Investing in a local data residence, or partnering with a vendor that already has a local data storage facility, offers many benefits for organisations. Simon Godfrey, EMEA Senior Sales Director, Secureworks, explores why EU businesses prefer to have their security telemetry data stored locally so that it complies with GDPR and other regulations.
The location of data is extremely important to businesses in the EU. Concerns around data sovereignty and compliance with GDPR and other associated regulations mean that many insist on working only with partners with data centre and data storage facilities in the EU.
Time and time again, though, this has proven to be a stumbling block for international security and storage providers looking to serve European customers, despite using secure cloud infrastructure that complies with EU regulations. With a need for more autonomy from EU organisations over where their security telemetry data is stored, as well as for safeguards for securing that data while in transit, having a local storage option is essential.
Taking responsibility for data
Data security is integral to business operations throughout the world. In the EU in particular, regulations around the usage of citizens’ personal data continue to evolve. Businesses are constantly looking to more tightly govern where this data is stored and how it is used to ensure the privacy and protection of their customers.
With threat actors increasingly exploiting gaps in defences and vulnerabilities in software supply chains, organisations are looking to adopt simplified, integrated and holistic cybersecurity solutions. Threat detection and response services are core components of this new approach. They provide organisations with the ability to identify and respond to attacks quickly across cloud, endpoint and network environments. It puts organisations on the front foot, enabling them to actively deal with a live threat by tracing it back to its point of entry, nullifying its impact and repair any damage caused, while maintaining Business Continuity.
There has been a rapid adoption of extended detection and response (XDR) platforms and services that are able to analyse, correlate and visualise telemetry data from multiple security controls. XDR is at its most effective when it’s able to provide predictive, continuous and responsive protection based on the latest threat intelligence. This automated process enables businesses to tackle new and emergent threats before they take a foothold. It’s an extremely useful tool and one that provides organisations with reassurances at a time when data breaches and ransomware attacks are constantly in the public eye, increasing consumer awareness of the risks to personal data.
A cloud-based XDR solution, hosted within a European data centre, will ensure that any personal data encapsulated in an organisation’s security telemetry data will be stored locally in the EU, thereby satisfying local data privacy regulations.
Indeed, the consequences of not doing so are significant. Failure to comply with GDPR, for example, can result in financial penalties of 4% of a company’s global turnover or €20 million, whichever’s the highest. Reputational risk can impact an organisation’s growth opportunities, too, if it’s found to have been lax in its data privacy policies.
However, in addition to GDPR, last year’s Schrems II ruling by the Court of Justice of the European Union makes it the responsibility of each organisation to ensure it has tight security postures in place, especially for the transfer of data from the EU to the US or other overseas entities. It is up to those organisations with EU citizens as customers to properly control and manage their personal data policies, and select locally-based vendors with proper controls for enforcing these policies to reduce reputational or security risks. Consequently, security platform vendors must treat the protection of the personal data that their customers hold as a core responsibility.
Evaluating data security policies
The spate of recent supply chain cyberattacks, such as that experienced by SolarWinds in 2020, has exposed potential vulnerabilities in providers across the globe. It’s imperative that organisations should evaluate the data security policies of all vendors as part of the procurement process. Ideally, they should be looking for security platforms capable of detecting and responding to such security threats, supporting and informing their own data security policies. In addition, EU-based organisations should be looking to select vendors that can help them from both a compliance and security perspective.
The overriding issue here is the protection of personal data, where it’s located and where it’s transported throughout the EU, and if it complies with regulations. Most large enterprises, regardless of whether they are based inside the EU, are international businesses, with cloud and IT infrastructures that span different geographies. They’re sensitive to the needs of their customers and appreciate the need to comply with the data regulations of the regions and markets they operate in.
When it comes down to managing the data of EU citizens or customer data within the EU, businesses need to ensure they have the correct legal frameworks and data provisioning services in place. This includes the ability to monitor and track data as it flows from one cloud infrastructure to another across the region. They need to be aware of its location and if it’s secure. All these points support the need to invest in a local data residence, or partner with a vendor that already has a local data storage facility in place.
Keep data closer to home
The privacy and protection of personal data is becoming increasingly important, especially for businesses in the EU. With the Court of Justice of the European Union and other regulatory bodies continuing to tighten controls on the storage and usage of EU citizens’ personal data, data security is now – undeniably – everyone’s responsibility.
Organisations need to ensure their data is compliant – held within the EU’s borders and adequately protected. Vendors need to step up and offer the security, assurance and autonomy their customers need for data sovereignty and regulatory compliance. This can be achieved by having a local data storage facility in place to manage the provisioning and processing of personal data. With the addition of XDR, it’s possible to add another layer of security, one that allows organisations to tackle threats head on, reduce risk and protect personal data.