The recent European Court of Justice’s invalidation of the US-EU Safe Harbor as complying with the EU Directive on the protection of personal data is a foreboding precursor to the passing of the European Commission’s pending General Data Protection Legislation (GDPR).
Both rulings have huge implications for how businesses around the world use, store, and move people’s private data, and there’s a lot of talk out there in the media about it. But there’s something missing: what this legislation means given the uncontrolled growth of cloud apps and shadow IT.
Here’s the issue: Every line of business and every individual in every organization is using cloud apps. OK, that’s a slight exaggeration, but not by a lot. Here’s what we know. The average organization has 755 cloud apps in use (in Europe, it’s slightly lower, at 608). And we’re not talking eBay and Candy Crush.
The apps we’re talking about include finance, marketing, human resources, supply chain, customer relationship management, enterprise resource planning, and more. Every line of business has adopted or is adopting a plethora of easily-integratable, best of breed apps to address today’s productivity, workflow, and even competitive challenges. In fact, so many of our customers view these apps as critical to their new initiatives that I’d go so far as to say that any organization undergoing a new technology initiative that isn’t cloud-based is probably making a mistake.
It’s not just apps. It’s data. Last year we commissioned The Ponemon Institute to conduct a survey and develop a framework that measures the financial impact of cloud in data breaches. One of many fascinating findings is that IT and security respondents believe that they have 30 percent of their business data in the cloud (the estimate in Europe was 10 percent). Our data tell us that IT underestimates the number of cloud apps in their organization by about 90 percent. If they’re underestimating apps by that much, we believe that 30 (or 10) percent number is low too.
So with hundreds of apps and at least a third of organizations’ business data in the cloud, how can any company that does business in the European Union even THINK about complying with this legislation?
At Netskope, we have been hard at work addressing cloud security and compliance challenges, including this one. You’ll see more from us on this topic, and as the GDPR legislation gets solidified, ensure compliance using Netskope. But you can get started today; here are four practices cloud-consuming organizations can do to prepare for this legislation:
Know what cloud apps you have. Knowing what cloud apps (or “processors,” in the parlance of the pending legislation) you have running in your environment is a critical first step. You cannot begin to protect privacy data if you don’t even know where those data are being stored. If you have not performed a Cloud Risk Assessment, do it now.
Know what data are in those apps. Once you know which cloud processors you’re using, you need to know whether you have privacy data (or any sensitive data) in them. Get started with Netskope’s granular app categorizations to triage the most likely candidates. For example, HR, Finance, and Cloud Storage are good places to start. Identify the most used processors, and use Netskope’s thorough descriptions and ratings in the Cloud Confidence Index to know which are the most likely to contain privacy data. Where you do have administrative control, scan for content containing privacy data using Netskope Introspection. For other processors, inspect cloud traffic to identify privacy data en route to an app or app category using the Netskope Active Platform, the industry’s only solution with noise-cancelling DLP for accurate, efficient detection and protection.
Ensure privacy data are stored in the EU. Identify the location of the cloud processors to find privacy data being hosted outside of a country (even temporarily, in the case of a processor whose headquarters and primary data center, for example, are in an acceptable country, but whose data are temporarily being hosted in an unacceptable one). Ensure those data are stored in the EU, or even within a particular country such as Germany, by enforcing granular policies by country in the Netskope Active Platform. For example, if data are being hosted by an app outside of Germany, enforce a policy disallowing upload of sensitive privacy data (or any data, for that matter) to that app. Or disallow the app altogether.
Protect privacy data in the cloud. For cloud processors that you believe, or have found, to house privacy data, take measures to protect those data. That may involve disallowing the upload of content containing privacy data using a granular cloud DLP policy. Or it may involve the protection of those data in the cloud using cloud encryption. Both of those can be performed in the Netskope Active Platform. If the data already exist in the processor – irrespective of when they were uploaded or created there – you can scan for privacy data and then encrypt. And if you do use a technology such as encryption, make sure you retain control over the encryption keys so only you can gain access to the data.
Whether you’re a European organization or one serving European customers, both the Safe Harbor ruling and the pending GDPR legislation will have sweeping effects on your use of cloud. Take these four steps to get ahead of the curve so you can maintain the competitive advantage you’ve gained by using the cloud while also protecting privacy data and complying this legislation.