<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sanket Maheshwari</title>
    <description>The latest articles on DEV Community by Sanket Maheshwari (@smaheshwari).</description>
    <link>https://dev.to/smaheshwari</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1124176%2F771a8fac-b495-4077-90c7-1eded96218f1.jpeg</url>
      <title>DEV Community: Sanket Maheshwari</title>
      <link>https://dev.to/smaheshwari</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/smaheshwari"/>
    <language>en</language>
    <item>
      <title>The Top 10 Data Privacy and Protection Priorities for Organizations in 2023</title>
      <dc:creator>Sanket Maheshwari</dc:creator>
      <pubDate>Fri, 11 Aug 2023 17:25:48 +0000</pubDate>
      <link>https://dev.to/smaheshwari/the-top-10-data-privacy-and-protection-priorities-for-organizations-in-2023-3eji</link>
      <guid>https://dev.to/smaheshwari/the-top-10-data-privacy-and-protection-priorities-for-organizations-in-2023-3eji</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jfzmcvLM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/op4b5s0wzxn58ai3k4cc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jfzmcvLM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/op4b5s0wzxn58ai3k4cc.png" alt="Image description" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Content Syndicated from: &lt;a href="https://www.commvault.com/blogs/top-10-data-privacy-and-protection-priorities"&gt;The Top 10 Data Privacy and Protection Priorities for Organizations in 2023&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;World Privacy Day, observed annually on January 28th, serves as a reminder of the importance of protecting personal data in today’s digital age. As technology advances and more personal information is shared online, individuals and organizations must take steps to safeguard their data.&lt;/p&gt;

&lt;p&gt;New regulations, such as DORA (Digital Operational Resilience Act), mandate that organizations create plans for risk management, incident reporting, and resilience testing. These regulations outline policies for data management, including encryption, data locality, and data lifecycles. &lt;a href="https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w"&gt;Gartner projects&lt;/a&gt;, “by 2023, 65% of the world’s population will have its personal data covered under various privacy regulations, and companies need flexible solutions that can adapt to the multitude of legislation.” Navigating this complex environment can be challenging for both individuals and companies.&lt;/p&gt;

&lt;p&gt;Data Privacy means protecting personal information and giving individuals control over how their data is collected, used, and stored. Data protection, on the other hand, refers to the technical and organizational measures put in place to protect data (including personal data) from unauthorized access, use, alteration, or destruction. Data protection encompasses Data Privacy as well as backup &amp;amp; recovery, disaster recovery, data security, and a host of other areas.&lt;/p&gt;

&lt;p&gt;To help address that complexity, let’s spend some time reviewing the Top 10 topics to consider when managing Data Privacy and Data Protection.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Data Protection Strategy&lt;/li&gt;
&lt;li&gt;Encryption&lt;/li&gt;
&lt;li&gt;Multi-Person Authentication&lt;/li&gt;
&lt;li&gt;Immutable Storage&lt;/li&gt;
&lt;li&gt;Data Sovereignty&lt;/li&gt;
&lt;li&gt;Data Governance &amp;amp; Discovery&lt;/li&gt;
&lt;li&gt;Classification of data&lt;/li&gt;
&lt;li&gt;Data Retention&lt;/li&gt;
&lt;li&gt;Resilience plan testing &amp;amp; incident response&lt;/li&gt;
&lt;li&gt;Risk Assessment&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;1. Data Protection Strategy&lt;/h2&gt;

&lt;p&gt;Organizations should start by creating or updating a Data Privacy, Backup &amp;amp; Recovery, and Disaster Recovery plan as part of an overall data protection strategy. There are many facets to a reliable data protection plan and how it specifically relates to protecting the private data your customers have shared with your organization.&lt;/p&gt;

&lt;h2&gt;2. Encryption&lt;/h2&gt;

&lt;p&gt;Encryption is a crucial part of data protection and of protecting private data. Encrypting data at rest and in transit helps prevent unauthorized access to personal information. This is especially important for organizations that handle large amounts of private data, such as healthcare providers and financial institutions. Data no longer resides just in our corporate data centers, as most organizations have one or multiple public clouds with workloads and data stored in them. Keeping data encrypted for its entire life helps mitigate the risk from potential attackers.&lt;/p&gt;

&lt;h2&gt;3. Multi-person authentication&lt;/h2&gt;

&lt;p&gt;Beyond protecting data with encryption, organizations must safeguard their systems from malicious attacks. Leveraging multi-person authentication (MPA) for your data protection systems ensures critical tasks require multiple approvals from pre-approved users. Often overlooked, this is one of the simplest ways to prevent tasks like data exfiltration or deletion.&lt;/p&gt;

&lt;h2&gt;4. Immutable Storage&lt;/h2&gt;

&lt;p&gt;Immutable storage allows data, private or otherwise, to be written and then not further modified or deleted. Data that cannot be tampered with or altered ensures data integrity is maintained. Immutable storage requirements are quickly becoming a standard part of data governance regulations like GDPR, HIPAA, and others. When paired with MPA, you can create highly secure data storage tiers that are a perfect fit for storing confidential and private data.&lt;/p&gt;

&lt;h2&gt;5. Data Sovereignty&lt;/h2&gt;

&lt;p&gt;Organizations should consider regulations surrounding private data storage when developing a data protection strategy. This includes the location of data storage and compliance with regulations regarding data sovereignty. For example, a cloud-based workload on GCP in Europe or containing EU citizens’ data must comply with EU regulations. Anywhere that private data may reside, even if temporary, may be required to be in a specific region under regulatory requirements. Commvault helps to address this concern in its latest release, allowing customers to select which specific region they will leverage for snapshot &amp;amp; data protection storage vs. multiple regions that cost more and may have different regulatory requirements.&lt;/p&gt;

&lt;h2&gt;6. Data Governance &amp;amp; Discovery&lt;/h2&gt;

&lt;p&gt;In a recent survey, &lt;a href="https://www.helpnetsecurity.com/2022/11/30/cisos-cloud-transformation/"&gt;57% of CISOs&lt;/a&gt; admit they don’t know where some or all of their data is or how it is protected! As the amount of private data continues to grow and the sheer number of regulations expands exponentially, it is easy to be confused about what data to protect and how to protect it. As a result, organizations need to understand their data, where it is, and what is at risk. Being able to prioritize data based on your organization’s policies, priorities, and applicable regulations is critical to protecting the data. You cannot protect what you don’t know about!&lt;/p&gt;

&lt;h2&gt;7. Classification of data&lt;/h2&gt;

&lt;p&gt;Knowing what data exists and where it resides is only part of the solution. Organizations must consider what data is private customer data, business-critical, etc., in terms of its importance to the business and its customers. Protecting only on-prem data may miss some critical customer data living in your SaaS-based CRM solution. Speaking of which, you must rely on something other than your SaaS vendor or even your IaaS cloud providers to provide data protection for your data. They may provide some SLAs and a level of redundancy, but that is not a replacement for a solid data protection plan. Managing data classification is not a point-in-time operation, with data growing exponentially each year.&lt;/p&gt;

&lt;h2&gt;8. Retention&lt;/h2&gt;

&lt;p&gt;It is paramount to know what data exists and how important it is, but how long does it stay relevant? This is a hard question to answer for most organizations and one that can be seen every year when buying ever-increasing storage systems to house corporate data. The ability to assign an expected lifespan to data can significantly impact your organization’s bottom line AND protect your customers’ private data. Having systems in place to automatically find, classify, and set retention will reduce the likelihood of data sprawl, reduce the amount of time to recover unused data, and reduce costs. If you are looking for a great place to start efficiently managing your governance, risk, and compliance, read through Commvault’s unique approach to &lt;a href="https://www.commvault.com/governance-risk-and-compliance"&gt;Unified Data Management&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;9. Resilience plan testing &amp;amp; incident response&lt;/h2&gt;

&lt;p&gt;Resilience plan testing, often referred to as a runbook, is an often-overlooked area of a data protection strategy. Creating or updating an outdated plan can take time and effort. Partnering with solution providers or strategic data protection companies with experience in creating a plan can significantly reduce the time it takes to get current. While it may be tempting to think runbooks are passé, I’ve found that when an actual DR event or ransomware attack hits, they are the GO-TO asset you want in your arsenal of tools. A regular cadence of updates creates an organizational posture that is ready to face data security threats head-on.&lt;/p&gt;

&lt;h2&gt;10. Risk Assessment&lt;/h2&gt;

&lt;p&gt;As mentioned with runbooks, consider working with strategic vendors to perform a risk assessment semi-annually or annually. Scheduled reviews can help build the muscle memory for a solid data protection and data privacy mindset. The benefit of working with well-established data protection &amp;amp; data privacy vendors is that they are up to date on the latest security threats and mitigation strategies.&lt;/p&gt;

&lt;p&gt;By implementing this list of considerations and routinely refreshing your resilience plan, you can be confident that personal information is secure and compliant with the latest privacy regulations.&lt;/p&gt;

&lt;p&gt;If you aren’t sure where to start but need help from a company that can answer all these questions, Commvault is here to help! We continually add new capabilities, including our latest enhancements to regional data sovereignty for backup snapshots, industry certifications, immutable storage capabilities, and more.&lt;/p&gt;

&lt;p&gt;Head over to our community to &lt;a href="https://community.commvault.com/commvault-platform-release-updates-47/commvault-platform-release-2023-is-now-available-in-tech-preview-4681"&gt;learn more&lt;/a&gt; or take a test drive today &lt;a href="https://www.commvault.com/request-demo"&gt;https://www.commvault.com/request-demo&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>privacy</category>
      <category>database</category>
    </item>
    <item>
      <title>5 Essential Data Privacy Regulations for Businesses to Know in 2023</title>
      <dc:creator>Sanket Maheshwari</dc:creator>
      <pubDate>Fri, 04 Aug 2023 15:58:30 +0000</pubDate>
      <link>https://dev.to/smaheshwari/5-essential-data-privacy-regulations-for-businesses-to-know-in-2023-20pb</link>
      <guid>https://dev.to/smaheshwari/5-essential-data-privacy-regulations-for-businesses-to-know-in-2023-20pb</guid>
      <description>&lt;p&gt;Just as everyone started to get more or less cozy with the regulatory landscape in data privacy/protection and individuals and businesses learned to navigate the shallow waters of data subject requests, risk management, and impact assessments – BOOM 💥 – another tidal wave of regulatory requirements and new challenges rushed in!&lt;/p&gt;

&lt;p&gt;2023 is the perfect moment to start internalizing new acronyms (get ready for &lt;strong&gt;#NIS2, #DORA, #DPDPB, #CPRA, #CCPA, #CPA, #CDPA, #UCPA, #VCDPA, #ADPPA, #PrivacyPenaltyBill&lt;/strong&gt;) and legislative acts they stand for.&lt;/p&gt;

&lt;p&gt;The underlying motive of the upcoming changes is to boost and enhance the cybersecurity postures of various organizations and manage evolving cyber risks more effectively.&lt;/p&gt;

&lt;p&gt;Here is a helicopter view of selected legal developments around the world:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;EU – Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2)&lt;/li&gt;
&lt;li&gt;EU – Regulation on digital operational resilience for the financial sector (DORA)&lt;/li&gt;
&lt;li&gt;US – State &amp;amp; Federal privacy laws&lt;/li&gt;
&lt;li&gt;India – Digital Personal Data Protection Bill (DPDPB)&lt;/li&gt;
&lt;li&gt;Australia – Privacy Penalty Bill &amp;amp; overhaul of the Privacy Act 1988&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;NIS2&lt;/h2&gt;

&lt;p&gt;According to ENISA, organisations in the EU spend 41% less on cybersecurity than their US counterparts. With the arrival of NIS2, this ratio is expected to shift and close this enormous gap at least partially. Conservative estimates are that NIS2’s entry into force will translate into a ~22% increase in ICT spending over a 3–4-year period.&lt;/p&gt;

&lt;p&gt;NIS2 was published just before year-end, and EU Member States now have 21 months to transpose requirements and mechanisms described into national laws. The 2016 NIS Directive – despite shortcomings – served as a cornerstone for increasing Member States’ cybersecurity capabilities. Now, NIS2 will expand the scope and the list of impacted organizations. It is expected that as many as 160 000 organizations will be subject to this new legislation, including digital services providers (platforms and data centre services), electronic communications networks and services providers, manufacturing, food, and the public sector.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“Like the SEC’s incoming Cybersecurity Disclosure requirements and Caremark decisions from the last few years, the NIS2 Directive emphasizes senior management’s role in providing oversight of a company’s cybersecurity program. The NIS2 Directive ups the ante of its predecessor, the NIS1 Directive, by holding senior management directly responsible for implementing the Directive’s requirements, where failure to do so can hold personal liability for the parties involved. While the pressure may seem to shift from the CISO to senior management more broadly, it continues to be critical for CISOs, like Commvault’s very own Javier Dominguez, to have a seat at the table with Directors and Officers. CISOs must be empowered to create and successfully execute robust cybersecurity risk management strategies through proper resourcing and support.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;em&gt;Leah Flynne&lt;br&gt;
Director Compliance @ Commvault&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4AqjlurY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n2y3pfz0a5hwjk7sxjjv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4AqjlurY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n2y3pfz0a5hwjk7sxjjv.png" alt="Image description" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;NIS2 aims to strengthen cybersecurity postures by, among other things, improving cybersecurity governance, addressing the security of supply chains, streamlining reporting obligations (early warnings/shortened notification periods), and introducing more stringent supervisory measures and stricter enforcement requirements.&lt;/p&gt;

&lt;p&gt;What can you do right now?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;First, try to understand which obligations will apply to your organization and which compliance bucket your organization will fall into: “Essential Entity,” “Important Entity,” or maybe “other.”&lt;/li&gt;
&lt;li&gt;Next, see if you can create synergies and leverage existing technical and organizational measures implemented during preceding compliance efforts (e.g., GDPR, NIS1, etc.).&lt;/li&gt;
&lt;li&gt;Start looking for the right partners that can adequately support your compliance efforts. Engage your vendors in discussing the approach that best fits your organization.&lt;/li&gt;
&lt;li&gt;Last but not least, initiate planning for increased spending to address any remaining gaps. Non-compliance could result in administrative fines of up to 10 million euros or up to 2% of the total annual worldwide turnover of the organization.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;“Commvault team is closely monitoring the progress of the implementation of the requirements. With today’s guidance, the Commvault team is actively reviewing the contents of NIS2 and assessing how we are best aligned with them by preparing appropriate responses, both internal and external, through maturing the existing NIST governance framework (internationally recognized) set of controls and applying it to our Data Governance and Cybersecurity positions currently.”&lt;br&gt;
&lt;em&gt;Anthony Calabretta&lt;br&gt;
Manager IT Compliance @ Commvault&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;DORA&lt;/h2&gt;

&lt;p&gt;DORA aims to achieve “a high common level of digital operational resilience,” mitigating cyber threats and ensuring resilient operations across the EU financial sector. It will become directly applicable from Jan 17th, 2025. It will impact the financial sector (banks, insurance companies, investment firms) and its ICT providers (i.e., cloud platforms) – roughly around 22 000 organizations.&lt;/p&gt;

&lt;p&gt;New requirements imposed by DORA will effectively boil down to reviewing and updating risk management practices. Financial sector customers will need to transfer as many regulatory risks as possible to ICT providers or apply different risk-mitigating strategies. In any case, ICT providers will need to be able to assure adherence to DORA’s requirements. The whole industry will also need to reassess contractual relations with vendors. DORA will incorporate requirements for contracts between financial companies and their critical ICT providers, including the location where data is processed, service level agreement descriptions, reporting requirements, rights of access, and circumstances that would lead to terminating the contract.&lt;/p&gt;

&lt;p&gt;In a separate post – Commvault’s Product Team will perform a more technical deep-dive into DORA’s requirements related to detection (art. 10), response and recovery (art. 11), and backup (art. 12).&lt;/p&gt;

&lt;h2&gt;US data privacy laws – CPRA/CCPA, CPA, CDPA, UCPA, VCDPA, ADPPA&lt;/h2&gt;

&lt;p&gt;As of January 1st, 2023, the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act 2018 are in effect. Many temporary exemptions expire, imposing additional obligations on companies dealing with California residents’ personal information, e.g., regarding employment-related personal data and opting out of the sale of personal information.&lt;/p&gt;

&lt;p&gt;2023 is also the year when the Colorado Privacy Act (CPA), The Connecticut Data Privacy Act (CDPA), The Utah Consumer Privacy Act (UCPA), and The Virginia Consumer Data Privacy Act (VCDPA) will become effective. Legislative fragmentation risk is imminent and substantial, and this is the kind of risk that caused the European Union to harmonize the regulatory approach. Let us see whether the same will be true in 2023 in the case of the American Data Privacy and Protection Act (‘ADPPA’) – a proposal for a federal and general data privacy law.&lt;/p&gt;

&lt;h2&gt;India – DPDPB&lt;/h2&gt;

&lt;p&gt;Indian legislators plan to introduce a very ambitious Digital Personal Data Protection Bill (DPDPB) this year. When enacted, the long-awaited legislation will undoubtedly impact all kinds of organizations due to India’s role as a tech powerhouse and a global outsourcing hub.&lt;/p&gt;

&lt;h2&gt;Australia – Privacy Penalty Bill &amp;amp; overhaul of the Privacy Act&lt;/h2&gt;

&lt;p&gt;Australian authorities announced yet another complete overhaul of the Privacy Act dated 1988. The current legislation was summarized as “out of date and not fit for purpose in the digital age.”&lt;/p&gt;

&lt;p&gt;In the meantime, still in 2022, Australia passed the Privacy Penalty Bill that increased privacy-related sanctions to levels comparable with trends introduced by GDPR (up to 50m AUD) and expanded regulatory powers of the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA).&lt;/p&gt;

&lt;h2&gt;Summary&lt;/h2&gt;

&lt;p&gt;The relentless compliance clock just started ticking again. Cross-functional teams consisting of IT, compliance, privacy, legal professionals, and business analysts will spend considerable amounts of time analysing the impact of the cloudburst of legislative developments that emerged at the end of last year and will materialize throughout 2023.&lt;/p&gt;

&lt;p&gt;Be aware that the legislative developments presented here could be more comprehensive. You can be sure, however, that they will become standard talking points not only in 2023 but also for the years to come.&lt;/p&gt;

&lt;p&gt;Content Syndicated from: &lt;a href="https://www.commvault.com/blogs/5-essential-data-privacy-regulations"&gt;5 Essential Data Privacy Regulations for Businesses to Know in 2023&lt;/a&gt;&lt;/p&gt;

</description>
      <category>data</category>
      <category>privacy</category>
      <category>security</category>
    </item>
    <item>
      <title>Simplifying Cloud Database Protection for Hybrid and Multi-Cloud</title>
      <dc:creator>Sanket Maheshwari</dc:creator>
      <pubDate>Fri, 28 Jul 2023 17:10:11 +0000</pubDate>
      <link>https://dev.to/smaheshwari/simplifying-cloud-database-protection-for-hybrid-and-multi-cloud-1fb7</link>
      <guid>https://dev.to/smaheshwari/simplifying-cloud-database-protection-for-hybrid-and-multi-cloud-1fb7</guid>
      <description>&lt;p&gt;The rise of cloud computing has revolutionized the way organizations manage their data and has quickly become the preferred method for storing and accessing critical information. Pre-pandemic – cloud adoption for databases was growing at an exponential rate, with more and more organizations making the switch to single cloud vendors. Post-pandemic – Cloud database adoption continues to grow but as customers become more cloud-savvy most enterprises are embracing a multi-cloud and/or hybrid cloud approach to get the best of both/multiple worlds for their database workloads.&lt;/p&gt;

&lt;p&gt;According to a Flexera report, 89% of all enterprises use multi-cloud while 80% of enterprises have a hybrid cloud strategy with single or multiple clouds.&lt;/p&gt;

&lt;p&gt;A hybrid or multi-cloud database strategy comes with its own challenges –&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Complexity – Keeping track of multiple tools for multiple clouds and multiple database types.&lt;/li&gt;
&lt;li&gt;Cost – Redundant costs increase as teams across an organization employ their own tools, sometimes doubling up on capabilities and infrastructure.&lt;/li&gt;
&lt;li&gt;Security – Security teams must defend against new threats while managing cloud database services and tools that are different from one cloud provider to the next. Security becomes more challenging with an ever-growing attack surface.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Here is how Commvault helps mitigate these challenges for cloud database protection&lt;/strong&gt; –&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Management made simple&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TvXP53UW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tpdsldw74q65zp9x83ey.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TvXP53UW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tpdsldw74q65zp9x83ey.png" alt="Image description" width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Single UI and API-first support that gives simplified &amp;amp; unified control with cloud-native integration to automatically discover, protect and manage database copy lifecycle. Ability to define RPO policies that are uniform across hybrid cloud &amp;amp; multi-cloud with a blend of snap and backup. Ability to protect instances, complete regions, or multiple regions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Broad workload, cloud, and multi-cloud portability support&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;Commvault has the largest cloud, database workload, and multi-cloud portability support as compared to any backup vendor in the market today thus meeting the customer’s data protection needs no matter where they are in their multi-cloud journey.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cost Savings&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Most backup vendors use snap as a backup strategy for their cloud databases. They provide snap orchestration which, while easing management overhead, does not reduce the snap storage costs. Commvault, on the other hand, provides customers with a unique way to blend snap and export-based backups, which leads to a significant reduction in cloud database protection costs as compared to other solutions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Secure access to the Commvault environment with RBAC-based control and multi-factor authentication. Ensure that backups are tamper-proof with encryption and air-gapped immutability.&lt;/p&gt;

&lt;p&gt;In conclusion, Commvault helps to manage databases on-premises and across multiple clouds using a single platform. We continue to innovate and bring new products and solutions to the ever-changing database ecosystem to provide simple, comprehensive, secure and cost-effective data protection and recovery capabilities where customers need them the most.&lt;/p&gt;

&lt;p&gt;To learn more:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;a href="https://www.commvault.com/backup-solutions/application-backup"&gt;https://www.commvault.com/backup-solutions/application-backup&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.commvault.com/supported-technologies#databases"&gt;https://www.commvault.com/supported-technologies#databases&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;References&lt;/p&gt;

&lt;p&gt;1- Source: &lt;a href="https://www.flexera.com/blog/cloud/cloud-computing-trends-2022-state-of-the-cloud-report/"&gt;https://www.flexera.com/blog/cloud/cloud-computing-trends-2022-state-of-the-cloud-report/&lt;/a&gt;&lt;br&gt;
2 - Content Syndication: &lt;a href="https://www.commvault.com/blogs/simplifying-cloud-database-protection"&gt;https://www.commvault.com/blogs/simplifying-cloud-database-protection&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>cloudcomputing</category>
      <category>database</category>
      <category>security</category>
    </item>
    <item>
      <title>Data Security through Zero Trust and a Ransomware Strategy</title>
      <dc:creator>Sanket Maheshwari</dc:creator>
      <pubDate>Fri, 21 Jul 2023 14:31:29 +0000</pubDate>
      <link>https://dev.to/smaheshwari/data-security-through-zero-trust-and-a-ransomware-strategy-159h</link>
      <guid>https://dev.to/smaheshwari/data-security-through-zero-trust-and-a-ransomware-strategy-159h</guid>
      <description>&lt;p&gt;Zero trust architecture is central to an organization’s security posture to mitigate cyberattacks, and the Defense Department recently released its Zero Trust Strategy and Roadmap on its plan to get the DOD to a Zero Trust architecture by 2027.&lt;/p&gt;

&lt;p&gt;A zero-trust architecture provides the foundations for micro-segmentation of the IT landscape, access limited with the Least Privilege principle, and all communication to and between the micro-segments being authenticated, audited, and verified. The underlying philosophy for zero trust is never assume trust, but continuously validate trust, so bad actors don’t get in. Companies, organizations and government agencies need to make sure that even users inside a network can’t do serious damage.&lt;/p&gt;

&lt;p&gt;Content Syndicated from &lt;a href="https://www.commvault.com/blogs/data-security-through-zero-trust"&gt;Data Security through Zero Trust and a Ransomware Strategy&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Flag Unusual Behavior&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Zero trust principles ensure user access is continuously validated and monitored for Authentication and Authorization while constantly Auditing. Commvault leverages security controls such as multi-factor authentication for everyday administrative tasks, privacy locks, and data encryption. User access can be compartmentalized, explicitly denying CommCell level access, while applying roles to micro-segmented groups of resources through multi-tenant configurations. Zero trust controls help limit internal lateral movement to prevent data loss and unauthorized access to data.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sblDgWWm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uml1m06e4ffp6idv3fri.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sblDgWWm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uml1m06e4ffp6idv3fri.png" alt="Image description" width="800" height="139"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Apply Zero Trust Controls&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--H1PKFUIe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/juwy6ala0ahng8oames3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--H1PKFUIe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/juwy6ala0ahng8oames3.png" alt="Image description" width="388" height="294"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Commvault makes it simple to apply zero trust AAA controls by using the Security Health Assessment Dashboard. The dashboard provides a single pane of glass for identifying controls, highlighting potential risks within the backup environment, and recommending interactive actions to apply controls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Add Layers of Security&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To help strengthen the resilience of your data infrastructure, the NIST Cybersecurity Framework focuses on five primary pillars for a successful and holistic cybersecurity program. Attention to these pillars can help your organization in developing a comprehensive risk management strategy. Commvault has built these security pillars into our data protection software and policies without the incremental management overhead. The Commvault data protection and management platform include five security layers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identify&lt;/li&gt;
&lt;li&gt;Protect&lt;/li&gt;
&lt;li&gt;Monitor&lt;/li&gt;
&lt;li&gt;Respond&lt;/li&gt;
&lt;li&gt;Recover&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Our multi-layered security consists of feature sets, guidelines, and best practices to manage cybersecurity risk and ensure data is readily available. We help protect and isolate your data, provide proactive monitoring and alerts, and enable fast restores. Advanced technologies powered by artificial intelligence and machine learning, including honeypots, make it possible to detect and provide alerts on potential attacks as they happen so you can respond quickly. By keeping your backups out of danger and making it possible to restore them within your Service Level Agreements, you can minimize the impact of a ransomware attack and get back to business right away (and avoid paying expensive ransoms).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Immutability&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Protecting and isolating your backup copies is critical for data integrity and security. Therefore, we have taken an agnostic approach to immutability. With Commvault, you do not need special hardware or cloud storage accounts to lock backup data against ransomware threats. If you happen to have Write Once, Read Many (WORM)-, object lock- or snapshot-supported hardware (which Commvault fully supports), you can still use Commvault’s built-in locking capabilities to complement and layer on top of existing security controls. Commvault’s ability to support layered defenses for securing data sets against ransomware ensures that your organization benefits from a sound cyber recovery-ready architecture. Here are some elements to include in your immutability architecture:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Access locks to isolate copy store against ransomware&lt;/li&gt;
&lt;li&gt;Immutability with lifecycle locks to reduce risks, balanced with consumption impact&lt;/li&gt;
&lt;li&gt;Air-gap isolation network and controls&lt;/li&gt;
&lt;li&gt;Configuration governance to protect against intentional or accidental changes&lt;/li&gt;
&lt;li&gt;Concurrent Recovery performance – reduce latency with due importance to speed and cost impact&lt;/li&gt;
&lt;li&gt;Automatic patching to stay current, simplifying management and maintenance of data protection infrastructure&lt;/li&gt;
&lt;li&gt;Alignment with the 3-2-1 data protection philosophy (3 copies of data, 2 different media, 1 vaulted copy)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Learn more about Commvault’s immutable infrastructure architecture &lt;a href="https://cloud.kapostcontent.net/pub/6ca15136-2ef2-480d-a0b3-40880bd364f8/commvaults-immutable-infrastructure-architecture?kui=53TOsG8j3h3pz4vQ-ZDi4w&amp;amp;_gl=1*kbqoal*_gcl_au*MzI5NjQxMjEzLjE2ODkxNzg5MTk."&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cyber Deception Technology&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NCgYAlTB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mu5u1lti59830fue920o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NCgYAlTB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mu5u1lti59830fue920o.png" alt="Image description" width="450" height="153"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While delivering business continuity is a critical element of any multi-layered strategy, a strong security posture also includes proactive defense technology that actively surfaces and engages unknown and zero-day threats. &lt;a href="https://metallic.io/threatwise-cyber-deception"&gt;Metallic® ThreatWise&lt;/a&gt; changes the game in ransomware protection, combining sophisticated early warning and early action with comprehensive data protection. It enables businesses of every size to neutralize silent attacks before they cause harm, detecting and diverting the stealthiest of zero-day attacks, which evade conventional detection technology and circumvent security controls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A Ransomware Strategy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WpP2j9gR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lcy4pdhmwslr3sbwezqi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WpP2j9gR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lcy4pdhmwslr3sbwezqi.png" alt="Image description" width="454" height="234"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You need a plan to remain steadfast against ransomware. Beyond simply adhering to zero trust principles and hoping for the best, the ultimate solution can manage and substantially reduce the impact of a ransomware attack. It can reduce costs for your organization by utilizing one centralized management platform, so security teams don’t have multiple product points to log in and out of. It can increase the visibility of your data through a single landscape to minimize complexity for your teams. And finally, it can protect what matters most by providing the broadest workload coverage and rapid recovery capabilities through a unified approach. For all of this to happen, a solution must embrace a Zero Loss Strategy. Learn more &lt;a href="https://www.commvault.com/resources/a-new-approach-to-ransomware-protection"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Become Less Vulnerable&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The reality is that your organization needs to be prepared: take proactive steps to protect your data, and work with a provider who offers ransomware protection and recovery solutions. How prepared are you? Take our &lt;a href="https://www.commvault.com/ransomware/risk-assessment"&gt;free risk assessment&lt;/a&gt; to find out.&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>community</category>
      <category>security</category>
    </item>
  </channel>
</rss>
