A recent Washington Post article highlighted the extent of communications intercepted by the NSA. The communications, files and messages accessed by the NSA contained the full gamut of personally identifiable information (PII), health records and other confidential information. This is the very information that organizations have an obligation to protect. Broad government espionage such as this forces organizations around the world to step back and ask: who is accessing our data, what compliance and governance problems does this cause and what should organizations do about it?
Previously, concerns around content access were connected to proper authorizations – you didn’t want personnel files accessed by someone outside of the HR team, and the finance and executive groups should be the only ones able to access legal contracts. However, the revelations brought about by Edward Snowden force organizations in all industries to recognize that the NSA and other government agencies, such as the UK Government Communications Headquarters (GCHQ), have been accessing and collecting communications, files and metadata from a variety of third-party vendors, including Google, Microsoft, Yahoo! and Dropbox. With wholesale government snooping now a fact of our lives, it is increasingly difficult to manage exactly who has access to your information, especially as the volume of digital data continues to grow at exponential rates.
One way for organizations to prevent third parties from collecting and accessing their sensitive information without their knowledge is to use private cloud, on-premises solutions to share and access information. While a government warrant could still be issued to your business directly, private cloud solutions protect you from government collection, without your knowledge, of information stored with a third-party provider such as Dropbox.
Keeping secure control over your data by storing and sharing it via an on-premises solution also ensures that information storage and access policies are in line with the many international regulations around data storage and sharing that require geographic sovereignty of information, including restricting personally identifiable customer data to the country where it originates. Many enterprises should now be considering extending this capability to their sensitive business data as well, to enhance the security of proprietary information.
Under the Patriot Act, which is used to support the legality of U.S. government data collection programs, agencies can collect information from any U.S.-owned company, no matter where the data lives or which company created the content. Business leaders are often concerned about competitors getting their hands on information, from an economic security standpoint, but they should also be concerned about data being collected by government agencies, which could put them out of compliance with their own local government regulations.
Ensuring the data privacy and security of business information is paramount to the continued trust in enterprises by their customers. To stay within the legal boundaries of national and international regulations, as well as comply with security laws, companies need to consider deploying solutions that offer total control over data, such as private cloud technologies, and use those solutions to separate data by region.
What this all comes back to is the importance of knowing who is monitoring your data and when it is accessed. Are you in control, or is it a third-party vendor that may well be allowing a government organization to monitor your information? The latter is not only an insecure practice for sensitive data; it is also likely to cause compliance issues for your organization.