Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/6/2015
04:05 PM
Michael Fey
Michael Fey
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

What The EU’s Safe Harbor Ruling Means For Data Privacy In The Cloud

The European Court of Justice today struck down the 15-year-old data transfer agreement between the European Union and the US. Here's how to begin to prepare for the fallout.

The Snowden effect has caused the European Court of Justice to strike down a 15-year-old data transfer agreement, known as Safe Harbor, between the EU and the U.S. that allows multinationals to store Europeans’ data in the U.S. if the companies agree to comply with Europe’s data privacy laws. U.S. corporations with operations in Europe are paying close attention to the ruling, which was announced today, Tuesday, October 6.

This turn of events certainly causes operational angst for thousands of U.S. businesses that, for example, need to understand and act on global trends. Scrapping Safe Harbor restricts the free flow of data organizations rely on, in part, to do mission-critical analysis for business decision-making. While this decision immediately affects EU and companies doing business in EU countries, it will spread. Countries with either follow suit, or “retaliate,” so the expectation is that all companies should be prepared for this to become a much larger issue over time.

Tightening data privacy regulations carry potentially dire consequences for businesses that can’t quickly adapt. In particular, the Safe Harbor ruling puts Cloud Service Providers (CSPs) in a tough spot as they depend on the framework to do business in Europe, specifically using it to authorize them to store data on behalf of European companies and mobile application developers. This will have a large impact on investment and financial performance. Not only will companies need to build new data centers in countries in which data must now reside, but it will impact could providers’ ability to sell services to entire regions.

 As organizations aggressively push cloud adoption, it’s a given that more sensitive and regulated data is ending up in the hands of outside service providers and solutions like SaaS application systems. As a result, recent survey findings show most IT security professionals believe they don’t have full visibility into where all their organization’s sensitive data truly resides. When it comes to dealing with these types of data privacy and residency challenges facing multinationals, the advantage certainly falls to the infosec community and the vendors whose products and services can help businesses manage through regulatory changes like this Safe Harbor case.

Organizations need actionable advice for instituting proactive means and mechanisms to ensure data privacy and regulatory compliance while they run the business – a significant piece of guidance that is lacking from the Safe Harbor legislation. As a starting point, here are five tips for companies to control cloud data and access in light of the Safe Harbor ruling and evolving regulatory landscape:

  • Get visibility into exactly what data is moving outside of your network and where. Discover shadow clouds, inventory (potentially) sanctioned clouds, and determine where all the data centers are and which ones need to get compliant.
  • Take proactive steps to tokenize data to ensure compliance with prevailing EU data privacy regulations. Tokenization is considered by many to be the de facto standard to address data privacy and compliance since tokens have no mathematical relationship to the original clear text sensitive data and no possibility of back doors/trap doors.
  • Try to leverage CSP’s local EU datacenters where you can, but be mindful that Cloud providers often maintain the right to move data between datacenters, and your primary and back up datacenters may be located in different countries/regions.  
  • The regulatory and data privacy landscape will continue to change, so future proof your IT and cloud infrastructure to allow you the flexibility to quickly adapt to evolving regulations, for example, by parsing, anonymizing and encrypting data. As an enterprise, make sure you are taking responsibility for implementing ways to share data in an anonymized fashion that still allows you to get the insights you need without violating individual privacy specifications.
  • When encrypting data, sole physical encryption key ownership and custody are mandatory for data protection. Also make sure that your encryption approach ensures that data is protected in all three phases of the cloud data lifecycle: in transit, at rest and in use.

Michael Fey is Blue Coat's president and chief operating officer. With a proven track record in operational and go-to-market strategies, Fey is focused on driving revenue growth and further extending the reach of Blue Coat in the market. Reporting to Blue Coat CEO Greg Clark, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4662
PUBLISHED: 2020-08-14
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...