In the first use case of this series, Stay in Control of Your Data with a Secure and Compliant Sovereign Cloud, we looked at what data sovereignty is, why it’s important, and how sovereign clouds solve for jurisdictional control issues. Now let’s take a closer look at how data privacy and sovereignty regulations are driving security, privacy, and compliance.

Data Privacy and Security

The EU’s GDPR has formed the basis of data privacy regulations not just in the EU but around the world. A key principle of the regulation is the secure processing of personal data. The UK GDPR states that security measures must ensure the confidentiality, integrity, and availability of data (known in cybersecurity as the CIA triad) and protect against accidental loss, destruction, or damage.[1]

Restricting access to sensitive and restricted data is a crucial aspect of data security, along with ensuring trust and flexibility for portability needs. 

Sovereign clouds are built on an enterprise-grade platform and customized by partners to meet local data protection laws, regulations, and requirements. Locally attested providers use advanced security controls to secure applications and data in the cloud against evolving attack vectors, ensuring compliance with data regulation laws and requirements to safeguard the most sensitive data and workloads.

Protected data should employ micro-segmentation with zero-trust enforcement to ensure workloads cannot communicate with each other unless they’ve specifically been authorized and are encrypted to secure them from foreign access. A multi-layered security approach secures data and applications in the sovereign cloud, keeping them safe from loss, destruction, or damage.

Sovereignty and Compliance

Data residency – the physical location where data (and metadata) is stored and processed – is a key aspect of data privacy and sovereignty regulations. Data residency laws require that companies operate in a country and that the data be stored in that country, often due to regulatory or compliance requirements. For companies that hold customer data in multiple countries, keeping that data secure becomes a challenge. A sovereign cloud helps minimize risk and offers the more robust controls and trusted endpoints needed to keep data secure and compliant.

In addition, data residency requirements continue to evolve and vary by country or region. Multi-national companies frequently rely on in-country compliance experts to help ensure they’re following the latest rules correctly and to avoid significant fines and legal action. 

VMware provides best-in-class, enterprise-grade cloud, security, and compliance solutions that together form a platform for data choice and control.

“A law can change, and it can change your entire way of doing business,” one Fortune 500 CISO said.[2] And with the ever-changing geopolitical landscape, platform flexibility is needed to minimize risk with self-attested, trusted code. VMware provides simpler lift-and-shift portability and interoperability, as well as greater compliance with local laws and regulations.

Faced with changing regulations, it’s not surprising that 76% of organizations name compliance as a top cloud challenge.[3] One reason is a lack of skilled personnel. A recent survey from ISACA found that 50% of respondents experienced skills gaps in compliance laws and regulations, as well as in compliance frameworks and controls. Another 46% are dealing with a gap in privacy-related technology expertise.[4]

With these challenges, it’s not surprising that 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.[5] Some have moved data back on-premises, whereas others are using hybrid cloud architectures.

With VMware Sovereign Cloud, solutions are provided by locally attested partners who provide full-service, sovereign solutions and ensure that compliance is achieved, implemented and configured. Sovereign cloud meets data residency requirements with local data centers to contain all regulated data, including metadata, and you can respond faster to data privacy rule changes, security threats, and geopolitics with a flexible cloud architecture and knowledgeable local experts.

Learn more about VMware Sovereign Cloud:

Download the Security and Compliance 1 pager

Watch the Sovereign Cloud Overview video  

Find and connect with a Sovereign Cloud Provider in your region

Join the conversation on Sovereign Cloud on LinkedIn

Next, we’ll explore data access and integrity, and how that can ignite innovation.

Sources:
1. UK Information Commissioner’s Office, Guide to the General Data Protection Regulation (GDPR): Security, accessed June 2022
2. CSO, Data residency laws pushing companies toward residency as a service, January 2022
3. Flexera, 2022 State of the Cloud Report
4. ISACA, Privacy in Practice 2022, March 2022
5. IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021


Hypercompetition, globalization, economic uncertainties — all of it converging to drive a C-suite impetus for the business to become more data-driven. Organizations invest in more data science and analytical staff as they demand faster access to more data. At the same time, they’re forced to deal with more regulations and privacy mandates such as GDPR, CCPA, HIPAA, and numerous others. The outcome? The current methods meant to serve them — usually an overburdened IT team — end up failing, resulting in an alarming amount of friction across the entire organization.

The heart of the friction

Friction across the enterprise ecosystem impacts every part of the value chain. It’s driven by three primary dynamics:

1. An increasing number of analysts and data scientists asking for data.
2. More regulations and policies that must be enforced.
3. A tectonic shift of data processing and storage to the cloud.

Analytical demand

Over the last two to three decades, analytics have gone from the domain of IT to business self-service analytics. For the traditional financial and summary type reports, this is easy since data comes from curated and structured data warehouses. The newer self-service demand is for non-curated data for purposes of AI and machine learning.

Regulatory demand

More regulations result in more policies, but the bigger impact is going from passive enforcement to active enforcement. Passive enforcement relies on training people and hoping they’ll follow proper protocol. Active enforcement establishes a posture where systems proactively stop people from hurting themselves or the company. For example, a zero trust framework would assume you should only have access to the data you need and nothing more.

Moving to the cloud

With the move to the cloud, we don’t just move data outside our traditional perimeter defenses. The platforms separate storage from processing or compute with different styles of compute to serve different analytical use cases. The result is an exploding number of policies applied across dozens of data technologies — each with its own mechanism for securing data.

A use case for balanced data democratization

Privacera worked with a major sports apparel manufacturer and retailer on its data-driven journey to the cloud. The client’s on-prem data warehouse and Hadoop environment turned into a massive set of diverse technologies: S3 for storage and a host of compute and processing services such as EMR, Amazon Web Services (AWS), Starburst, Snowflake, Kafka, and Databricks. GDPR and CCPA emerged as critical mandates that had to be enforced actively. Hundreds of analysts excitedly tried to get access to the new data platform, outnumbering the IT support staff. The result was more than 1 million policies, and they only managed to get around 15 percent of their data into the business’s hands.

The solution: Centralized policy management and enforcement for their entire data estate. Here are the elements of their centralized data security governance:

1. Real-time sensitive data discovery, classification, and tagging to identify sensitive data in newly onboarded data sets from trading partners.
2. Build once, enforce everywhere. Policies are built centrally in an easy-to-use, intuitive manner. Those policies are then synchronized to each underlying data service, where the policy is natively enforced.
3. Built-in advanced attribute-, role-, resource- or tag-based policies, masking, and encryption to define fine-grained controls versus the previous coarse-grained model.
4. Real-time auditing of access events, monitoring, and alerting on suspicious events.
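To make the "tag-based policy, masking and audit" elements concrete, here is a small added example (not Privacera's code or the client's configuration): one central policy set is evaluated against columns that carry classification tags, a sensitive tag can be allowed, masked or denied per role, the most restrictive tag wins, and every column access produces an audit event. The column tags, roles and sample row are constructed for illustration.

```python
"""Toy "build once, enforce everywhere" check (added example, not Privacera's
code): central policies evaluated against tagged columns, masking for
sensitive tags, and one audit event per column access."""

# Constructed sample: column -> classification tags (what discovery would emit)
COLUMN_TAGS = {
    "customer_id": set(),
    "email": {"PII"},
    "card_number": {"PCI", "PII"},
    "country": set(),
}

# Central policies: role -> {tag: action}; a tag with no rule is denied.
POLICIES = {
    "analyst": {"PII": "mask", "PCI": "deny"},
    "fraud_ops": {"PII": "allow", "PCI": "mask"},
}

def mask(value: str) -> str:
    """Keep the last four characters, redact the rest."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def decide(role: str, column: str) -> str:
    """Resolve the action for one column; the most restrictive tag wins."""
    tags = COLUMN_TAGS[column]
    if not tags:
        return "allow"  # untagged columns are open to every role
    actions = {POLICIES.get(role, {}).get(t, "deny") for t in tags}
    for action in ("deny", "mask", "allow"):
        if action in actions:
            return action
    return "deny"

def query(role: str, row: dict, audit: list) -> dict:
    """Return the row as `role` may see it; denied columns are dropped."""
    visible = {}
    for column, value in row.items():
        action = decide(role, column)
        audit.append({"role": role, "column": column, "action": action})
        if action == "allow":
            visible[column] = value
        elif action == "mask":
            visible[column] = mask(value)
    return visible

if __name__ == "__main__":
    row = {"customer_id": "c-1001", "email": "ana@example.com",
           "card_number": "4111111111111111", "country": "PT"}
    log = []
    print(query("analyst", row, log), query("fraud_ops", row, log), len(log))
```

Because the decision is made once per tag rather than once per role-and-dataset pair, adding a newly tagged column needs no new policy, which is the mechanism behind the policy-count reduction the text describes.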

The result: The client reduced the number of policies by 1,000-fold, onboarded new data 95 percent faster, and got 100 percent of the data into the business’s hands.

The new way forward

Gartner’s State of Data and Analytics Governance suggests that by 2025, 80 percent of analytical initiatives will be unsuccessful because they fail to modernize their data governance processes. The challenge for CIOs and data and privacy leaders is that these mandates are often not owned by a single person. CISOs often feel they own the security posture but not the enforcement. The data leader focuses on the analytical output and insights. The CIO is often left holding the bag and needs to pull it all together. In its recent Hype Cycle for Data Security 2022, Gartner suggests 70 percent of the investment in the data security category will go toward broad-based data security platforms that can help organizations centralize data access and policy enforcement across their diverse data estate.

Learn more about balancing performance and compliance with powerful data democratization. Get your free copy of the Gartner Hype Cycle for Data Security 2022.


Companies and organizations are experiencing the first stage of a new kind of digital support: GDPR management tools. We analyzed some of them.

As with every previous wave of new business compliance processes, there is now a growing number of tools on the market addressing the new European privacy law, the General Data Protection Regulation, which came into force on May 25, 2018. Our main conclusion: these privacy tools have design limitations.

The problem

In some cases the solution’s approach is technological (systems designed as if they were stand-alone or static in nature), while in other cases it is functional, i.e. technical in compliance matters, and still narrowly specific.

We classify both approaches as mainly marketing-oriented; not to criticize the quality of these tools as such, but because the solutions are primarily momentum-driven commercial responses to a sudden demand from a market that is still not well versed in the subject. This practice does raise issues.

Talking with GDPR experts, it emerges that some entrepreneurs and executives have adopted a view that limits GDPR compliance to bureaucratic document management or, even worse, treats it as a one-shot, maintenance-free operation. All this despite the many repeated warnings and the risk of incurring huge administrative fines.

Moreover, we have been told in confidence that companies apparently prefer to present ‘official processes’ that do not match their real-world business processes, and then carry on with their usual ones. The bottom line: the risk analysis and the purpose of the compliance audit are dispelled even though time and money have been spent, and the risk exposure remains high.

Back to the past

We note a remarkable parallel to the 1990s, when ISO quality certification was fashionable. It was not uncommon to find entrepreneurs opportunistically chasing a series of certificates without any serious intention of changing their company culture.

We worked with quite a few of them at that time and, unfortunately but not by chance, none of them brightened their prospects with such choices. (None of them exist in the market anymore, but this is just a personal account.)

Three decades later, quality at large finally seems widespread in many business environments, and process mapping and re-engineering are nothing new anymore. The resulting benefits are acknowledged as part of our business culture.

An innovative approach – a golden opportunity

Underestimating the interventions required to meet the GDPR, or not taking advantage of all the actions needed during this process, may lead companies to choose the wrong tools, ones that then require serious compliance effort. Often this road also makes it impossible to connect with other fundamental areas of competence such as Legal and Operations. Given all of the above, we raise a crucial question:

Why should companies and organizations re-map their processes only for GDPR purposes? Why do GDPR tools not start from managed processes?

Exchange standards are available, such as IDEFx, FFBD or BPMN 2.0 for modeling, or universal formats like XML or JSON, to give just a few examples. So how common, in practice, is the adoption of process mapping tools?

This lack of integration with best practices and previous investments leads to costly attrition.