10/6/2015
04:05 PM
Michael Fey
Commentary
What The EU's Safe Harbor Ruling Means For Data Privacy In The Cloud

The European Court of Justice today struck down the 15-year-old data transfer agreement between the European Union and the US. Here's how to begin to prepare for the fallout.

The Snowden effect has led the European Court of Justice to strike down a 15-year-old data transfer agreement between the EU and the U.S., known as Safe Harbor, which allowed multinationals to store Europeans' data in the U.S. provided the companies agreed to comply with Europe's data privacy laws. U.S. corporations with operations in Europe are paying close attention to the ruling, which was announced today, Tuesday, October 6.

This turn of events certainly causes operational angst for thousands of U.S. businesses that, for example, need to understand and act on global trends. Scrapping Safe Harbor restricts the free flow of data that organizations rely on, in part, to do mission-critical analysis for business decision-making. While this decision immediately affects the EU and companies doing business in EU countries, its effects will spread. Other countries will either follow suit or "retaliate," so all companies should expect this to become a much larger issue over time.

Tightening data privacy regulations carry potentially dire consequences for businesses that can't quickly adapt. In particular, the Safe Harbor ruling puts Cloud Service Providers (CSPs) in a tough spot, because they depend on the framework to do business in Europe, specifically as the authorization to store data on behalf of European companies and mobile application developers. This will have a large impact on investment and financial performance. Not only will companies need to build new data centers in the countries in which data must now reside, but the ruling will also limit cloud providers' ability to sell services to entire regions.

As organizations aggressively push cloud adoption, it's a given that more sensitive and regulated data is ending up in the hands of outside service providers and SaaS applications. Not surprisingly, recent survey findings show that most IT security professionals believe they don't have full visibility into where all of their organization's sensitive data truly resides. When it comes to the data privacy and residency challenges facing multinationals, the advantage falls to the infosec community and to the vendors whose products and services can help businesses manage through regulatory changes like the Safe Harbor case.

Organizations need actionable advice on proactive means and mechanisms for ensuring data privacy and regulatory compliance while they run the business; that kind of operational guidance was never part of the Safe Harbor framework itself. As a starting point, here are five tips for controlling cloud data and access in light of the Safe Harbor ruling and the evolving regulatory landscape:

  • Get visibility into exactly what data is moving outside of your network and where it goes. Discover shadow clouds, inventory the (potentially) sanctioned clouds, and determine where all of the data centers are and which ones need to become compliant.
  • Take proactive steps to tokenize data to ensure compliance with prevailing EU data privacy regulations. Tokenization is widely regarded as the de facto standard for data privacy and compliance because a vault-issued token has no mathematical relationship to the original cleartext and no key that could carry a back door or trap door: the only path back to the sensitive value is the token vault. That makes the vault, and the mapping it holds, the asset whose location and access controls actually decide where the data resides, so keep it in-region and under your own control. Substitutes derived from the value itself (an unkeyed hash, for example) do not have this property and can be reversed by enumerating the input space.
  • Use CSPs' local EU data centers where you can, but be mindful that cloud providers often reserve the right to move data between data centers, and that your primary and backup data centers may sit in different countries or regions. Check the contract terms and the replication settings, not just the region you selected.
  • The regulatory and data privacy landscape will continue to change, so future-proof your IT and cloud infrastructure to give you the flexibility to adapt quickly to evolving regulations, for example by parsing, anonymizing and encrypting data. As an enterprise, take responsibility for implementing ways to share data in anonymized form that still yield the insights you need without violating individual privacy requirements.
  • When encrypting data, sole ownership and custody of the encryption keys, held by you rather than by the provider, is mandatory for data protection. Also make sure that your encryption approach protects data in all three phases of the cloud data lifecycle: in transit, at rest and in use.
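To make the tokenization point concrete, here is an added example (my own illustration, not code from the article or from Blue Coat) of a vault-based tokenizer beside an unkeyed-hash "token". The `TokenVault` class, the `pii-reader` role name and the sample customer record are all constructed for this demonstration. The vault issues random tokens that carry no information about the cleartext, only the vault can reverse them, and reversal is gated by authorization; the hash variant, by contrast, is recovered by simply enumerating plausible inputs.

```python
"""Vault-based tokenization versus hash "tokenization" (illustrative example).

A token is a random stand-in for a sensitive field. Because it is random, the
token itself reveals nothing; the vault holding the token-to-value mapping is
the only way back, which is why the vault's location and access control are
what matter for data residency.
"""
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Set


class TokenVault:
    """In-memory stand-in for a hardened, region-pinned token vault (assumed design)."""

    def __init__(self, token_bytes: int = 16) -> None:
        self._token_bytes = token_bytes
        self._by_token: Dict[str, str] = {}
        # Reuse the same token for a repeated value so analytics can still join on it.
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a random token for value, minting a new one on first sight."""
        if value in self._by_value:
            return self._by_value[value]
        while True:
            token = "tok_" + secrets.token_hex(self._token_bytes)  # independent of value
            if token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str, caller_roles: Set[str]) -> Optional[str]:
        """Reverse a token. Only the vault can do this, and only for authorized callers."""
        if "pii-reader" not in caller_roles:  # role name is an assumption of this example
            raise PermissionError("detokenize requires the pii-reader role")
        return self._by_token.get(token)


def hash_token(value: str) -> str:
    """What some systems mislabel a token: an unkeyed SHA-256 of the value.
    Deterministic and keyless, so anyone who can enumerate the input space can reverse it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_hash_token(hashed: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate until one matches."""
    for candidate in candidates:
        if hash_token(candidate) == hashed:
            return candidate
    return None


def demo() -> dict:
    vault = TokenVault()
    # Constructed sample record; not real personal data.
    record = {"customer_id": 4711,
              "email": "anna.schmidt@example.eu",
              "phone": "+49 30 123456"}
    sensitive = ("email", "phone")

    # What leaves the region: tokens in place of the sensitive fields.
    exported = {k: (vault.tokenize(v) if k in sensitive else v) for k, v in record.items()}
    # The same value tokenizes to the same token, so joins and counts still work offshore.
    same_token = vault.tokenize(record["email"]) == exported["email"]
    # Going back to cleartext happens only at the vault, under authorization.
    restored = vault.detokenize(exported["email"], {"pii-reader"})

    # Contrast: an unkeyed hash of a low-entropy field falls to enumeration.
    hashed_phone = hash_token(record["phone"])
    guesses = (f"+49 30 {n:06d}" for n in range(200_000))  # six-digit Berlin subscriber numbers
    recovered = reverse_hash_token(hashed_phone, guesses)

    return {"exported": exported, "same_token": same_token,
            "restored": restored, "hash_recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print("exported record:", result["exported"])
    print("restored via vault:", result["restored"])
    print("hash 'token' recovered by enumeration:", result["hash_recovered"])
```

The practical reading: once the export holds only tokens, the regulated data is wherever the vault is, so that is the component to keep in-region, back up carefully and audit for detokenize calls; and a hash of a phone number, national ID or e-mail address is not a token in this sense, because the 200,000-guess loop above recovers it in well under a second.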

Michael Fey is Blue Coat's president and chief operating officer. With a proven track record in operational and go-to-market strategies, Fey is focused on driving revenue growth and further extending the reach of Blue Coat in the market. Reporting to Blue Coat CEO Greg Clark, ...