Force 5: Government and Industry Regulations
Regulatory authorities are still trying to catch up with cloud computing let alone the revolution that business digitalization is causing as there is no longer a data center to audit or a firewall log to review.
Cloud Impact on Regulations
As the cloud reduces physical perimeters for organizations, the cloud also reduces and blurs the digital divide between countries and nations. For many organizations, knowing where their data is located should be a fundamental requirement, yet for many, it’s not always obvious. Responding to a government or a regulator request that our data “is in the cloud” is not perhaps the correct response. Instead, the regulator has made it clear in recent data protection law revisions, such as the EU GDPR, that organizations must know where their data is located. It is a legal requirement and as we see updated regulations introduced across the globe, this requirement will be mandatory for most organizations.
Geolocation Impact on Regulations
Not only is geolocation of the data a requirement but also an understanding of why the organization has this data, how long they can retain, what organizational and security controls are required, and what agreements are in place to transfer this data cross-border to other data controllers and data processors. These are all questions the organization should be able to easily answer. As we see a consolidation of these requirements, we also see an acceleration in consumers being aware of their rights under new data protection and privacy Laws. GDPR, LGPD, CCPA, and POPIA are just some national or state examples whereby the national authorities have made it clear that consumer data protection is critical and they are willing to take action against even the largest organizations that do not take their obligations seriously.
Across the globe, countries and unions have applied aggressive mandates to control and protect data in and out of the country. For these countries, cross border connectivity must be controlled with organizations relying on valid agreements to be in place. The complexity of the rules in place continues to impact both global data protection and security teams that need visibility and control over their network and systems and to not run foul of these laws. For many of these laws, there is no simple answer as rules and guidelines continue to be developed to best support the government’s intentions to support both their economy and their trade arrangements.
Recommendations to best manage these regulatory minefields include mapping the organizational data flows to truly understand where your organization may need to deal with these issues before they negatively impact the organization. Understanding where employees connect from and to cloud services, as an example, will help with maintaining a cross-border inventory of the locations that may need additional control and/or analysis. Sharing this information will provide greater visibility across the whole organization and can help support legal, risk, and audit teams in their understanding of the requirements. Building a strong coalition alongside the security team that factors into the location variable that cloud computing brings is a good first step to manage these forces.
Force 6: Global Social and Economic Forces
A security strategy should also be implemented to be aware of outside influences, such as global social and economic forces. Employees may not always give a second thought to these forces that may influence their favorite collaboration application. How would they know that they are using storage where the provider has terms that allow for this data to be used for secondary purposes? It is so easy to sign up for a new application completely unaware of the potential ramifications. Another aspect is the use of this data to train existing algorithms that can be used to enhance an understanding of behavior. All good vendor assurance and third-party risk assessments should uncover the potential of this, however, if the organization has embraced an acceptance of shadow IT, who is responsible for these checks and balances? These forces and influences should be considered and embedded into a strategy focusing on protecting both the employees from misguided information and to protect the organization from potentially losing value from their data.
The Shift in Security Budgets
The movement to cloud applications is also having a major impact on investment dollars of security budgets. By 2024 investments in cloud security will shift from the current ~20% of the budget to over ~60% of the security budget. Major investments will be moving away from on-premise appliance-based Secure Web Gateways (SWG) to software-based Next Generation SWGs that combine the functionality of data leakage prevention (DLP), web security, and Cloud Access Security Broker (CASB) into one platform. When implemented inline, the technologies can monitor and protect the information flowing to and from all critical business systems.
Global Events
Often global events will impact the security strat