Okay, thank you very much. So let's get started. I already introduced myself. In this presentation, I want to highlight a few of the main challenges we faced in 2020, and I guess most of them will not be a new topic for you. So we will talk about, of course, the big elephant in the room, which is the cancellation of the EU-US Privacy Shield, from the GDPR perspective. We will briefly talk about NDAA Section 889.
Of course, remote working and cloud migration is a huge topic at this conference as well, so I want to highlight a few points. I want to give you some insights about what I would suggest for addressing those ongoing challenges in 2020 and beyond, and some practical advice and lessons learned. And I hope we will have some time for questions as well. So let's start with the EU-US Privacy Shield invalidation.
So basically the EU-US Privacy Shield was a framework that was created to enable personal data transfer from the EU into the US for commercial purposes.
It was the successor of Safe Harbor, which before that was also invalidated. And unfortunately, this year, in July 2020, the Court of Justice of the EU invalidated this Privacy Shield, deciding that it would not provide adequate protection to EU citizens and their personal data. Basically, in this decision there were two main reasons why this was the perspective of the EU.
One was that there are national laws and regulations in the US that allow federal agencies basically unlimited access to data of EU citizens once it is transferred to the US, or, in the case of the CLOUD Act, when it is being processed by US cloud service providers. The second big topic was that there was no real contact person with any kind of authority in the US that EU citizens could address and approach for their data subject rights.
And this, in combination, was the reason why it was invalidated. For everyone who followed the GDPR implementation and this framework, I think nobody was really surprised by this decision. Some were even a bit surprised that it took so long to invalidate it. Right now, unfortunately, this has happened, and it has a pretty serious impact on most global companies. First of all, it puts the US into the category of an unsecure third country from the GDPR perspective.
It also means that any data transfer based solely on this Privacy Shield is considered to be unlawful and should be stopped immediately. While in general GDPR provides alternative means to transfer data into certain countries, and we will talk about some of them briefly later, unfortunately it is not clear yet whether those are sufficient, considering that they will not fix the underlying problem.
And that is that whatever you arrange as a company with your business partner in the US, it will not be above the US regulations and local laws.
So this is not solving the underlying issues that caused the cancellation. With the potential election result in the US, which we probably were all following the last couple of days, there might be some hope that there will be movement in this direction to look for a follow-up to this Privacy Shield, to put us in a better position, but this is really unclear yet. And it will for sure take several months, so I'm not expecting any quick resolution of this issue.
So if you are affected by this, which means if you need to transfer any EU citizen's personal data into the US, I highly suggest, and probably most of you are already doing this, that you consult your DPO, get in contact with subject matter experts and data protection lawyers, and validate each process or processing activity you have. It's always a case-by-case decision, and then find the best solution for your scenario.
I was consulting a lot of lawyers together with our DPO, whether they were situated in the US, in Germany or in the EU.
And usually the main answer always seems to be, well, it depends. And that's unfortunately the truth.
There isn't a general solution to this issue. You have to look at your process, understand what the legal basis is, what can be avoided, what can be mitigated. There is no general solution for this topic.
So yeah, it's one of the things that will probably keep us busy during the full next year, I would assume. The next one is NDAA Section 889. So basically the NDAA is the National Defense Authorization Act. That is another US regulation that basically aims to protect US agencies and governmental entities from espionage of any sort.
So what happened is that there was a list of, in this case, Chinese manufacturers, hardware providers for telecommunications equipment, that were blacklisted.
And now this Section 889 in general prohibits any US governmental entity from doing any contract or business with whoever is using this sort of blacklisted telecommunications equipment. So this might affect you if you do business in the US with governmental entities, but it might also affect you if your company provides services to another company that is actually doing business with the US. And that's mainly because this includes the full supply chain. So what most likely happens in this case is that you will get an audit request.
That's usually a self-assessment from your business partner, and this goes down to the hardware level. And that's a bit of a novelty.
If you look at compliance and the requirements for your inventory, in most cases it's a bit difficult to understand what type of hardware you actually have in place in your data centers.
If you look at cloud providers and so on. So it also means, if you get this assessment from someone else, you would have to assess all of your supply chain as well and try to figure out if anyone is using blacklisted equipment of this sort. And this, like most of the new regulations, is basically still a bit unclear. What is the direct impact on businesses around the globe?
What might be the direct impact if you, for example, use tablets or phones from Huawei or any other blacklisted entity? So what are you going to do? So far, from our experience, it's a self-assessment. So you have to report it, and then you have to find a common solution with whoever is requesting this from you. So this is something else that came up in the middle of this year, and it just shows you that it is really important to understand all the fundamental requirements that are really needed for business nowadays, if you want to do global business, whether GDPR or this NDAA Section 889 or any other regulation that might be on the horizon.
And we have a few coming. There was just another add-on, the CCPA, which is the California Consumer Privacy Act. We know that a lot of other legislations are working on data protection regulations that are similar to GDPR. So it's always important to understand what the basic process is, or what could be a basic solution for your company to actually deal with these requests now and in the future. Also another very big topic, due to the crisis we are all in right now, and this is again also a big agenda item for this cybersecurity summit.
And I think it's really important to look at this. So we have a combination of remote working and cloud migration in many companies, due to social distancing and different regulations in each country on how they respond to this crisis.
And basically what it means is that the way we work and collaborate and share and access data has changed. A good example is how we actually have this conference today. A year ago, we would be sitting in some congress center and have this in a meeting room.
So this has changed, and it put a lot of stress on IT, on how your company can enable this, but also from a security and governance perspective this is really changing the whole way of how you look at your data and how you look at your access. In the old traditional way, you had control over basically your physical environment. Everybody was in the office, you had magnetic cards everywhere.
So you know who's coming in, you have a reception, you have security guards.
This is not the case right now, in most cases, when people are working from home, for example, like I do. And if you think about cloud migration on top of it, it also means that the way people access the data might circumvent your technical security measures completely. They could just go to Office 365, use a web portal, get online email from whatever computer.
And it's really difficult to understand the data flow. It's difficult to understand the input and output of where your data is actually moving to. And this is another challenge that was already on the horizon.
Like, I think the last couple of years everybody was talking about cloud migration as well, so it's not a big surprise; it just was accelerated a lot by the COVID-19 crisis. And depending on how prepared your company was, this might have caught you off guard, hopefully not, but it's another topic we have to look at.
Also, if we think about GDPR in the cloud, it's also not a very easy topic for us and the governance or security departments.
Okay.
So, however, right, I didn't just want to talk about challenges; I also want to provide some sort of advice. And I think you're all familiar with this short phrase, and there's actually one framework, right, we can use to bind everything in compliance, hopefully, if we do it right, at least. And that's of course our precious ISO 27K framework.
I picked this specifically as a good example, and that's mostly because it pretty much gives us everything we need in terms of governance. And this was also true way before the COVID crisis, of course. So the general advice: it doesn't really matter if your company really aims to certify or not.
I mean, you can get the ISO certification if you think this is helpful for you, doing business B2B and so on, but even if you don't plan to do so, it's still a very good blueprint to look at governance from a holistic perspective, if you scope it right, of course. So basically it offers a full set of about 114 control objectives over several categories. They are defined in a sub-document, the 27002. You can scope it fully, which means it covers your whole company, all your processes, your departments.
It does cover GDPR as well, because personal data is just a data category within the ISMS. So the ISMS is the information security management system. This is how you manage the ISO 27K framework. It's very flexible, and that's what I like most about the ISO framework in general: it works with objectives. So it doesn't tell you how you have to implement the control. You have full flexibility in achieving those control objectives.
And this is what makes it, I would say, preferable to maybe some of the stricter frameworks that are out there. And that's why I would highly recommend it as well.
You have control over how you do it. And it also provides documentation for guidance.
Like, how do you implement it? How does this all work?
And what are the key issues you have to take care of? So ISO 27K also has a lot of sub-standards for specific topics. We have a standard for risk assessment and so on, and you can see the full list available as well. So in my opinion, this is one of the best approaches you can adopt, and this will make you fit well for today's challenges, and also for the future.
However, implementing an ISMS is not an easy challenge. It will take quite some time, and it will also require some of the main fundamental basics we will talk about next. So now, whether you want to go for an ISMS or if you just want to look at it as a general blueprint, I think it's really important to have a strong foundation for your company and to understand exactly what's going on, which means you need to have a sophisticated asset inventory.
This means preferably down to the hardware level, to understand who your manufacturers are, just looking at NDAA Section 889, for example. In this case you want to have very defined responsibilities and asset ownership. Asset ownership is really important also for the, let's say, non-tangible assets. A good example is URLs and top-level domains. How are they managed in your company? Can every department just get one? Do you have a policy around it? Is it IT? Who is the contact person if there is an expiration of your certificate, things like this.
So having all of this in a sophisticated inventory is a fundamental requirement, actually, to think about governance and to actually deal with those challenges. On top of it, there are data flow diagrams. This means, including cloud services, understanding how your data moves between your applications and your services, who's responsible, who can access what, and what APIs you actually use.
Think about third-party assessments, check your SLAs again. If you move into the cloud, whether it's IaaS or software as a service, understand what the responsibility is in case of incidents.
What is the responsibility in case of GDPR-related issues? Like, if we talk about data compliance and so on, retention times, it is really critical to understand who is responsible for what, documented, and also to understand this in regards to contract management. If you do a lot of B2B business, what are the security requirements you agree to do your work under, data processing on behalf, for example, and how is it defined with your customers if there is any kind of incident or any kind of compliance request where they might be affected? So be prepared, work on the fundamentals. That's really important.
Look out for IT, and also for business, who can help you with this quite intense task.
Next, I also thought about what the key success factors are for implementing anything that will help you in managing governance at your company. And all of those three points are actually really connected, right?
First of all, you need to understand who the stakeholders are for governance, for your assets, for the controls you want to implement. Get in touch with them, be very open in communication, build strong communication habits, ask frequently, get input from business units that know the processes and the tools they use much better than you normally would from an external perspective. Keep people interested in what you do.
And also, when you understand and collaborate, not only will your control implementation be better, but you will also work on reducing resistance towards implementation. And that's the critical factor.
If you just design controls or policies or put any kind of measure into place without involving your stakeholders and whoever will be affected, the resistance to change is usually quite big. But if you involve them in time and get their input, you will for sure get better controls.
And the resistance will also be a lot less present than what you would expect otherwise. So this is connected. I think communication and collaboration are key nowadays to implement this. One final piece of advice before we have some time for questions.
So if you look at GDPR and third countries, I tried to put it in a very simple three-step process to evaluate if you have to do anything. First, of course, you always need the legal basis for processing. That's defined in Article 6 of GDPR. Then you need to check whether the transfer into a third country, so outside the EU, is permitted, and it's usually permitted if there's a decision, or if the country is, you could say, whitelisted by the EU. If that's not the case, then you as a controller are responsible for providing alternative means of protection. This could be standard contractual clauses.
It could be binding corporate rules, it could be consent, whereas consent is a very critical thing to do because it can be withdrawn easily, or maybe some of the exceptions might apply to you.
But again, in this case, look for professional advice, evaluate all the data processing activities and ensure you have a mature setup to deal with this. You can run this through the risk management of ISO 27005, treat it as a risk, and look at avoiding or mitigating the impact.
And yeah, I think that would be the best approach. So I think we do have a little bit of time for some questions. Thank you.