving data residency, sovereignty issues

By   ISBuzz Team
Writer , Information Security Buzz | Jul 22, 2013 01:41 am PST

The benefits of adopting cloud technologies have been widely reported and are commonly understood. However, cloud brings with it many questions and concerns about jurisdictional and regulatory control over the privacy and protection of sensitive data.

Data residency and sovereignty requirements often insist that certain types of sensitive and private data are stored where the government will have legal jurisdiction over it. More often than not, this means within its borders.

Addressing data residency, protection and privacy concerns requires an understanding of both international and domestic regulations. Companies that do business in Europe must understand the implications of regulations such as the European Data Protection Law, as well as local data mandates. The EU’s Data Protection Directive is an example of this, as it prohibits personal data that can be linked to an individual from moving outside the EU, sometimes even outside of a specific country’s borders.

Another instance occurs within the United States, where several states have applicable data protection and privacy laws and regulations.  Although these can vary widely, the intent is to ensure sensitive data is protected as it is managed and analysed within state, and can be secured from exposure across state boundaries.

Questions regarding privacy and compliance need to be answered: Which information can be collected? Where and how can data can be stored and transmitted? Which security practices must be applied? What to do in the event of a data breach?

These jurisdictional issues are proving a serious stumbling block for organisations that wish to store or process data in the cloud, as cloud providers could more than likely store, process or back up data across several global locations. Data residency is also particularly concerning for multinationals that have offices all over the world, covering several jurisdictions.

Another serious problem is the potential effect on the adoption of cloud computing generally, particularly on the adoption of hosted message and other services that lean heavily on storing personal data.  In fact a recent survey, conducted by Voltage at Infosecurity Europe, of 300 IT professionals  showed that more than half (56%) of the respondents admitted that security concerns have kept them from starting or finishing cloud or big data projects.

In fact, protecting data is an increasingly onerous task, and is time consuming and expensive. Every new approach to security is eventually met with an even more sophisticated attack from cyber criminals. Growing regulatory challenges and the growing sophistication of attacks have seen CSOs investing in multiple security disciplines in order to combat attacks and protect themselves.

In addition, protecting data grows increasingly complex when bearing in mind the trends of bring-your-own-device (BYOD), mobility, cloud-computing and big data. The flood of consumer devices that access both business and personal information has invaded the enterprise, delivering both value to the employee and company, but also introducing enormous risk.. Mobile devices such as tablets and smartphones are starting to overtake conventional technology, and organisations are mobilising functions from CRM and BI, to workflow that demand an effective data protection solution.

In order to stay ahead of the dynamic security and data residency regulations and to leverage the current market trends around cloud, big data and mobility, many organisations are adopting strategies such as having data centres in all countries in which they operate, as a of way keeping data confined within legal boundaries. However, this is woefully inadequate, as the data can still be accessed from anywhere in the world, while still not addressing data residency compliance. Not to mention the skyrocketing costs and overheads involved with housing multi data centres.

Another approach is to try and protect data by a single gateway process. The issue with this approach, however, is the impossible latency issues. As an example, companies have tried database-oriented tokenisation strategy, however this, and other single gateway approaches  are really a step backward, as they creates a need to sync vast data repositories across long path networks.

So how do CSOs avoid falling foul of legislation, when considering the myriad complex rules and regulations governing how data is used, stored or moved, whether on data centres, the cloud, or mobile devices?

One solution that skirts the issue of data residency, security and privacy at the same time, is data obfuscation, and one way of doing this is encrypting data at the source, and keeping it encrypted across its entire lifecycle. Doing this allows an organisation to migrate their data to the cloud, ensuring the data is completely protected at all times, and while being compliant with all sovereignty and residency requirements.

All organisations looking to adopt cloud solutions, whether private, public or hybrid cloud, should adopt data-centric strategies. Data-centric solutions protect data at the moment of creation, as it is used and moved across an enterprise, through the cloud, over mobile devices, and within big data environments. In this way, data remains not only protected but private, anywhere it moves, lives, and however it is used.

However, to be effective, businesses must keep it simple and consistent. A successful data-centric security approach can be applied to any type of data, and deployed across corporate systems. These criteria are vital, and relevant to all solutions, whether mainframes or mobile technologies, and regardless of whether they are deployed on-premise or on-demand.

There are ten critical data protection requirements that any company should consider:

1) Organisations must build security policies around the technologies they use. Bolt-on solutions are generally insufficient to meet company’s unique security requirements, and allow organisations to secure sensitive information at-rest and in-transit.

2) Businesses must recognise the reality of data lifecycle – data travels, among states and countries, users, within the value chain and outside it, and across different IT systems and end-user devices.

3) The technology and solutions used must be able to stand up to scrutiny, as without published proof of security, protected data is not necessarily as secure as the company believes. Moreover, unproven methods could mean violation of data security compliance requirements.

4) In addition, data protection solutions need to be scalable to meet business and it requirements, and architected to match the growth of the business and its data. Failing to do this could have a negative impact on the business.

5) Solutions must also have a low impact and a low total cost of ownership.  A company and its data protection solution’s success are largely dependent on ease of deployment and low cost of operation, which translate into faster time to production.

6) Simpler is better. The adoption and use of the technology can’t be too complex for the user, otherwise the technology won’t be utilized across the enterprise and risks will increase.

7) Structured and unstructured data must be secured, while providing access to the authorised parties as needed.

8) IT environments today are heterogeneous, with new technologies working alongside legacy systems. Data protection solutions need to work with all data types, across the entire IT infrastructure, without the need for extensive and complex re-engineering.

9) At the same time data protection solutions must be able to work the latest, cutting-edge technologies, including cloud and mobility, without rip-and-replace.

10) Data protection solutions have to support the existing compliance processes. Organisations have archiving and e-discovery processes that must not be disrupted due to compliance requirements. These processes must be enabled without wide and complex re-engineering.

A data-centric approach addresses all of these requirements by protecting data at the source. The best defence is after all, the best offence.  As data is captured, data-centric security steps in, obfuscating the data through encryption, tokenisation and masking. This renders it worthless to cyber criminals, and removes the risk of non-compliance, as the data is unreadable to outsiders, regardless of where it is stored.

About the Author:

VoltageDave Anderson | @Voltagesecurity | Voltage Security

Dave Anderson currently serves as the Senior Director for Voltage Security, where he is responsible for developing market strategy, delivering new technology solutions to market, and managing global campaigns and programs for Voltage’s data protection and encryption solutions. Prior to Voltage, Dave led marketing and program strategy for McAfee, SAP, and VeriSign.

Dave has 20 years of experience within business strategy, marketing, and product development at leading technology and services firms, including SAP, ArcSight/HP, KPMG, and VeriSign, and has worked extensively across Asia and Europe in delivering market and industry security solutions. His expertise focuses on strategy and planning, marketing, and operational governance.

Dave received his MBA from Duke University, the Fuqua School of Business in 2010. He has been published in multiple industry and technical journals, and is a frequent speaker on risk management, corporate governance, security, and strategy.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x