Risk

10/6/2015
04:05 PM
Michael Fey
Michael Fey
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

What The EUs Safe Harbor Ruling Means For Data Privacy In The Cloud

The European Court of Justice today struck down the 15-year-old data transfer agreement between the European Union and the US. Here's how to begin to prepare for the fallout.

The Snowden effect has caused the European Court of Justice to strike down a 15-year-old data transfer agreement, known as Safe Harbor, between the EU and the U.S. that allows multinationals to store Europeans’ data in the U.S. if the companies agree to comply with Europe’s data privacy laws. U.S. corporations with operations in Europe are paying close attention to the ruling, which was announced today, Tuesday, October 6.

This turn of events certainly causes operational angst for thousands of U.S. businesses that, for example, need to understand and act on global trends. Scrapping Safe Harbor restricts the free flow of data organizations rely on, in part, to do mission-critical analysis for business decision-making. While this decision immediately affects EU and companies doing business in EU countries, it will spread. Countries with either follow suit, or “retaliate,” so the expectation is that all companies should be prepared for this to become a much larger issue over time.

Tightening data privacy regulations carry potentially dire consequences for businesses that can’t quickly adapt. In particular, the Safe Harbor ruling puts Cloud Service Providers (CSPs) in a tough spot as they depend on the framework to do business in Europe, specifically using it to authorize them to store data on behalf of European companies and mobile application developers. This will have a large impact on investment and financial performance. Not only will companies need to build new data centers in countries in which data must now reside, but it will impact could providers’ ability to sell services to entire regions.

 As organizations aggressively push cloud adoption, it’s a given that more sensitive and regulated data is ending up in the hands of outside service providers and solutions like SaaS application systems. As a result, recent survey findings show most IT security professionals believe they don’t have full visibility into where all their organization’s sensitive data truly resides. When it comes to dealing with these types of data privacy and residency challenges facing multinationals, the advantage certainly falls to the infosec community and the vendors whose products and services can help businesses manage through regulatory changes like this Safe Harbor case.

Organizations need actionable advice for instituting proactive means and mechanisms to ensure data privacy and regulatory compliance while they run the business – a significant piece of guidance that is lacking from the Safe Harbor legislation. As a starting point, here are five tips for companies to control cloud data and access in light of the Safe Harbor ruling and evolving regulatory landscape:

  • Get visibility into exactly what data is moving outside of your network and where. Discover shadow clouds, inventory (potentially) sanctioned clouds, and determine where all the data centers are and which ones need to get compliant.
  • Take proactive steps to tokenize data to ensure compliance with prevailing EU data privacy regulations. Tokenization is considered by many to be the de facto standard to address data privacy and compliance since tokens have no mathematical relationship to the original clear text sensitive data and no possibility of back doors/trap doors.
  • Try to leverage CSP’s local EU datacenters where you can, but be mindful that Cloud providers often maintain the right to move data between datacenters, and your primary and back up datacenters may be located in different countries/regions.  
  • The regulatory and data privacy landscape will continue to change, so future proof your IT and cloud infrastructure to allow you the flexibility to quickly adapt to evolving regulations, for example, by parsing, anonymizing and encrypting data. As an enterprise, make sure you are taking responsibility for implementing ways to share data in an anonymized fashion that still allows you to get the insights you need without violating individual privacy specifications.
  • When encrypting data, sole physical encryption key ownership and custody are mandatory for data protection. Also make sure that your encryption approach ensures that data is protected in all three phases of the cloud data lifecycle: in transit, at rest and in use.

Michael Fey is Blue Coat's president and chief operating officer. With a proven track record in operational and go-to-market strategies, Fey is focused on driving revenue growth and further extending the reach of Blue Coat in the market. Reporting to Blue Coat CEO Greg Clark, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12959
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
CVE-2018-14336
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVE-2018-10620
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...
CVE-2018-14423
PUBLISHED: 2018-07-19
Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in lib/openjp3d/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).
CVE-2018-3857
PUBLISHED: 2018-07-19
An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain...