In today’s times, one of the biggest issue in Cyber is that
of protecting data, especially those of customers, and employees. These can also be referred to as Personal
Identifiable Information (PII) datasets.
Just about every company, large and small, in Corporate America are
always scrambling to figuring out the best ways to not only protect them, but
also to make sure that they are not leaked out intentionally or not.
In this regard, many of these companies are also starting to
realize than maintaining databases On Prem is probably not the best way to go
in having databases. So, the mass
migration to the Cloud has begun, such as to the AWS or Azure.
The primary reason for this is that these Cloud providers
can offer customers the latest in cutting edge technologies when it comes to
creating databases, as well as free tools when it comes to protecting them.
But best of all, when compared to an On Prem database, these
solutions are a lot more affordable in terms of price, and it is up to the
Cloud provider to keep your databases updated and secure. But keep in mind that you are still
100% responsible for configuring any database that is deployed in the Cloud to
your own security requirements.
That is not the duty of AWS or Azure.
But despite this, there still remains a large issue. For example, what if a US based business also
has offices, employees, and even customers in another country, such as the
European Union? Who owns this data, and
most importantly, how will this business come into compliance with the data
privacy laws for that particular country?
This is where some serious problems come in. While once again, the Cloud is a great venue,
the lines become extremely blurred as to how the data is geographically
stored. While AWS and Azure does give
you a choice of the geographic area as to where you want to house your
database, it is very general in nature.
For instance, it will only ask you if you want to have it in
Europe, Australia, a certain part of the US, etc. You really do not know where the exact
physical location of your database server is at.
The Cloud providers do this primarily because of security
reasons, obviously. But it is no help to
the business, as they are trying to figure which data privacy law they need to
come into compliance with.
The most famous of these is the GDPR, and this was passed
and enacted five years ago. In fact,
this law remains as the de facto standard, and it is from this, that many of
the other data privacy laws have emerged, and as of today, there are well over
130 of them on a global basis.
Complicating this matter even more is that in order to get
the most affordable price for their Cloud deployment, many companies often
choose what is known as a “Shared Hosting Plan”.
Although you will have the look and feel of your own server
(you will get a dedicated control panel), the truth of the matter is that your
virtual server is actually stored on one physical drive, which houses many
other virtual servers, owned by other businesses (these are also known as “tenants”).
So how do you know that there is no cross talk or spill over
from one tenant to another? There is no
guarantee in this, and in this instance, you are left to the mercy of the Cloud
provider to prevent this from happening.
So, while you may think your database is being hosted in Europe, how do
you know which country it actually reside in?
Once again, the Cloud providers are very elusive in
providing this kind of information. In
the end, the business owner needs to know, so they will know which specific
data privacy law affects them, and how they need to come into compliance with
it as well.
Now while the Cloud can offer great cost savings upfront,
the rest is made up by the business having to shell out huge amounts of money
in order to make sure that they have implemented the right controls as mandated
by the data privacy law to protect the datasets.
But once again, if a business does not know at least the
general vicinity of where their data is being stored, how will they know which
law to follow?
One of the primary reasons why companies are in such a huge
rush to come into compliance is not only the damage to brand reputation in case
of a security breach, but also it is the fear of the audits. For example, if a regulator from the GDPR decides
to audit your controls, and finds that they are not adequate enough, the
company in question can be fined as much as 4% of their entire gross
revenue.
Now, that is a huge chunk of change.
The most recent example of this is Meta, the famous parent
company of Facebook. They were fined a
whopping $1.3 Billion because of not having the right controls in place to
protect the PII datasets of the customers in the European Union. More information about this can be found at
the link below:
https://www.darkreading.com/endpoint/meta-hit-1-3b-record-breaking-fine-gdpr-violations
And guess which data privacy law the fine was imposed
by? Yep, you got it, the GDPR. But now here comes a new problem: The advent of both AI and ML. For any kind of business, or no matter how
large or small they might be, harnessing datasets can be a very time consuming
and laborious task, if it is done by human beings.
Of course, nobody has that kind of time. So as a result, many businesses are now
relying upon AI and ML to automate the processes of going through the datasets,
and manipulating them to find any intelligence or unseen trends.
Because of this, not only does the storage of data becomes
an issue but even where it is being processed becomes a whole different
ballgame. For example, what if a US
business has the actual data stored in Germany, but the actual processing of it
takes place in California?
Now, they have to deal with two sets of data privacy laws,
not only the GDPR, but also the CCPA.
This not only adds more confusion, but even more expense as the business
tries to come into compliance with both sets of laws.
In the end, the technical term for all of this is
“Borderless Data”. For more insight into
this, click on the link below:
http://cyberresources.solutions/Blogs/Borderless_Data.pdf
My Thoughts On This:
This of course is by no easy means to resolve. Probably one of the best ways forward is for
the Cloud provider to be more transparent to the Cloud tenants into the
geographic location of where the databases are being hosted at. This does not have to be public information,
and the Cloud provider can (and should) disclose this to a trusted officer of
the tenant.
Another option would be to offer one location where all of
the databases created and processing will take place. For instance, if the business picks one
datacenter in the US, at least they will have a much better idea of which data
privacy law to follow.
But for the time being, what makes this matter even worse is
that each state is now coming up with their own data privacy laws, with
different provisions attached to them.
So, this once again brings up the question of centralizing
all Cyber efforts into one place, at least here in the United States. Is time
now for the Department of Cybersecurity to do this? It may very well happen. Stay tuned.
No comments:
Post a Comment