With a data leak, confidential or otherwise sensitive data is “leaked” outside the “walls” of your organization and disclosed to the outside world. Many businesses handle confidential data by their very nature. Think of Electronic Medical Records (EMR) processed by hospitals and other healthcare organizations, or financial data held by banks and other financial institutions. There are many sources of confidential and other sensitive data that you would never want to leak outside the realm of sanctioned use.

While you may have restrictions in place on who has access to sensitive types of data that exist inside cloud environments, what about the applications that have access to this data? Think of a scenario with a seemingly legitimate widget application that is downloaded for use on an Android device. The end user who installs the Android widget application also has high-level access to sensitive and confidential data stored in your organization’s cloud SaaS environment.

Even though the application requests extremely high-level device permissions such as the following, the user simply grants every permission the new widget app asks for:

Read your text messages (SMS or MMS)
Full Network Access
Read phone status and identity
Modify or delete the contents of your device storage

The widget application now has a high level of access to both the network and the storage of the device. The seemingly legitimate third-party app is actually malicious in nature and starts reading and copying data synchronized with your cloud SaaS environment to a dark web repository defined by the attacker. What can this cost your business?
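The risk in the scenario above comes from the combination of permissions, not any single one: something sensitive to read plus a network path to send it out. The following added example (not code from the original article) parses a constructed AndroidManifest.xml, maps the requested permissions to the user-facing labels shown above, and flags an app only when both halves of that exfiltration chain are present; the manifest and the permission-to-label mapping are assumptions for illustration.

```python
"""Flag Android apps whose requested permissions combine access to sensitive
data with a network path. Constructed example; the manifest below is made up."""
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that grant read access to data worth protecting (assumed mapping
# from permission constant to the label a user sees at install time)
DATA_ACCESS = {
    "android.permission.READ_SMS": "Read your text messages (SMS or MMS)",
    "android.permission.RECEIVE_SMS": "Receive text messages (SMS)",
    "android.permission.READ_PHONE_STATE": "Read phone status and identity",
    "android.permission.READ_EXTERNAL_STORAGE": "Read the contents of your device storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify or delete the contents of your device storage",
    "android.permission.READ_CONTACTS": "Read your contacts",
}
# Permissions that give the app a way to move data off the device
EXFIL_PATH = {"android.permission.INTERNET": "Full network access"}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return permission names declared via <uses-permission> in a manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def assess(manifest_xml: str) -> dict:
    """Classify an app by its declared permissions."""
    perms = requested_permissions(manifest_xml)
    data = [DATA_ACCESS[p] for p in perms if p in DATA_ACCESS]
    network = [EXFIL_PATH[p] for p in perms if p in EXFIL_PATH]
    # Risky only when both a sensitive data source AND an outbound channel exist;
    # a game that only needs the network, or a notes app that only reads storage,
    # should not trip the check on its own.
    return {"data_access": data, "network": network,
            "exfil_capable": bool(data) and bool(network)}


# Constructed manifest mirroring the widget-app scenario in the text
WIDGET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.widget">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(WIDGET_MANIFEST))
```

The same check can be run against the permission list a CASB or MDM exports for each app, which is where it belongs in practice: at the point where an app is granted access to data, rather than on the user's install screen.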

The cost of a data breach can be significant, as outlined in IBM’s “The Cost of a Data Breach Report 2019”. According to the yearly report by IBM’s research team, in 2019 the cost of a data breach included the following eye-opening statistics:

Average total cost of a data breach – $3.92 million
Most expensive country – United States, $8.19 million
Most expensive industry – Healthcare, $6.45 million
Average size of a data breach – 25,575 records

Keep in mind these are averages; a breach may cost your business even more depending on the maturity and effectiveness of the cybersecurity response you have in place. They underscore the tremendous responsibility your organization carries when it comes to limiting the exposure of your data to third-party applications.

Compliance and regulatory violations
There is another aspect for businesses to consider today when it comes to keeping data safe and out of the wrong hands: compliance and regulation. Compliance and regulatory frameworks are designed to protect customer and other sensitive data. They provide a framework of standards that, when followed, help ensure the proper security controls and other fail-safes are in place to protect important types of data.

Compliance and regulatory frameworks are a good thing for both your business and your customers’ information. They serve to protect both from the negative consequences of a data breach. However, today’s frameworks can also levy huge fines if your organization is found to be in violation, or grossly negligent, to the point where customer data is compromised.

A great example of this is the General Data Protection Regulation (GDPR), which went into effect in May 2018. GDPR is not merely a recommendation; it is mandatory for anyone who “touches” the data of any European citizen. The fines and consequences for organizations found in violation of GDPR can be tremendous.

As noted here, fines can include:

“For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.”

Under GDPR, it is extremely important that organizations take their responsibility to provide data security seriously. The central principle of the GDPR data protection framework is data protection by design and by default. A portion of the GDPR checklist highlights this, as organizations are expected to ensure the following:

Take data protection into account at all times, from the moment you begin developing a product to each time you process data
Encrypt, pseudonymize, or anonymize personal data wherever possible
Create an internal security policy for your team members, and build awareness about data protection
Know when to conduct a data protection impact assessment, and have a process in place to carry it out
Have a process in place to notify the authorities and your data subjects in the event of a data breach

The walkthrough in the data leak example demonstrates how easy it is for a malicious third-party application, once granted permissions by an end user, to access sensitive data. It also demonstrates how easily an organization could find itself in violation of compliance regulations like GDPR when customer data is exposed without safeguards in place.

Accounting for the threats and risks of malicious or “leaky” third-party applications and browser plugins must be part of the design when you house business-critical data in cloud SaaS environments.

ELIMINATE THIRD-PARTY APP RISKS
To effectively eliminate the risks that third-party apps pose to your business-critical and sensitive data, you need both visibility and control. First, you need visibility into any potential risks in your organization. Cloud SaaS data security can be challenging for organizations that are accustomed to on-premises environments and lack the tooling needed to monitor data access properly in the cloud.

Controlling access to data can also be challenging without the right toolsets since data can be accessed from many different kinds of devices and networks. How can your organization effectively monitor and manage data access and protect the environment from risky third-party applications accessing your cloud data?

The sheer complexity of today’s environments, spanning both on-premises and public cloud locations, together with the number of attack vectors, requires an automated approach to detect and remediate threats effectively.

An ideal SaaS data protection platform should include an automated sentinel that guards your cloud SaaS environment 24x7x365. You can also use an API-based Cloud Access Security Broker (CASB) that integrates with your SaaS provider to deliver Google Apps security or protect your Office 365 environment. It provides the tools you need for both visibility into and control over third-party applications in your environment.

Protection against risky third-party apps as well as other cybersecurity threats to your business is critical.

Be sure to choose the best protection platform for your cloud environment.