Encrypted Data Backups
One compliance effort that makes a difficult situation even more difficult is the requirement for encrypted backups. Hildesheim knows of companies required to maintain such backups of data.
"This sounds like a reasonable precaution if you are storing your [backup] tapes in a public store," Hildesheim says. "But consider that management and likelihood that seven years from today the encryption is able to be decrypted. Never mind that the password or key would have to be stored somewhere securely and cataloged. The encryption algorithm or software would have to still be in a form that could decrypt the data."
This is even more confounded when regulators require that backup media be encrypted, even if it is stored in a controlled storage vault to which only your company has access, Hildesheim says. "One of the answers that many of the regulators are wanting to see in place is encrypted electronic backups," he says. "This again sounds good, until you realize that most have a local store and offsite store which is in a shared environment, or cloud."
Multiple International Regulations
For companies that offer their services primarily through the cloud, such as learning and talent management solutions provider Saba, the need to comply with a host of federal and industry regulations can create complexities that potentially hinder security.
Saba complies with standards such as ISO 27001; privacy requirements such as Safe Harbor, the EU Directive and other geographic privacy requirements; Life Science Validation Environments; FISMA; etc., says Randy Barr, chief security and information officer.
Some of these regulations are stricter than others and create challenges that are important to address in order to provide adequate security, Barr says.
For example, some require employees to work in the U.S., or have U.S. citizenship. "It's difficult to keep track of individuals who work abroad, and having to do so for some of the groups within our company can be challenging," Barr says. "If Saba wasn't prepared for such regulations, our ability to provide security across the board would be in jeopardy. It's important that all departments take the time to understand the security programs that we've communicated rather than just reviewing compliance requirements and saying it must be done."
Saba is able to meet all of its customers' security requirements, Barr says, but not without a huge amount of extra effort because of the complex compliance requirements. It's working with the Cloud Security Alliance to find more effective ways to comply with standards without draining resources. In addition, it has formed a Saba Security Council to provide a consensus-based forum to support the overall Saba Security program. "Discussions around meeting the requirements of [regulations] are discussed in these quarterly meetings," Barr says.