By Joe Bombagi, Director of SteelFusion, EMEA & APJ at Riverbed Technology
The benefits of cloud adoption – including increased employee productivity and reduced operational costs – are enabling businesses to become more global and interconnected. Organisations large and small are rolling out an increasing number of cloud applications, enabling employees to access sensitive data from branch offices located all over the world. However, increasing reliance on cloud technologies has also compounded businesses' data security concerns. According to a recent Unisys survey, 42% of respondents named security as the most challenging aspect of cloud management, far outweighing all other concerns. With employees accessing and sharing sensitive data from worldwide locations and through an array of devices, organisations face the challenge of protecting valuable intellectual property, customer data, and ultimately their reputation and bottom line.
As a result, different countries are putting in place their own sets of compliance requirements. For example, the European Union's General Data Protection Regulation (GDPR) will have a major effect on all companies managing personal data within the EU, whether they are based in Europe or not. Similarly, organisations have to comply with local data protection laws if operating in the US, Russia, or the Middle East, to name just a few. This could be particularly difficult for companies with branch offices located worldwide, which will have to ensure compliance with the regulations governing each of the regions in which they operate. Non-compliance brings the risk of harsh consequences.
Consequently, most organisations will need to adopt entirely new behaviours in the way they collect and use sensitive data. With that in mind, here are a few actions organisations can implement to help them comply with current regulations, no matter where they operate.
- Understand the flow of personal data
Businesses across the world will need to take a long, hard look at their security measures and adapt to regional laws. Businesses will have to strike the right balance between protecting customer information and making sure users of that data can continue to operate the way they need to. This could be a challenge especially when considering that, until recently, businesses often collected employee and customer information with only a vague sense of how the data might eventually be stored and used.
So, the first step towards compliance is for businesses to have a full understanding of where their information resides, and where it travels. Businesses need to create maps describing the flow of personal data within their network. This is a core requirement because many companies collect user data and process it in the cloud, in a different region than where it originated.
- Conduct risk assessments on a regular basis
There are lots of tools dedicated to providing network security, including vulnerability scanners, intrusion detection and prevention systems, and firewalls, among many others. Every company has its own ideas and approaches when it comes to securing its corporate network. No matter which tools they choose to implement, it is important to recognise that no single tool is failsafe. A firewall helps keep traffic from outside your network from getting in, but does little once an attacker is already inside, for example on a compromised laptop or with stolen credentials. An intrusion detection system helps identify that an intrusion is taking place, but on its own does nothing to block it or to secure the perimeter. Each control covers one part of the problem, and the gaps between them are where risk accumulates.
This is why it is imperative for companies to regularly perform and document risk assessments. Using network monitoring and access-logging tools, IT teams can monitor the network, report on access violations, prove or disprove access concerns, identify the areas where issues occur, and help remediate them. They can then use this information to know what is happening throughout the network, confirm that no one is doing things they shouldn't, and, in the worst-case scenario of an intrusion or other violation, determine what happened and identify appropriate mitigations.
- Hiring a Data Protection Officer
A Data Protection Officer (DPO) is an expert in data-privacy law, responsible for conducting data privacy assessments and ensuring appropriate policies are in place.
Companies operating in the EU will need to do one of two things: Either name a DPO, and equip them with all the tools they need, or provide a personal data map that explains why their business qualifies for exemption. Though not all countries stipulate the need for a DPO, having a person on hand who is responsible for the efficient management of information can help companies to ensure compliance with global information-related laws and regulations.
- Develop strong privacy protections
Organisations should look to have privacy protections built in throughout their operations. This requires paying special attention to every detail of what is happening in the cloud, as well as an understanding of how different applications interact and which of them handle personal data. By establishing holistic, real-time, end-to-end visibility into cloud and on-premise application performance across the entire network, IT can establish a clear line of sight into how apps are behaving and where data is moving. Using application monitoring tools, IT can then identify the cause of performance issues, fix them promptly, and proactively improve performance. This improved visibility into application behaviour supports compliance with data security regulations (it does not by itself guarantee it; the controls and policies still have to be in place) and can also result in increased productivity and revenue for the organisation, as well as improved customer service, product quality and employee engagement.
As more and more organisations move to the cloud for day-to-day operations, visibility across public, private and hybrid clouds will become critical. A dramatic increase in network complexity, and new, highly distributed application architectures demands a radical new approach to how IT looks at the network and its application performance infrastructure.
With many of today’s organisations going global in the cloud, achieving increased visibility, optimisation and control for networks and applications is a must. Fortunately, they and the decision-makers behind them have the time and tools needed to capitalise on the cloud without being held back by regulations.