In the first use case of this series, Stay in Control of Your Data with a Secure and Compliant Sovereign Cloud, we looked at what data sovereignty is, why it’s important, and how sovereign clouds solve for jurisdictional control issues. Now let’s take a closer look at how data privacy and sovereignty regulations are driving security, privacy, and compliance.

Data Privacy and Security

The EU’s GDPR has formed the basis of data privacy regulations not just in the EU but around the world. A key principle of the regulation is the secure processing of personal data. The UK GDPR states that security measures must ensure the confidentiality, integrity, and availability of data (the CIA triad of information security) and protect against accidental loss, destruction, or damage.1

Restricting access to sensitive and restricted data is a crucial aspect of data security, along with ensuring trust and flexibility for portability needs. 

Sovereign clouds are built on an enterprise-grade platform and customized by partners to meet local data protection laws, regulations, and requirements. Locally attested providers use advanced security controls to secure applications and data in the cloud against evolving attack vectors, ensuring compliance with data regulation laws and requirements to safeguard the most sensitive data and workloads.

Workloads that handle protected data should be micro-segmented with zero-trust enforcement, so that they cannot communicate with each other unless the flow has been explicitly authorized, and the data should be encrypted at rest and in transit with keys held inside the jurisdiction, so that a copy obtained by a foreign party is unreadable. A multi-layered security approach secures data and applications in the sovereign cloud, keeping them safe from loss, destruction, or damage.

Sovereignty and Compliance

Data residency – the physical location where data (and its metadata) is stored and processed – is a key aspect of data privacy and sovereignty regulations. Data residency laws require a company to operate in a country and to store and process that country’s data within its borders, often as a regulatory or compliance requirement. For companies that hold customer data in multiple countries, keeping every copy both secure and in the right place becomes a challenge. A sovereign cloud helps minimize that risk and offers the more robust controls and trusted endpoints needed to keep data secure and compliant.

In addition, data residency requirements continue to evolve and vary by country or region. Multi-national companies frequently rely on in-country compliance experts to help ensure they’re following the latest rules correctly and to avoid significant fines and legal action. 
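The part of a residency rule that is easy to miss is that it applies to every copy of the data, not only the primary one: replicas, backups, and the audit logs and metadata that describe it. The following is an added example, not code from VMware or from the original article; the inventory fields, region names and the region-to-jurisdiction mapping are assumptions constructed for the demo. It walks every location a dataset lands in and reports the copies that leave the required jurisdiction.

```python
"""Check every copy of a dataset (primary, replicas, backups, logs) against a
residency requirement. Added example; inventory format is a demo assumption."""
from dataclasses import dataclass, field

# Assumed mapping from provider region to legal jurisdiction. In practice this
# comes from the provider's documentation and a legal review, not a guess.
REGION_JURISDICTION = {
    "de-fra-1": "DE", "de-ber-1": "DE",
    "fr-par-1": "FR",
    "us-east-1": "US",
}


@dataclass
class DataAsset:
    name: str
    jurisdiction: str                      # where the law says this data must stay
    primary_region: str
    replica_regions: list = field(default_factory=list)
    backup_regions: list = field(default_factory=list)
    log_regions: list = field(default_factory=list)   # audit logs, telemetry, metadata


def residency_violations(asset: DataAsset) -> list[str]:
    """Return human-readable violations for one asset; an empty list means compliant."""
    problems = []
    locations = (
        [("primary", asset.primary_region)]
        + [("replica", r) for r in asset.replica_regions]
        + [("backup", r) for r in asset.backup_regions]
        + [("log/metadata", r) for r in asset.log_regions]
    )
    for kind, region in locations:
        juris = REGION_JURISDICTION.get(region)
        if juris is None:
            # Unknown region: treat as a finding rather than silently passing it.
            problems.append(f"{asset.name}: {kind} region {region!r} has no known jurisdiction")
        elif juris != asset.jurisdiction:
            problems.append(f"{asset.name}: {kind} copy in {region} ({juris}) leaves {asset.jurisdiction}")
    return problems


def audit(assets) -> dict[str, list[str]]:
    """Map each asset name to its list of violations."""
    return {a.name: residency_violations(a) for a in assets}


# Constructed sample inventory for the demo.
SAMPLE_ASSETS = [
    DataAsset("patient-records", "DE", "de-fra-1",
              replica_regions=["de-ber-1"], backup_regions=["de-ber-1"], log_regions=["de-fra-1"]),
    # Primary copy is compliant, but a backup and the audit logs drift abroad.
    DataAsset("customer-kyc", "DE", "de-fra-1",
              replica_regions=["de-ber-1"], backup_regions=["fr-par-1"], log_regions=["us-east-1"]),
]

if __name__ == "__main__":
    for name, probs in audit(SAMPLE_ASSETS).items():
        print(name, "OK" if not probs else "\n  " + "\n  ".join(probs))
```

Run against a real inventory, the interesting output is almost always in the backup and log rows: the primary bucket was chosen with residency in mind, the cross-region backup policy and the central logging pipeline often were not.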

With VMware, we provide best-in-class enterprise-grade cloud, security, and compliance solutions that provide the ultimate platform for data choice and control.

“A law can change, and it can change your entire way of doing business,” one Fortune 500 CISO said.2  And with the ever-changing geopolitical landscape, platform flexibility is needed to minimize risk with self-attested, trusted code. VMware provides simpler lift-and-shift portability and interoperability, as well as greater compliance with local laws and regulations.

Faced with changing regulations, it’s not surprising that compliance is a top cloud challenge according to 76% of organizations.3  One reason is a lack of skilled personnel. A recent survey from ISACA found that 50% of respondents said they experienced skills gaps in compliance laws and regulations, as well as in compliance frameworks and controls. Another 46% are dealing with a gap in privacy-related technology expertise.4

With these challenges, it’s not surprising that 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.5  Some have moved data back on-premises, whereas others are using hybrid cloud architectures. 

With VMware Sovereign Cloud, solutions are provided by locally attested partners who deliver full-service sovereign solutions and take responsibility for implementing and configuring the required compliance controls. Sovereign cloud meets data residency requirements with local data centers that hold all regulated data, including metadata, and a flexible cloud architecture together with knowledgeable local experts lets you respond faster to data privacy rule changes, security threats, and geopolitical shifts.

Learn more about VMware Sovereign Cloud:

Download the Security and Compliance 1 pager

Watch the Sovereign Cloud Overview video  

Find and connect with a Sovereign Cloud Provider in your region

Join the conversation on Sovereign Cloud on LinkedIn

Next, we’ll explore data access and integrity, and how that can ignite innovation.

Sources:
1. UK Information Commissioner’s Office, Guide to the General Data Protection Regulation (GDPR): Security, accessed June 2022
2. CSO, Data residency laws pushing companies toward residency as a service, January 2022
3. Flexera, 2022 State of the Cloud Report
4. ISACA, Privacy in Practice 2022, March 2022
5. IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021


More countries are adopting laws designed to protect the privacy of citizens and local entities by defining how data can be securely collected, stored, and used. Many organisations are re-evaluating how to comply with the changing geo-political landscape and privacy/security regulations, which requires defining some relevant concepts:

Digital sovereignty – the ability to have full control over your own digital destiny: the data, hardware, and software that you rely on and create.1 In other words, individuals and organisations own their own data and control its use.

Data residency – the physical and geographic location where data and meta-data is stored and processed.

Data sovereignty – data is subject to the privacy laws and governance structures within the nation or jurisdiction where data is collected, stored, processed, and used.

Jurisdiction – a legal authority over data centers and clouds aligned to national standards and supported by national government.

Data sovereignty laws are designed to protect the personal data of citizens or residents by controlling who can potentially have access. This keeps any sensitive data out of the hands of other countries and jurisdictions.

For example, the New York Times reports an executive order is in progress that is meant to prevent countries like China from gaining access to US data. Two other countries require that data on their citizens remain only within national borders.

To ensure data sovereignty, rules may require that all related data, such as metadata, also resides locally. But the location of data alone isn’t enough to ensure that it is subject only to the local legal jurisdiction. Enterprises operating outside the US, especially in the EU and other regions, are extremely concerned about the reach of the US CLOUD Act. The 2018 US CLOUD Act allows US federal law enforcement to compel US-based technology companies to produce requested data held on their servers, regardless of whether the data is stored in the US or on foreign soil.

That means using a US-based public cloud provider for sensitive data may make it impossible, or at least unsuitable, to comply with local data sovereignty requirements. The Centre for European Policy Studies (CEPS) estimated that 92% of the Western world’s data is currently stored in the US, and over 100 countries now have data sovereignty laws.

The European Union’s General Data Protection Regulation (GDPR) has inspired similar regulations in other jurisdictions. GDPR requires all businesses who operate in or have customers in the EU to change how they collect, handle, and store personal data.

With the ever-changing landscape of data protection laws, the increased risk of data breaches and evolving attack vectors there is growing concern about sensitive national, corporate, and personal data being subject to the control of foreign authorities and companies.

Organisations that run afoul of these laws risk fines or lawsuits. As of May 2022, over 900 fines have been issued for GDPR violations, the largest of which topped $877m (€746m). The penalty for noncompliance can be steep, with fines of up to €20m or 4% of worldwide turnover from the prior financial year, whichever is higher.

Alongside protecting the way in which personal data is secured and used, many data sovereignty laws also restrict where data can go. For example, lawmakers in India are debating what types of citizen data are allowed to leave the country’s borders. This has caused issues for some multi-national companies that are unable to transmit data outside of a local jurisdiction. It can also impact international trade if data-sharing treaties between countries aren’t negotiated.

The effort to protect data as a new strategic asset is creating a clear need for sovereign clouds to secure and use data sensibly.

Customers want all the benefits of cloud but also need to meet the rapidly growing and changing data privacy laws while organisations need to protect data in the cloud against evolving cyberattacks.

As these laws impact business operations, organisations are seeking better ways to comply with data sovereignty laws and mitigate compliance risks. They need a way to store and process data locally and securely using a platform that is free from outside interference.

As a result of all this, the need for carefully architected sovereign clouds has gone mainstream and VMware is powerfully positioned to expand its multi-cloud strategy with VMware Sovereign Cloud.

The benefits of VMware Sovereign Cloud

A common benefit of sovereign clouds for cloud providers and customers is compliance. Cloud providers can obtain compliance with local regulations and their appropriate jurisdiction through the construction of sovereign clouds. Customers gain the assurance their privacy is maintained, and their data is stored, secured, and protected in their specific jurisdiction, by a partner with oversight and expertise in local laws and regulations.

Sovereign cloud providers can also accelerate local business growth by securely expanding into government data and developing a national capability for digital infrastructure and resilience. As the data economy becomes a vital national interest, sovereign states need a digital capability that prevents them from becoming dependent on foreign powers and operators for processing their own data.

VMware Sovereign Cloud providers can help customers fully unlock the true value of protecting their national, corporate, and personal data by ensuring:

ALL data (customer data and meta data) remains on sovereign soil

Compliance with established and constantly changing privacy laws

Autonomy with digital suppliers to guarantee continuity of digital services

All customer information is managed appropriately and protected from foreign access

VMware Sovereign Cloud providers offer a cloud service that is designed specifically to meet data sovereignty requirements. It provides flexibility and scale for data storage and processing while complying with residency and sovereignty requirements.

Find out more with the Sovereign Cloud Solution Brief or locate a VMware Sovereign Cloud provider today.


One of the most important components of data privacy and security is being compliant with the regulations that call for the protection of information.

Regulators want to see transparency and controllability within organizations, because that is what makes them trustworthy from a data privacy and security standpoint. Ideally, organizations will deploy systems that provide compelling evidence to support their claims that they are meeting their requirements to deliver the protection and performance needed by stakeholders.

Protecting data from theft and improper use has long been the domain of cybersecurity and IT executives. But today, this is really a concern for the entire C-suite and, in many cases, the board of directors, all of whom are well aware of the repercussions of a data breach and failing to comply with regulations.

There is simply too much at risk when companies don’t ensure a level of control and trust in how they handle data. This is the case because of several converging trends:

The ongoing growth in the volume of business data, including a huge amount of information about customers and employees — much of it personal and personally identifiable.

The importance this data holds from a strategic standpoint. Companies rely on the insights they gain from analyzing market data to provide a competitive advantage.

An ever-expanding threat landscape, with increasingly sophisticated and well-financed cybercriminals going after this data for profit.

A disappearing enterprise “perimeter” with the increase in cloud services, remote work and mobile devices used by employees in various locations. The idea of a fixed perimeter protected by a firewall no longer applies to most organizations.

In the midst of all this is the increase in government regulations designed to hold organizations accountable for how they gather, store, share and use data. An organization that fails to comply with such regulations can face stiff fines and other penalties, as well as negative publicity and damage to its brand.

Gaining trust and control

One of the challenges with establishing control and trust with data is a lack of visibility regarding the data: where it resides, who has access to it, how it is being used, etc. Organizations need to know their level of risk and how risk can be mitigated, as well as their level of progress in enhancing data security and privacy.

Endpoint devices present a particularly high level of cyber risk, because of the challenges of managing a large and growing number of mobile devices and apps in the workplace, as well as desktops and laptops used for remote work. Many threat actors target corporate data for theft and extortion, and endpoint devices present potential entry points into an organization.

The endpoint attack surface has expanded quickly over the past few years, thanks in large part to the growth of remote and hybrid work. For many organizations, there is a sense that the attack surface is spiraling out of control, because of the challenge of gaining visibility and control of this environment. They realize that just a single compromised endpoint could result in an attack that causes significant financial and reputational damage.

Unfortunately, few tools on the market are designed specifically to monitor and manage cyber risk on a unified basis. Organizations have had to stitch together point solutions to get by. And in many cases, they lack data that is current, accurate, comprehensive, and contextual.

In addition, many organizations lack the ability to measure and compare corporate risk scores with industry peers; quickly take action after risk is scored; set goals for vulnerability remediation; and prioritize which areas to spend limited security resources on.

In order to build trust and gain better control of data, organizations need to leverage technology that gives them the ability to know how vulnerable their critical assets are, whether they are achieving their goals to improve security posture, how they measure up against industry peers, and what they should be doing to become more secure.

Ideally, technology tools should be able to provide organizations with real-time comparisons with industry peers in areas such as systems vulnerability, outstanding patches and lateral movement risk.

From a visibility standpoint, tools should identify vulnerability and compliance gaps across all endpoints used in an organization, enabling organizations to prioritize those issues that represent the highest risk, visualize complex relationships between assets and collect real-time feedback. They should be able to track each asset by collecting comprehensive data on all endpoints in real time.

In terms of control, security tools need to help organizations greatly reduce the attack surface by managing patches, software updates and configurations. Metrics should provide a clear sense of progress over time and indicate where improvements are needed.

From a trust perspective, tools should provide a single, accurate view of risks, enabling risk scoring and dashboards that give executives a clear sense of the level of risks and how they can be mitigated.

When it comes to ensuring compliance with data privacy regulations, IT and security leaders need to establish trust and control within their organizations’ environments. That’s the only way to demonstrate to regulators — as well as to customers, employees and business partners — that they are taking data privacy seriously and taking the necessary steps.

The most effective ways to be compliant and at the same time enhance data security are to gain greater visibility into the organization’s infrastructure, including every endpoint device, evaluate the effectiveness of security solutions and make needed improvements, and compare risk metrics with those of comparable organizations.

Assess the risk of your organization with the Tanium Risk Assessment. Your customized risk report will include your risk score, proposed implementation plan, how you compare to industry peers, and more.


Digitalization is a double-edged sword for banks, especially when it comes to security. A massive shift to cloud and API-based ways of working has made the sector become more agile and innovative, but it has also opened the floodgates for identity theft. As interactions and transactions become more interconnected, even the simplest processes like opening a new account or making a balance transfer become riddled with security concerns.

As financial services become more digital in nature, it’s important that banks think differently when using data analytics, security tools, and education to improve identity authentication and customer data privacy. Avaya’s research report reveals three critical ways to do so.

1. Make the Most of the Powerful Tool in Your Customers’ Hands

Almost every customer owns a smartphone, and they use that device to call into the contact center when they need to resolve an issue or complicated matter. Have you thought about what can be done with this device to enhance identity authentication? Older security methods like Knowledge-based Authentication (KBA) only prove what a person knows. By leveraging the sensors in a customer’s connected device, banks can go one step further to prove who someone is — and that makes all the difference.

These capabilities, which include location services, cameras, and QR code scanning, make a customer’s smart device a rich source of inputs that help banks build a trusted identity template for each customer. Once this identity template is established, transactions are tied directly to the customer’s verified identity and enrolled device. This allows simple but risky transactions like requesting a new debit card, ordering checks, or updating an address to be done simply, quickly, and with far lower risk to the bank and its customers.

2. Shield Sensitive Data from Agents Using Zero Knowledge Proof

When a customer calls into the contact center, all of that person’s information is made visible to the agent who needs to verify them: their address, their driver’s license number, their social security number, etc. What’s stopping an agent from using their cellphone to take a picture of a customer’s personally identifiable information? It’s a scary thought, especially with so many customer service jobs now offsite out of supervisors’ views. Customer service workers don’t need so much visibility into this data.

A Zero Knowledge Proof is a cryptographic technique that lets one party prove a statement is true (for example, that the customer holds the social security number on file) without revealing the underlying data to the party checking it. Applied to the contact center, the agent never needs to see the data to confirm its accuracy or authenticity, and so ends up with no knowledge of it; hence “zero knowledge.” All employees see are the results that matter to them (whether a payment went through, whether a document was signed, that a customer’s SSN checks out) as a green checkmark from whichever third-party service performed the verification.
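The concrete shape of such a proof is worth seeing, because it also shows where the technique adds value over simply routing the secret around the agent. In the added example below (not Avaya’s code, and not any product’s API), the customer’s device derives a secret x from the SSN plus a random device-held value at enrolment, and the bank stores only y = g^x mod p. At verification time the device runs a Schnorr proof of knowledge of x, made non-interactive with the Fiat-Shamir transform and bound to the call’s session context; the bank, and therefore the agent, learn only a boolean. The group is generated at run time at a toy 256-bit size purely so the block is self-contained; a real deployment uses a standardised group (RFC 3526 or RFC 7919) or an elliptic curve through a vetted library. The SSN, session label and function names are constructed for the demo.

```python
"""Schnorr proof of knowledge (Fiat-Shamir) as a zero-knowledge SSN check.
Added example with toy-sized parameters; see lead-in for assumptions."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 256):
    """Toy safe-prime group: p = 2q + 1 and a generator g of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q, rounds=4):       # cheap pre-filter
            continue
        p = 2 * q + 1
        if is_probable_prime(p) and is_probable_prime(q):
            break
    h, g = 2, pow(2, 2, p)                           # any square != 1 has order q
    while g == 1:
        h += 1
        g = pow(h, 2, p)
    return p, q, g


def enroll(ssn: str, device_secret: bytes, p: int, q: int, g: int):
    """Device side, once. x mixes the SSN with a random device-held secret so
    that y cannot be brute-forced over the ~10^9 possible SSNs. Bank keeps y only."""
    x = int.from_bytes(hashlib.sha256(device_secret + ssn.encode()).digest(), "big") % q
    return x, pow(g, x, p)


def fiat_shamir_challenge(g: int, y: int, t: int, p: int, q: int, context: bytes) -> int:
    """Non-interactive challenge: hash of the public values and the session context."""
    data = b"|".join(str(v).encode() for v in (g, y, t, p)) + b"|" + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def prove(x: int, y: int, p: int, q: int, g: int, context: bytes):
    """Device side, per verification: prove knowledge of x with y = g^x mod p."""
    k = secrets.randbelow(q - 1) + 1                 # fresh nonce; reusing k leaks x
    t = pow(g, k, p)
    c = fiat_shamir_challenge(g, y, t, p, q, context)
    return t, (k + c * x) % q


def verify(y: int, proof, p: int, q: int, g: int, context: bytes) -> bool:
    """Bank side: learns only whether the prover knows x for this y and context."""
    t, s = proof
    if not (1 < t < p and 0 <= s < q):
        return False
    c = fiat_shamir_challenge(g, y, t, p, q, context)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


if __name__ == "__main__":
    P, Q, G = make_group()
    device_secret = secrets.token_bytes(32)          # lives only on the customer's device
    x, y = enroll("123-45-6789", device_secret, P, Q, G)   # constructed sample SSN
    proof = prove(x, y, P, Q, G, b"call-42")
    print("agent sees:", "verified" if verify(y, proof, P, Q, G, b"call-42") else "failed")
```

Two design points matter in practice. Binding the challenge to a session context stops a captured proof from being replayed on another call. And if the verifier is allowed to hold the SSN itself, the zero-knowledge machinery is unnecessary: the same agent-shielding goal is met by sending the customer’s input straight to the verification service and returning only the result to the agent desktop. The proof earns its keep when the bank wants to keep verifying without storing the SSN or a hash of it at all.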

3. Outbound Notifications for Fraud Protection

In a sea of scam callers, most customers immediately send unknown numbers to voicemail. This is a major challenge for banks trying to reach customers to perform a number of legitimate tasks and build relationships. By securely sending notifications across the channel of a customer’s choice (SMS, or an in-app message if the company offers a mobile app), banks can reach customers faster and with high-assurance authentication. In this way, customers receive a notification via text or in-app message before an incoming call asking them to “tap” and log in. They are authenticated on the spot and, if desired, can schedule the call for a convenient time.

These notifications can also be used to simplify routine interactions like checking an account balance or bill pay. For example, a customer can click on the link in a text message their bank sends them reminding them that a payment is due for their credit card. Notifications can be sent for non-payment interactions as well, such as post-contact surveys and new customer eForms. All of this can be done in a PCI DSS-compliant way; when payment data flows through these channels instead of the agent desktop, banks can take the contact center out of PCI DSS scope altogether.
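A tap-to-authenticate message is only as safe as the token it carries: an attacker who phishes or forwards the message must not be able to use it. The added example below is not Avaya’s code; it assumes an HMAC key shared by the bank’s issuing and redeeming services, a five-minute validity window, and the field names shown, all of which are choices made for the demo. The token is signed, expires, is bound to one customer and one planned call, and is accepted exactly once.

```python
"""Short-lived, single-use, call-bound tokens for pre-call authentication.
Added example; key handling, TTL and field names are demo assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 300                  # assumed: five minutes to tap before the call


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PreCallAuth:
    """Bank side: issue a token before an outbound call, redeem it when the customer taps."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now                  # injectable clock so expiry can be tested
        self._used: set[str] = set()     # redeemed nonces; a shared store in production

    def issue(self, customer_id: str, call_id: str) -> str:
        body = {
            "sub": customer_id,
            "call": call_id,
            "exp": int(self._now()) + TOKEN_TTL_SECONDS,
            "nonce": secrets.token_hex(16),
        }
        payload = _b64(json.dumps(body, separators=(",", ":")).encode())
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(tag)}"

    def redeem(self, token: str, customer_id: str, call_id: str) -> bool:
        """True exactly once, for the right customer and call, before expiry."""
        try:
            payload, tag = token.split(".", 1)
            expected = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time compare
                return False
            body = json.loads(_unb64(payload))
        except ValueError:               # malformed base64 / JSON / missing separator
            return False
        if body.get("sub") != customer_id or body.get("call") != call_id:
            return False
        if self._now() > body.get("exp", 0):
            return False
        if body["nonce"] in self._used:  # replay of an already-tapped message
            return False
        self._used.add(body["nonce"])
        return True


if __name__ == "__main__":
    auth = PreCallAuth(secrets.token_bytes(32))
    token = auth.issue("cust-17", "call-42")          # goes out in the SMS / in-app message
    print("first tap:", auth.redeem(token, "cust-17", "call-42"))    # True
    print("replay:   ", auth.redeem(token, "cust-17", "call-42"))    # False
```

Checking the customer and call identifiers on redemption is what ties the tap to the call the agent is about to place; without that binding, a token lifted from one customer’s message could authenticate a different conversation.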

Learn more from Avaya’s research about what banks should consider to digitally evolve. View the full report, Five Recent Trends Shaping the Banking Industry.
