Saturday, June 17, 2023

The Problem With Borderless Data: How To Come Into Compliance

 


In today’s times, one of the biggest issue in Cyber is that of protecting data, especially those of customers, and employees.  These can also be referred to as Personal Identifiable Information (PII) datasets.  Just about every company, large and small, in Corporate America are always scrambling to figuring out the best ways to not only protect them, but also to make sure that they are not leaked out intentionally or not.

In this regard, many of these companies are also starting to realize than maintaining databases On Prem is probably not the best way to go in having databases.  So, the mass migration to the Cloud has begun, such as to the AWS or Azure. 

The primary reason for this is that these Cloud providers can offer customers the latest in cutting edge technologies when it comes to creating databases, as well as free tools when it comes to protecting them.

But best of all, when compared to an On Prem database, these solutions are a lot more affordable in terms of price, and it is up to the Cloud provider to keep your databases updated and secure.  But keep in mind that you are still 100% responsible for configuring any database that is deployed in the Cloud to your own security requirements.  That is not the duty of AWS or Azure.

But despite this, there still remains a large issue.  For example, what if a US based business also has offices, employees, and even customers in another country, such as the European Union?  Who owns this data, and most importantly, how will this business come into compliance with the data privacy laws for that particular country?

This is where some serious problems come in.  While once again, the Cloud is a great venue, the lines become extremely blurred as to how the data is geographically stored.  While AWS and Azure does give you a choice of the geographic area as to where you want to house your database, it is very general in nature. 

For instance, it will only ask you if you want to have it in Europe, Australia, a certain part of the US, etc.  You really do not know where the exact physical location of your database server is at.

The Cloud providers do this primarily because of security reasons, obviously.  But it is no help to the business, as they are trying to figure which data privacy law they need to come into compliance with. 

The most famous of these is the GDPR, and this was passed and enacted five years ago.  In fact, this law remains as the de facto standard, and it is from this, that many of the other data privacy laws have emerged, and as of today, there are well over 130 of them on a global basis.

Complicating this matter even more is that in order to get the most affordable price for their Cloud deployment, many companies often choose what is known as a “Shared Hosting Plan”. 

Although you will have the look and feel of your own server (you will get a dedicated control panel), the truth of the matter is that your virtual server is actually stored on one physical drive, which houses many other virtual servers, owned by other businesses (these are also known as “tenants”). 

So how do you know that there is no cross talk or spill over from one tenant to another?  There is no guarantee in this, and in this instance, you are left to the mercy of the Cloud provider to prevent this from happening.  So, while you may think your database is being hosted in Europe, how do you know which country it actually reside in? 

Once again, the Cloud providers are very elusive in providing this kind of information.  In the end, the business owner needs to know, so they will know which specific data privacy law affects them, and how they need to come into compliance with it as well.

Now while the Cloud can offer great cost savings upfront, the rest is made up by the business having to shell out huge amounts of money in order to make sure that they have implemented the right controls as mandated by the data privacy law to protect the datasets. 

But once again, if a business does not know at least the general vicinity of where their data is being stored, how will they know which law to follow?

One of the primary reasons why companies are in such a huge rush to come into compliance is not only the damage to brand reputation in case of a security breach, but also it is the fear of the audits.  For example, if a regulator from the GDPR decides to audit your controls, and finds that they are not adequate enough, the company in question can be fined as much as 4% of their entire gross revenue. 

Now, that is a huge chunk of change.

The most recent example of this is Meta, the famous parent company of Facebook.  They were fined a whopping $1.3 Billion because of not having the right controls in place to protect the PII datasets of the customers in the European Union.  More information about this can be found at the link below:

https://www.darkreading.com/endpoint/meta-hit-1-3b-record-breaking-fine-gdpr-violations

And guess which data privacy law the fine was imposed by?  Yep, you got it, the GDPR.  But now here comes a new problem:  The advent of both AI and ML.  For any kind of business, or no matter how large or small they might be, harnessing datasets can be a very time consuming and laborious task, if it is done by human beings. 

Of course, nobody has that kind of time.  So as a result, many businesses are now relying upon AI and ML to automate the processes of going through the datasets, and manipulating them to find any intelligence or unseen trends.

Because of this, not only does the storage of data becomes an issue but even where it is being processed becomes a whole different ballgame.  For example, what if a US business has the actual data stored in Germany, but the actual processing of it takes place in California? 

Now, they have to deal with two sets of data privacy laws, not only the GDPR, but also the CCPA.  This not only adds more confusion, but even more expense as the business tries to come into compliance with both sets of laws.

In the end, the technical term for all of this is “Borderless Data”.  For more insight into this, click on the link below:

http://cyberresources.solutions/Blogs/Borderless_Data.pdf

My Thoughts On This:

This of course is by no easy means to resolve.  Probably one of the best ways forward is for the Cloud provider to be more transparent to the Cloud tenants into the geographic location of where the databases are being hosted at.  This does not have to be public information, and the Cloud provider can (and should) disclose this to a trusted officer of the tenant. 

Another option would be to offer one location where all of the databases created and processing will take place.  For instance, if the business picks one datacenter in the US, at least they will have a much better idea of which data privacy law to follow. 

But for the time being, what makes this matter even worse is that each state is now coming up with their own data privacy laws, with different provisions attached to them.

So, this once again brings up the question of centralizing all Cyber efforts into one place, at least here in the United States. Is time now for the Department of Cybersecurity to do this?  It may very well happen.  Stay tuned. 

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...