Meeting your Data Obligations in the Cloud After Brexit
Whilst the dust on how firms operate after the UK’s exit from the EU may have settled, there is still some confusion about how enterprise data, moving between jurisdictions and regulations, is stored and managed. In this article, we speak to data and RegTech experts from Synechron and Citihub Digital about the future of data in the Cloud in a post-Brexit world.
After Brexit how can I ensure that I meet the requirements for Cloud data storage for UK & EU clients and citizens when I use a Cloud Service Provider (CSP)?
Anand Chandra, Synechron: The main data consequence of Brexit is that the UK officially became a third-party country to all member states of the EEA. That means the UK needs to apply for an adequacy decision from the European Commission before data can be transferred freely across borders. In reality, UK GDPR compliance is very different from the EU GDPR compliance guidelines. There are ways of getting around this with Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and other similar agreements/arrangements. However, all of these need to be put in place individually and cannot be assumed as-is.
The way in which you mitigate these risks depends on the nature of the business, e.g., where you are based, your customers and their location, etc. Those most urgently in need of addressing their data infrastructure are those with bi-directional data sharing, for example financial organizations with European counterparts whose data flows are subject to EU regulations.
Below are two key parameters for ensuring cloud storage compliance:
Data Residency: the location of your Cloud hosting. Where your data is hosted is more important than your organisation’s country of domicile. For example, an organisation based in Hong Kong whose data is hosted in the UK must abide by UK data legislation. However, if an organisation’s data resides in the UK, then most likely it will not need to drastically change its Cloud strategy or data protocols. Therefore, it would be best as an organisation to check your data residency and leverage Cloud providers’ hosting services in an EU member state.
Data Adequacy: A status that is granted by the European Commission to countries outside of the European Economic Area (EEA) – such countries must prove that they have a level of personal data protection that is equal to that of European Law. Countries with Data Adequacy have free movement of data between themselves and the EU. The UK government welcomed the European Commission’s draft data adequacy decisions recently and is awaiting the complete technical approval process. This will provide certainty for businesses, enable continued cooperation between the UK and the EU, and will ensure law enforcement authorities can keep our citizens safe.
What framework will help keep me in compliance?
Anand Chandra, Synechron: An important area to focus on is the level of security and data control various Cloud providers offer and can guarantee. Proper due diligence should be carried out when choosing a CSP because a strong marriage between a business and the limitless scale of Cloud can make for an optimum data storage and protection arrangement.
Google Cloud offers Standard Contractual Clauses or Model Contract Clauses (MCCs) to customers, which will automatically apply in the absence of any alternate transfer solution made available by Google. Although placing one’s trust into a CSP instead of operating everything in-house may seem like a leap of faith, it shouldn’t be avoided.
Below is a five-component compliance framework that should be put in place to drive a higher level of security on Cloud:
- Governance: Asset management involves organizations taking stock of all Cloud services and the data they contain, then defining all configurations to prevent vulnerabilities. Cloud strategy and architecture includes characterizing Cloud structure, ownership, and responsibilities in addition to integrating Cloud security.
- Change Control: Two of the Cloud’s biggest advantages, speed and flexibility, make controlling change more difficult. Inadequate change control often results in problematic misconfigurations in the Cloud. Organizations should consider leveraging automation to continuously check configurations for issues and ensure successful change processes. Identity and access management (IAM) controls often experience multiple changes in the Cloud, specifically around (i) continuously monitoring root accounts, (ii) utilizing role-based access and group-level privileges, and (iii) disabling dormant accounts and institutionalizing effective credential and key management policies.
- Continuous Monitoring: The complexity and dispersed nature of the Cloud makes monitoring and logging all activity extremely important. Capturing the who, what, when, where, and how of events keeps organizations audit-ready and is the backbone of compliance verification.
- Vulnerability Management: Effectively managing vulnerability starts with a comprehensive knowledge of your environments and identifying potential risks. Smart organizations analyze all software for known weaknesses and watch for the introduction of third-party entities with potential vulnerabilities. Identifying and remediating vulnerabilities is central to any security platform and plays a major role in meeting regulatory requirements.
- Reporting: Reporting provides current and historical proof of compliance. Think of these reports as your compliance footprint and these will be very handy come audit time. A complete timeline of all events, before and after an incident, can provide critical evidence should your compliance ever be questioned. How long you’re required to keep these records depends on the individual regulation requirement—some want only a month or two, while others require much longer. Your team must keep all files in a secure, independent location in the event of an on-site system crash or natural disaster.
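The change-control points above (watch the root account, disable dormant accounts, rotate credentials) are the kind of check that is worth automating rather than reviewing by hand. The script below is an added example, not code from the original article or from Synechron: it reads a constructed credential report whose column names (`user`, `mfa_active`, `password_last_used`, `access_key_1_active`, and so on) are assumed to resemble the per-user report a cloud IAM service can export, and flags root access keys, missing MFA, dormant users and stale keys. The 90-day dormancy and rotation thresholds are assumptions as well.

```python
"""Flag IAM hygiene issues from a credential report (constructed sample).

Added example, not from the original article. The CSV below is a constructed
sample whose columns are assumed to follow the shape of a cloud IAM credential
report; the column names and the 90-day thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90        # assumption: no activity for 90 days means dormant
KEY_ROTATION_DAYS = 90   # assumption: keys older than 90 days need rotation

# Constructed sample report: not real data.
SAMPLE_REPORT = """user,mfa_active,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,false,true,2021-03-01T09:12:00+00:00,true,2020-01-15T00:00:00+00:00,2021-02-20T10:00:00+00:00
alice,true,true,2021-03-10T08:00:00+00:00,true,2021-02-01T00:00:00+00:00,2021-03-10T08:05:00+00:00
bob,true,true,2020-10-01T00:00:00+00:00,false,N/A,N/A
ci-deploy,false,false,no_information,true,2020-06-01T00:00:00+00:00,2021-03-09T23:00:00+00:00
"""


def _parse_ts(value):
    """Return an aware datetime, or None for N/A / no_information / empty."""
    if not value or value in ("N/A", "no_information"):
        return None
    return datetime.fromisoformat(value)


def find_iam_issues(report_csv, now):
    """Return a sorted list of (user, issue) tuples found in the report."""
    issues = []
    dormant_cutoff = now - timedelta(days=DORMANT_DAYS)
    rotation_cutoff = now - timedelta(days=KEY_ROTATION_DAYS)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        key_active = row["access_key_1_active"] == "true"
        pwd_enabled = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        # Root should never carry long-lived access keys and must have MFA.
        if is_root and key_active:
            issues.append((user, "root has an active access key"))
        if is_root and not has_mfa:
            issues.append((user, "root has no MFA"))
        if pwd_enabled and not has_mfa and not is_root:
            issues.append((user, "console access without MFA"))
        # Dormancy: neither password nor key used since the cutoff.
        last_used = [t for t in (_parse_ts(row["password_last_used"]),
                                 _parse_ts(row["access_key_1_last_used_date"])) if t]
        if not is_root and (not last_used or max(last_used) < dormant_cutoff):
            issues.append((user, "dormant: no activity in %d days" % DORMANT_DAYS))
        # Key rotation: an active key older than the cutoff is stale.
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        if key_active and rotated and rotated < rotation_cutoff:
            issues.append((user, "access key not rotated in %d days" % KEY_ROTATION_DAYS))
    return sorted(issues)


def sample_issues():
    """Run the check over the constructed report at a fixed 'now'."""
    return find_iam_issues(SAMPLE_REPORT, datetime(2021, 3, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, issue in sample_issues():
        print(f"{user}: {issue}")
```

Run against the sample, the root account is flagged three times (active key, no MFA, stale key), `bob` is dormant, and the `ci-deploy` key is overdue for rotation; `alice` is clean. Pinning `now` in the call makes the check reproducible in a pipeline and keeps the report itself as the audit evidence.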
What tools can I use to demonstrate compliance?
Bob Mudhar, Citihub Digital: If an effective data governance regime has already been implemented, including the capture of relevant metadata, then demonstrating compliance with regulation should be reasonably straightforward.
The glossary will define key items of data in your estate. The more sophisticated metadata platforms allow this to be mapped to the regulations, policies and standards so that it is clear what standard of control is expected. The glossary should also identify which items of data are considered ‘Personally Identifiable Information’ (PII) which is particularly sensitive data under GDPR.
The data catalogue will map the physical estate, detailing which applications contain the sensitive information and the InfoSec classification that has been applied. This provides a heatmap that can be used to explore and demonstrate the compliance and controls environment: is in-country client data on a platform that is outside the national boundary? Is the data retention period correct? Are the elevated encryption and access controls in place when the application holds PII data?
If data lineage is captured and reported then you have another line of defence — not only is the data inside each application understood, but also the route it has taken from the mastering source. This should demonstrate compliance with data privacy and residency obligations.
The tooling space for data governance is richly served by IT vendors, and considerable investment is taking place to develop these as the marketplace matures.
How will the CSPs help to achieve compliance?
Bob Mudhar, Citihub Digital: The CSPs are providers of compute, storage and productivity services. They should provide the tools and transparency to achieve the necessary controls, but the obligation to meet data regulations rests with the buyers of their service. Only their clients know (or should know) what obligations are to be met for their specific data on the CSP.
Firms should be creating and enforcing their own policies and guardrails around landing zones, residency and reach-back services. For example, the CSP will not, by default, prevent you from triggering a cross-border failover, from configuring a hub-spoke model that does not respect residency regulation, from using a CSP-provided encryption key, or from creating international network routes.
The CSPs are working to give their clients the controls and levers to build compliant environments. However, the exclusions and limitations to these policies need to be carefully understood: they are certainly useful, but not a panacea. Note that this becomes even more complicated when PaaS services are included, and once again a high level of client scrutiny is required: are the backups encrypted? In what region are the support teams located? Where is the DR environment? Are some features actually run out-of-region (AI services, for example)?
What audits do I need to run?
Bob Mudhar, Citihub Digital: Audit in technology never has a great reception amongst technologists. Auditing transient Cloud resources for data obligations is going to be difficult, but that also means that it is even more important to do so. There are many audits you could perform. However, the following will define the scope of your obligation:
- Data, where art thou? Knowing where your data is (physically, logically, geographically) is much harder than it sounds. However, it is almost the first thing a regulator/internal audit will ask about if it wants to ask questions. Have your catalogue ready!
- Data, what art thou? Knowing the categorization of that data (confidential, public, etc.) should be the next audit once you know where it is. Knowing what type of data it is will help define your retention and storage strategy. Update the catalogue.
- Data, let’s tag you. Ensuring everything is tagged with a usage and retention policy, especially tagging for defensible disposal, is a vital auditing exercise. All data should have a disposal policy set against it. This is also useful for data loss prevention, where the tag can be used to prevent accidental transmission of the data.
- Data, who owns you? It sounds obvious, but data should have an owner. All data should be tagged with a group/person/function/sub-organization that owns it for completeness, content and accuracy. Sometimes this becomes mired in organizational politics with no group or person wanting ownership. Equally, many can view certain pieces of data as theirs and there can be contention for ownership.
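The guardrails described earlier (a CSP will not by default stop a cross-border failover, an out-of-region backup, or PII sitting under a CSP-managed key) and the four audits just listed (where the data is, what it is, how it is tagged, who owns it) come down to the same detective check over an asset inventory. The script below is an added example, not code from the original article or from Citihub Digital: the inventory, the region names (`uk-south`, `eu-west`, `us-east`, ...), the tag keys and the per-jurisdiction allowed-region policy are all constructed assumptions, and in practice the inventory would come from the CSP's asset API or the data catalogue. It treats every replica and backup location as a copy of the data, so a DR region outside the boundary is reported the same way as a mis-placed primary.

```python
"""Audit a cloud resource inventory for residency, tagging and ownership gaps.

Added example, not from the original article. Inventory, region names, tag
keys and the residency policy are constructed assumptions.
"""

# Assumed policy: which hosting regions satisfy each data jurisdiction.
RESIDENCY_POLICY = {
    "UK": {"uk-south", "uk-west"},
    "EU": {"eu-west", "eu-central"},
}
# Assumed mandatory tags: owner, classification, jurisdiction, disposal/retention.
REQUIRED_TAGS = ("owner", "classification", "jurisdiction", "retention_days")

# Constructed inventory of resources (not real data).
INVENTORY = [
    {"name": "client-ledger-db", "region": "eu-west", "replicas": ["eu-central"],
     "backup_region": "eu-west", "key": "customer-managed",
     "tags": {"owner": "treasury-it", "classification": "PII",
              "jurisdiction": "EU", "retention_days": "2555"}},
    {"name": "uk-kyc-store", "region": "uk-south", "replicas": [],
     "backup_region": "us-east", "key": "csp-managed",
     "tags": {"owner": "onboarding", "classification": "PII",
              "jurisdiction": "UK", "retention_days": "1825"}},
    {"name": "market-data-cache", "region": "eu-west", "replicas": ["us-east"],
     "backup_region": None, "key": "csp-managed",
     "tags": {"classification": "public", "jurisdiction": "EU"}},
    {"name": "legacy-export", "region": "uk-west", "replicas": [],
     "backup_region": None, "key": "customer-managed",
     "tags": {"owner": "unknown", "classification": "confidential"}},
]


def _locations(resource):
    """Every region that holds a copy of the resource's data."""
    locs = {resource["region"], *resource.get("replicas", [])}
    if resource.get("backup_region"):
        locs.add(resource["backup_region"])
    return locs


def audit_resource(resource, policy=RESIDENCY_POLICY):
    """Return the list of findings for one resource (empty means compliant)."""
    findings = []
    tags = resource.get("tags", {})
    for key in REQUIRED_TAGS:
        if not tags.get(key) or tags.get(key) == "unknown":
            findings.append(f"missing tag: {key}")
    jurisdiction = tags.get("jurisdiction")
    allowed = policy.get(jurisdiction)
    if allowed is None:
        findings.append("residency cannot be evaluated: no jurisdiction tag")
    else:
        # Primary, replica and backup regions must all stay inside the boundary,
        # otherwise a failover or restore silently moves the data cross-border.
        for region in sorted(_locations(resource) - allowed):
            findings.append(f"data copy outside {jurisdiction} boundary: {region}")
    # Assumed control: PII must be encrypted under a customer-managed key.
    if tags.get("classification") == "PII" and resource.get("key") != "customer-managed":
        findings.append("PII held under a CSP-managed key")
    return findings


def audit_inventory(inventory, policy=RESIDENCY_POLICY):
    """Map resource name -> findings, for resources with at least one finding."""
    result = {}
    for resource in inventory:
        findings = audit_resource(resource, policy)
        if findings:
            result[resource["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample, `client-ledger-db` passes; `uk-kyc-store` is caught only through its backup region and its key choice; `market-data-cache` has no owner or disposal tag and a replica across the border; and `legacy-export` cannot be assessed for residency at all because nothing says whose data it is, which is the "Data, where art thou?" failure in practice. Untagged resources are reported rather than assumed compliant, so the audit output doubles as the tagging backlog.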
JOINING FORCES is a blog series that aims to showcase the synergies between Synechron’s and Citihub Digital’s SMEs.
Synechron’s October 2020 acquisition of Citihub Digital allows for multiple complementary offerings across the combined firm. This acquisition expands Synechron’s existing digital, consulting, and technology capabilities across the global financial services and insurance industry landscape. Together, the firms provide a targeted focus on digital transformation, architecture/operating model and application modernization, cloud enablement, critical cybersecurity, and other strategic business solutions.
About our SMEs
Bob Mudhar, Partner, Citihub Digital
Bob manages the firm’s regulatory/compliance & eTrading practices. With more than 25 years’ experience in blue chip investment banking institutions, his career has spanned a variety of business facing technology roles, helping support, enhance and migrate systems.
Anand Chandra, Sr. Director – Capital Markets, Synechron
Anand is presently pursuing his passion at Synechron by building trading systems in his capacity as head of Technology for Synechron UK, Europe & APAC. Anand has been associated with Digital Transformation & Regulatory Change for the financial services industry for 19+ years. Anand has led Modernization & Cloud Engineering programs for large Tier-1 banks across the US, UK, Europe, APAC & MENA.