Last month Safe Harbor, a 15-year-old agreement between the U.S. and the E.U. governing data storage and transfer, was struck down. This ruling could mean trouble for thousands of businesses on both sides of the Atlantic that relied on this framework to transfer and store EU data in the U.S. One of the immediate areas where businesses will feel the impact of this decision is in cloud computing.
With the rapid adoption of cloud applications by European companies, the reality is that many of these cloud services are based in the U.S. or have large American data centers. When they subscribe to these services, EU enterprises may end up sending data on European users to cloud infrastructures back in the U.S. for processing and storage. Under Safe Harbor, that was allowed, but the Court’s decision reverses that, and compels organizations dependent on Safe Harbor to react.
For many companies, especially Cloud Service Providers (CSPs), this decision has created a great deal of unease. Their business model depends on the ability to store and process data on behalf of European companies. Not only will these providers need to build new data centers in the countries where data must now reside, but their ability to sell services to entire regions will be impaired until they are compliant.
Striking down the Safe Harbor law has forced many multinational organizations to find new ways to share data in order to do mission-critical analysis for business decision-making. Interestingly enough, a number of these providers have turned to model contract clauses as a way to navigate EU data privacy requirements when moving data across borders. In a similar fashion to Safe Harbor, the European Commission had approved these model contract clauses as a way for companies to safely and legally transfer personal data of European Union residents outside of the European Economic Area.
Unfortunately, these model clauses are likely not a long-term viable solution. In fact, many in the industry believe these will be the next in the line of fire, as the Snowden effect continues to put regulators on edge when it comes to data privacy and security. The Court of Justice of the European Communities (ECJ) ruling found the Safe Harbor agreement to be inadequate because of the issues that came to light in the Snowden revelations, and these same issues are likely to undermine the underpinnings of other data transfer mechanisms like the model clauses and Binding Corporate Rules (BCRs).
The permanent solution for these companies can’t be found in policy fixes alone. Instead, companies need to incorporate technology-enabled data security measures to move their business forward. This sort of technology-driven security and compliance approach has already proven to be an effective solution, when properly adhered to, in a number of highly regulated vertical industries. The examples below can help guide regulators and cloud service providers as they make adjustments to better manage data security and individuals’ privacy in the increasingly regulated global market.
The Health Insurance Portability and Accountability Act (HIPAA), in the healthcare industry, is a good example to examine. HIPAA requires healthcare organizations to maintain the confidentiality of electronic health information that can be linked to an individual patient (electronic Protected Health Information, or ePHI). Penalties and criminal enforcement of the HIPAA Security Rule were strengthened via several provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, requiring healthcare organizations to adopt appropriate safeguards to protect the confidentiality, integrity and availability of patients’ protected health information.
Encrypting ePHI is an acknowledged best practice for complying with the requirements of the HIPAA Security Rule and providing cloud privacy. In addition, the U.S. Department of Health and Human Services (HHS) issued regulations requiring health care providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached. This law ensures that covered entities and business associates are accountable to the Department and to individuals for properly safeguarding the private information entrusted to their care. However, if ePHI is already encrypted and a breach does occur, the enterprise does not need to go through the costly step of notification, since the information is not usable to the attackers in its encrypted form. This is a nice business benefit for the company’s efforts to properly secure information.
In the financial sector there are a number of regulations that exist to help protect individuals’ privacy and security. For example, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to establish standards for protecting the security and confidentiality of their customers’ non-public personal information. GLBA guidelines direct financial organizations to evaluate the use of encryption to secure electronic customer information while in transit or in storage.
Also, the Payment Card Industry Data Security Standard (PCI DSS) mandates specify the steps that organizations storing and processing payment card details need to take to secure and protect sensitive information. PCI DSS is a set of technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. The Council is responsible for managing the security standards, while the payment card brands enforce compliance. The standards include guidance around the use of encryption and tokenization technologies to secure data and apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions.
The FBI, collectively with other law enforcement officials, published new Criminal Justice Information System (CJIS) standards in order to address how CJIS information is accessed and shared across the country and the world. All organizations that access the CJIS database must institute specific standards, including what the FBI calls “Advanced Authentication”, which specifically entails the need for multiple security measures for anyone accessing or administering CJIS data. Other requirements include ensuring that any data moved outside of a secure facility is properly protected via encryption or tokenization at all times.
As organizations aggressively push cloud adoption, it’s a given that more sensitive and regulated data is ending up in the hands of outside service providers and solutions like SaaS applications. Organizations need actionable direction for instituting proactive means and mechanisms to ensure data privacy and regulatory compliance while they run the business – and an opportunity exists as Safe Harbor is being reworked to provide just this sort of guidance in any new regulations that are proposed.
One area that regulators need to explore as they think about a new data sharing framework in the context of the cloud age is a new category of solutions called Cloud Access Security Brokers (CASBs). CASBs are meant to address the data security and privacy issues that are uniquely associated with cloud adoption. The critical nature of the data compliance capabilities that these sorts of CASB solutions bring to enterprises is a key reason why Gartner recently published their belief that by year-end 2018, 50 percent of organizations with more than 2,500 employees will use a CASB product to control SaaS usage. It is my hope that these CASB technologies can, and will, play a critical role in the new framework for data sharing that the European Commission and the EU DPAs will construct. Here are a few recommendations for areas where they can help:
- Use CASB security technologies to gain visibility into exactly what data is moving outside of the network into cloud systems. Ensure enterprise IT teams have tools in place to discover shadow cloud usage in their environments and take steps to ensure that data going to these clouds is protected consistent with EU Data Privacy requirements.
- When required, take proactive steps to tokenize data heading to cloud environments to ensure compliance with prevailing EU data privacy regulations. Tokenization is considered by many to be the de facto standard for addressing data privacy and compliance regulations based on data residency requirements, since tokens have no mathematical relationship to the original clear text sensitive data and there is no possibility of back doors or trap doors.
- If encryption of data is specified (like in the US guidelines on HIPAA), EU-based enterprises should be required to maintain sole physical custody of all encryption keys used to maintain the privacy of information. In addition, make sure that any encryption approach ensures that data is protected in all three phases of the cloud data lifecycle: in-transit to the cloud, at-rest in the cloud and in-use in the cloud.
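As an added illustration of the tokenization recommendation above (this is example code written for this page, not code from the original article or from Blue Coat), the following Python sketch shows why a token carries no information about the value it stands in for. A random token is issued per sensitive value and the only link between the two is a mapping held in a vault that never leaves the data owner's custody; a consumer that receives only the tokenized record can match and count on the token but cannot reverse it, and there is no key from which the value could be derived. The `TokenVault` class, the helper functions and the sample customer record are all constructed for the example.

```python
import secrets
import string

# Constructed sample: a customer record as an EU enterprise might hold it.
# The name and IBAN are made up for this example and belong to no one.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "name": "Example Customer",
    "iban": "DE00123456780000000001",
    "country": "DE",
}

TOKEN_ALPHABET = string.ascii_uppercase + string.digits


class TokenVault:
    """Vault-based tokenization (hypothetical class, written for this example).

    Each sensitive value is replaced by a token drawn at random, independently
    of the value. The only link between token and value is the mapping kept in
    this object, which stays on the data owner's premises (e.g. inside the EU).
    Whatever is sent to the cloud carries the token, never the value.
    """

    def __init__(self, token_length=16):
        self._token_length = token_length
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Same value -> same token, so the cloud side can still match, join
        # and count records without ever seeing the cleartext.
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET)
                            for _ in range(self._token_length))
            if token not in self._token_to_value:  # guard against a collision
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Reversal needs the vault itself; the token contains nothing
        # from which the original value could be computed.
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token; not issued by this vault") from None


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of record with the listed fields replaced by tokens."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(vault, record, sensitive_fields):
    """Restore the cleartext fields; only possible where the vault lives."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def is_valid_token(token, token_length=16):
    """Cheap format check a cloud-side consumer can run without the vault."""
    return len(token) == token_length and all(c in TOKEN_ALPHABET for c in token)


if __name__ == "__main__":
    vault = TokenVault()
    outbound = tokenize_record(vault, SAMPLE_RECORD, ["iban"])
    print("sent to cloud:", outbound)
    print("restored on-premises:", detokenize_record(vault, outbound, ["iban"]))
```

Two properties matter for the residency argument: a second vault given the same IBAN issues an unrelated token, and a token presented to a vault that did not issue it cannot be resolved at all, which is what distinguishes tokenization from encryption under a shared key. A production vault would persist the mapping in an access-controlled store and audit every detokenize call.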
Looking at the situation today, some businesses, particularly those in more heavily regulated industries with strong existing data protection requirements, are well positioned to respond to the strict data protection rules that are on their way for the cloud. By implementing CASB solutions and technology-enabled data security measures, like those modeled in the healthcare and financial sectors, enterprises adopting cloud-based solutions will be able to take full advantage of the power of cloud-based solutions to drive their businesses forward while managing the unique data privacy and compliance challenges associated with the use of these systems.
Mike Fey Bio
Michael Fey is Blue Coat's president and chief operating officer. With a proven track record in operational and go-to-market strategies, Fey is focused on driving revenue growth and further extending the reach of Blue Coat in the market. Reporting to Blue Coat CEO Greg Clark, Fey is responsible for aligning the company's leading web security, encryption management, cloud offerings and advanced threat protection solutions with customer requirements. Additionally, he is responsible for field and customer-facing business operations.
Prior to joining Blue Coat, Fey was with the Intel Security Group serving as executive vice president, chief technology officer, and general manager of corporate products. In this role he drove the company's strategic vision and security innovation. Fey also managed business operations and strategy for corporate product business units at McAfee, part of Intel Security. Previously, Fey was senior vice president of advanced technologies and field engineering with McAfee, where he oversaw key corporate acquisitions and engagement with global customer executives and prospects to develop, build, and implement strategic security solutions.
An industry veteran, Fey has held leadership positions with Opsware, Mercury Interactive, and Lockheed-Martin. He graduated magna cum laude from Embry-Riddle Aeronautical University with a Bachelor of Science in engineering physics and a minor in mathematics.
Edited by Kyle Piscioniere