Data Residency

as a Tool in the Cyber Security Arsenal

Cloud has created a new attack vector, as data has moved to public servers, and networks and infrastructure have become virtual. Covid-19 made things worse. Beside the zero-trust concept there is data residency. This article explains how this tool works.

Cybercriminals have recognized there’s much to be gained by stealing or ransoming personal information in lieu of taking down an organization’s servers. Financially motivated attacks continue to be the most common according to Verizon’s 2021 Data Breach Investigations Report. (1)

Cloud has created a new attack vector, as data has moved to public servers, and networks and infrastructure have become virtual. Covid-19 made things worse: the growth in home working resulted in an “alarming” (2) increase in cyber-attacks as criminals attempted to exploit security and system vulnerabilities. The blurring of boundaries has broken the traditional model of security, giving rise to the concept of zero-trust (3) where every device and user on the corporate network must prove themselves.

But there’s another tool in the cyber arsenal – data residency. It is useful because it provides a way to tackle cloud computing complexities, a factor highly likely to be exploited by attackers.

Complexity increases risk

Despite its many benefits, there are at least three ways in which cloud computing can introduce greater complexity and therefore more vulnerabilities into a system:

Multi-cloud

Multi-cloud is set to dominate enterprise technology according to IDC, who reckon 90% of organizations will have relied on it by 2022. Securing data and applications running across different providers’ platforms, data centers and zones is increasingly difficult.

Cloud native architectures

Adding to the complexity and therefore the difficulty are cloud-native architectures: monolithic systems are being re-written as microservices across IT teams managing their full lifecycle. Microservices can be built using different languages, frameworks and storage and communicate through a variety of techniques – HTTP, events, gRPC, WebSockets.

Integration of cloud-based services

One of the major benefits of Cloud-based services is that public interfaces and open APIs make them easy for other systems to find and consume. To illustrate the scale of integrations we are talking about, Pandium’s State of Product Integrations at the SaaS 1000 (4), found cloud-based business applications had an average of 98 integrations. Slack chief executive Stewart Butterfield (5) reckons one customer had 500 integrations to Slack plus “an extensive set of internally developed integrations”.

Unfortunately, despite their many benefits, integrations and APIs (6) can sometimes provide an “in” for hackers using stolen, brute-forced credentials and exploiting vulnerabilities and misconfigured systems.

What’s really troubling is that while some cloud challenges get easier the more time you spend in the cloud – as IT teams gain greater experience – security does not. According to Flexera’s annual State of Cloud report (7), security is difficult because it’s a moving target: “Hackers continue to increase their sophistication, requiring constant attention to cloud security. Also, new legislation and regulations continue to appear, particularly in industries such as financial services and healthcare, as legislators attempt to catch up with technology.”

Data residency can help

This is where data residency can help as part of a planned system of response for security. An operational infrastructure that satisfies the demands of regulators will mean putting in place the kinds of procedures that cut through this complexity – thereby helping to promote better cyber security.

GDPR, in the EU, does not place rules on data residency but data processors in the EU do comply with GDPR. While GDPR does not specify a set of cyber security measures, it does set clear rules on the security of data and of data processing. It requires that “appropriate” technical and organizational measures are taken in meeting these rules.

The general idea is organizations should track where data is held, protect data and be ready to delete the data on demand. This means protecting personal data against cyber-attack, detecting security events and minimizing their impact and letting people move and delete their data.

The emphasis is on the level of risk an organization is willing to stomach and having the “appropriate” level of response to mitigate that risk.

According to Malwarebytes Labs director Adam Kujawa (8), data residency is a good thing: “It makes it easier to secure information if you know where it is.”

Satisfying regulators means putting in place the tools and processes that not only keep you compliant – but that let you prove it. GDPR means having to define and implement policies and processes that direct your approach to securing systems involved in processing personal data. It also means implementing the appropriate technical and organizational measures to protect systems, technologies and digital services that process personal data from cyber-attack.

Conclusion

There isn’t a silver bullet for attackers bent on stealing data – effective cyber security takes a multi-layered, corporate-wide approach. In multi-cloud, that means working at a platform level – installing a planned system of detection and response built using consistent, automated processes and procedures. This will reduce detection times and sharpen your response to incidents.

The necessary policies and practices that accompany data residency will help you master the complexity of multi-cloud, serving as a tool in your cyber arsenal.

Sources
1. https://www.verizon.com/business/resources/reports/2021-data-breach-investigations-report.pdfx
2. https://abcnews.go.com/Politics/alarming-rate-cyberattacks-aimed-major-corporations-governments-critical/story?id=72164931
3. https://www.globenewswire.com/news-release/2020/02/04/1979531/0/en/Survey-Reveals-72-of-Organizations-Plan-to-Implement-Zero-Trust-Capabilities-in-2020-Yet-Nearly-Half-of-Cyber-Security-Professionals-Lack-Confidence-Applying-the-Model.html
4. https://info.pandium.com/hubfs/Product%20Integrations%20at%20the%20Fastest%20Growing%20SaaS%20Companies.pdf?utm_medium=email&_hsmi=88553004&_hsenc=p2ANqtz–jm5ue2uVLWYzwTjLoF8SSkdlve0S_dviFiym-vV4HcXP2ye7IZKz-2TXy98_cJGB6Nc4WciBLXDNijcIsyQU2u00omEWABEh98Y9wGyGyBKEFYRVk&utm_content=88553004&utm_source=hs_automation
5. https://techmonitor.ai/techonology/hardware/slack-european-data-residency
6. https://www.moesif.com/blog/technical/api-security/API-Security-Threats-Every-API-Team-Should-Know/
7. https://fxb-buyer.com/cloud/cloud-computing-trends-2021-state-of-the-cloud-report/
8. https://www.datacenterknowledge.com/security/privacy-and-security-are-converging-data-center

Jill Brennan

Jill Brennan is vice president, EMEA at PagerDuty, a leading digital operations platform, where she leads the organization’s expansion across Europe. Based in Switzerland, Jill is a seasoned software sales veteran with over 25 years of experience. Previous roles prior to joining PagerDuty include SVP of EMEA Sales at Medidata and leading the analytics and hybrid cloud software group businesses for IBM across 26 countries and a team of 1000+ employees in EMEA.