To meet changing privacy regulations, regularly review data storage strategies, secure access to external networks, and deploy data plane security techniques.

Chad Tindel, Field CTO & VP of Worldwide Solution Architecture, ngrok

March 28, 2024

5 Min Read
Hand putting a block with the word "DATA" on it into a collection of other blocks with a picture of a padlock
Source: Andriy Popov via Alamy Stock Photo

COMMENTARY

In 2023, significant data privacy regulations and legislation unfolded at the federal, state, and international levels. The US Federal Trade Commission adopted a comprehensive approach to safeguarding health, biometric, and children's data; seven US states enacted privacy laws; and the European Commission adopted the EU-US Data Privacy Framework to regulate data flows from the European Union to the United States.

To meet these standards, enterprises must evaluate their data privacy policies and improve security where needed. This includes reviewing data storage strategies, securing access to external networks, and deploying data plane security techniques.

Review Data Storage Strategies

A strong data storage strategy involves two key elements: data retention and access control. Enterprises should establish data retention policies that store information for the shortest possible time: Retain data only as long as legally necessary and then discard it securely.

While many organizations choose to keep valuable data indefinitely, it is important to determine which data should be disposed of once the retention period ends. Noncritical or obsolete data that serves no purpose should be discarded to maintain data efficiently and declutter storage systems.

To effectively manage data retention, ask yourself if it is necessary to keep specific data and whether data should be anonymized to enhance security (even when it's not legally required). Answering these questions helps identify and eliminate outdated or redundant data, preventing faulty insights that may lead to biased decision-making. Regularly reviewing stored data can help you maintain responsible data retention practices.

Controlling how data is accessed and by whom is just as important as how it's stored. To prevent unauthorized access, implement the following best practices:

  • Enforce role-based access controls to identify, verify, and authorize users based on their organizational access levels.

  • Monitor and log data access, tracking who accesses what information and when.

  • Adhere to strong password policies and ensure that users never share credentials.

  • Implement least-privileged and just-in-time access.

  • Automatically revoke user permissions after task completion.

Organizations must continuously assess their storage strategies to maintain the integrity and security of stored data. Balancing the need for data retention with stringent access controls safeguards sensitive information and promotes trust and reliability in data management practices.

Secure Access to External Networks

Enterprises often need to grant data access to various software-as-a-service (SaaS) products to enhance data processing and analysis for informed decision-making. However, some may hesitate to do so out of concern for data security. To meet security and compliance standards, enterprises require both complete control over their data and a secure method for granting access to their network.

To address this issue, an architecture known as "bring your own cloud" (BYOC) has emerged. BYOC allows enterprises to deploy the data plane of a vendor's software stack within their environment. This removes the need to send data to a third-party vendor's cloud for processing, reducing your attack surface and keeping your data's security under your own control. Meanwhile, the control plane manages back-end services and operates within the vendor's cloud environment. To achieve a high level of security, it uses application programming interfaces (APIs) to establish secure connections to the BYOC data plane.

However, BYOC presents some challenges. Enterprises are often reluctant to open inbound ports and make configuration changes to virtual private networks (VPNs), virtual private cloud (VPC) peering, private link services, and firewalls to grant vendors access to the BYOC data plane on their networks. Such changes require thorough security reviews and approval from various stakeholders, including the enterprise's NetOps and SecOps teams, which often takes weeks to months to complete.

To simplify network access, vendors need to connect securely without requiring enterprises to change any network configurations. To help accomplish this, they need to define access to data planes with clear authentication policies, including mutual Transport Layer Security (mTLS), Internet protocol (IP) restrictions, OAuth, SAML, OpenID Connect, and JSON Web Token (JWT) authentication. And they must make sure enterprises restrict network access to authorized traffic from their environments.

Implement Data Plane Security Techniques

The data plane processes and forwards data packets within and between cloud environments. It efficiently manages packet forwarding, routing decisions, and data flow across the network to meet the demands of cloud applications. Strong security measures within the data plane are necessary to prevent data breaches and unauthorized access. Encryption, an intrusion detection system (IDS), and packet-level authentication (PLA) are three core security measures that help maintain data integrity and confidentiality in cloud networking.

Encryption is a core security measure that encodes data, making it accessible only to those with the correct encryption key. Encrypting data keeps it confidential during transmission within cloud networks and protects against unauthorized access attempts.

An IDS monitors network traffic and identifies potential threats by analyzing patterns and behaviors in network activity and promptly alerting administrators to suspicious activity. To perform this task, it can use predefined signatures to identify known patterns of malicious activity or anomaly detection to identify deviations from normal network behavior, enabling quick responses to protect data.

PLA uses public key cryptography to digitally sign large data flows, allowing nodes in the network to verify packet authenticity, even if they don't have a preestablished trust association with the sender. It prevents potential damage to the network by quickly detecting and discarding modified, delayed, or duplicated packets.

Meet Data Privacy Challenges Head-On

Complying with regulatory changes will remain a top priority for organizations as those regulations evolve. Gartner projects that by 2025, privacy regulations will extend to cover personal data for 75% of the global population. To adapt to this changing landscape, enterprises must take proactive measures to improve the security of their data. Using secure data storage strategies, strengthening access points to external networks, and implementing data plane security techniques can bring them into compliance and future-proof their data privacy efforts.

About the Author(s)

Chad Tindel

Field CTO & VP of Worldwide Solution Architecture, ngrok

Chad Tindel is the field CTO and VP of worldwide solution architecture at ngrok, the unified ingress platform for developers. He is a seasoned solution architect who has spent his career at leading companies, including Amazon, Elastic, MongoDB, and RedHat. Chad's expertise is multifaceted, encompassing customer engagement and technical pre-sales, with a strong foundation in operating systems, including notable contributions to the Linux kernel bonding driver. He has also played a key role in high-availability solutions, as evidenced by his architectural work on HP's Serviceguard product. Renowned for his technical acumen and unwavering dedication to innovation in the tech industry, Chad specializes in many domains, including cloud computing, high-availability distributed computing, application security, NoSQL databases, storage, analytics, and big data. Tune into his podcast, Can I get the software in blue?

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights