
Using Public Cloud Infrastructure To Protect and Enforce Cross Border Data Transfer

Maintaining compliance with a growing set of data governance and privacy regulations has relied on rules and procedures, carefully architected plans for data residency and, for overall protection, encryption. All of these are becoming insufficient to keep up with the complexity of the laws and to prevent the significant expense of fines, damages and rectification. All of these measures work from the outside in: technologies, policies, procedures and risk personnel are all devoted to ensuring that the use, storage and transmission of data complies with regulations and requirements. They are increasingly expensive to perform, potentially impede business agility and efficiency, and are dwindling in their effectiveness at minimizing risk.

A long-sought dream has been for the protections to be built directly into data, so that compliance can be achieved from the inside out. “Baking” protections into data ensures consistency and minimizes human errors or missteps. With the widespread availability of hardware-based Confidential Computing in the public cloud, organizations can now lock down workloads and make them impervious to rogue insiders, third parties or external attackers. With Confidential Computing, organizations can achieve complete data lock-down in any geography, preventing access by any unauthorized party or curtailing availability in a particular country or region. The designated managers of a cloud instance and workload retain complete control over who or what has access to the data, where it goes and what can be done to it.

The security, somewhat akin to the expensive and exotic Hardware Security Modules (HSMs) of the past, is incorporated into the CPUs used by most servers in the public cloud. It closes the long-standing gap in which data, algorithms and application code had to be decrypted in memory in order to execute. Now, even someone with root access to a particular server is locked out of seeing unencrypted data in that server's memory.

With a data lock by default, cross-border requirements can be implemented and enforced automatically through a type of governance built directly into the data. Data stored in a particular geography can be kept there, or transferred only to locations authorized for it, so that it stays in compliance. For instance, EU data can be kept within the EU and not allowed to be moved out of those nations.

The lockdown actually provides two major benefits for managing risk and ensuring compliance. First, data can be controlled and made to comply with requirements from the inside out, so that compliance is built into the data itself. Organizations can create a trusted environment within the public cloud and carefully determine who can do what to the data, and where. Second, data can be made impervious to unauthorized parties that willfully or inadvertently put it at risk and out of compliance. In other words, both authorized parties and unauthorized, rogue or criminal parties can be prevented from subjecting the data to risk.

Another potential benefit to risk management is attestation, which proves that the strong security measures are in place and that privacy law is being complied with. Attestation is a form of active verification derived from the measured state of the workload itself. It is more useful than relying on logs, since it is always current and a truer reflection of the risk posture.
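The two preceding ideas, geography-bound data and attestation as live proof of a workload's state, meet in a key-release decision: the data key is handed to a workload only after its attestation evidence shows the approved code running in a permitted region. The following is an added illustration, not code from the original article or from any vendor's product. It assumes a hypothetical release service and constructs its own stand-ins: the report format, the region names, the platform signing key (an HMAC secret so the example runs offline, where a real TEE uses a hardware-rooted asymmetric key and certificate chain) and the workload image bytes are all made up for the example.

```python
import hashlib
import hmac
import json
import secrets

# --- Constructed stand-ins (not any vendor's real format) ---------------------
# Real TEE reports are signed with a hardware-rooted asymmetric key and verified
# against the vendor's certificate chain; an HMAC secret is used here only so the
# example runs offline with the standard library.
PLATFORM_SIGNING_KEY = b"constructed-demo-platform-key"

# The data encryption key the hypothetical release service guards. A workload only
# receives it after its attestation evidence satisfies the policy below.
DATA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed workload image; a real measurement covers the enclave/VM launch state.
WORKLOAD_CODE = b"constructed workload image bytes"


def measure_workload(code: bytes) -> str:
    """Stand-in for the launch measurement a TEE records: SHA-256 of the loaded code."""
    return hashlib.sha256(code).hexdigest()


# Release policy: the measurement that must be running and the geographies it may
# run in (the EU-only rule from the text, with constructed region names).
POLICY = {
    "expected_measurement": measure_workload(WORKLOAD_CODE),
    "allowed_regions": {"eu-west-1", "eu-central-1"},
}


def issue_report(code: bytes, region: str, nonce: str) -> dict:
    """Simulate the platform producing a signed attestation report for a workload."""
    body = {"measurement": measure_workload(code), "region": region, "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(PLATFORM_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_signature(report: dict) -> bool:
    """Recompute the platform signature over the canonical body and compare in constant time."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected = hmac.new(PLATFORM_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["signature"])


def release_key(report: dict, expected_nonce: str, policy: dict):
    """Return (released, reason, key). Every check must pass before the key leaves the service."""
    if not verify_signature(report):
        return False, "report signature invalid", None
    body = report["body"]
    # The relying party chose the nonce; a report without it is stale or replayed.
    if not hmac.compare_digest(body["nonce"], expected_nonce):
        return False, "nonce mismatch (stale or replayed report)", None
    if body["measurement"] != policy["expected_measurement"]:
        return False, "workload measurement not approved", None
    if body["region"] not in policy["allowed_regions"]:
        return False, f"region {body['region']} not permitted for this data", None
    return True, "released", DATA_KEY


def run_scenarios() -> dict:
    """Exercise the release decision for the cases a reviewer would want covered."""
    results = {}

    nonce = secrets.token_hex(16)
    results["eu_ok"] = release_key(issue_report(WORKLOAD_CODE, "eu-west-1", nonce), nonce, POLICY)

    nonce = secrets.token_hex(16)
    results["outside_eu"] = release_key(issue_report(WORKLOAD_CODE, "us-east-1", nonce), nonce, POLICY)

    nonce = secrets.token_hex(16)
    results["modified_code"] = release_key(issue_report(b"tampered image", "eu-west-1", nonce), nonce, POLICY)

    # Editing the region after signing breaks the signature, so the forgery is rejected.
    nonce = secrets.token_hex(16)
    forged = issue_report(WORKLOAD_CODE, "us-east-1", nonce)
    forged["body"]["region"] = "eu-west-1"
    results["forged_region"] = release_key(forged, nonce, POLICY)

    # A genuine but old report presented against a fresh nonce is rejected as a replay.
    old_report = issue_report(WORKLOAD_CODE, "eu-west-1", secrets.token_hex(16))
    results["replayed"] = release_key(old_report, secrets.token_hex(16), POLICY)

    return results


if __name__ == "__main__":
    for name, (released, reason, _) in run_scenarios().items():
        print(f"{name:15} released={released} ({reason})")
```

The ordering of checks matters: signature first, so nothing in an unverified body is trusted; nonce next, so a captured report cannot be reused; then measurement and region, which together encode the policy of "this code, in these geographies". A region claim that the platform does not sign into the report would have to come from an independently attested source rather than from the workload's own say-so.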

Risk and compliance teams can use Confidential Computing to create new policies and procedures to govern issues such as cross border data transfer. They can take advantage of the deterministic and more absolute means of protecting data to ensure better governance.

Until recently, the downside of using these Confidential Computing capabilities was the need to modify application code and IT processes to take advantage of the protections. Such disruption was time-consuming, complicated and expensive, making adoption rather impractical. Now, intermediary software can make the use of Confidential Computing transparent to code and processes, without requiring changes to either.

In addition, some technologies enable the same encryption for lock-down during execution to be extended to data in motion or data at rest, closing any potential gap in encryption coverage and protecting private keys. Confidential Computing and its new companion technologies can be combined with new ways of working to augment existing data governance and compliance mechanisms to close gaps, and technologically uphold important requirements. Cross border data transfer can be more stringently managed to lower risk and increase compliance. Organizations can gain new ground in the increasingly difficult challenge of securing and governing data.