It’s true all over the world – large enterprise organizations want flexibility and choice in where their data is stored. This is especially true in regulated industries such as health care, finance, and government that are bound by regulation and compliance to have control over where their data resides.
For these reasons, VMRay offers two data center locations, one in the EU and the other in the US, to our customers. While located in different regions, both are ISO27001 compliant, meet GDPR and California Data Privacy Act standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector.
Why is it important to have flexibility and choice in where data is stored? First a little review. Technically there are three classifications of data based on the way it is used:
Data at rest is defined as static data stored locally on hard drives that is not often accessed or modified and can be thought of as archived.
Data in use is active data that is frequently updated and accessed by multiple users in a network.
Data in transit is active data traveling between devices, either through private networks or over public or untrusted networks. Some examples of this are emails and chat data.
For a long while, the tech industry and regulators were primarily concerned about data in transit and preventing the interception of these private exchanges by malicious actors. Previously data at rest was considered the safest type of data because it is not exposed to the dangers of internet transfers or security lapses by third parties. Studies have shown that third parties are often the worst offenders in recklessly sharing customer data, showing little regard about the potential exposure of confidential information.
But increasingly there has been a shift in concern towards data at rest, especially for B2B companies and service providers. Alarmed by the number of data breaches and compromised user data, regulators have introduced new rules, more strictly enforced old ones, and held companies responsible for being careless with customer data.
As part of this, regulators have issued strict guidelines for the protection of data at rest. For example, now all companies that do business in the European Union must conform to GDPR, created in 2018. As a security company focused on malware analysis and incident response, VMRay spent many months in advance of GDPR’s launch reviewing our internal data systems and making changes to comply with the GDPR’s many technological, administrative and legal requirements. Equally important, we worked closely with our partners supporting their compliance efforts as well.
There’s a good reason that all organizations, regardless of industry, should similarly vet their partner ecosystems for GDPR compliance. Data flows downstream and under GDPR, companies that are themselves GDPR-compliant can be held liable for data breaches that occur downstream within their network of partners, suppliers, and subcontractors. While penalties will ultimately be decided in the courts, fines for the most serious cases of non-compliance can range up to 4% of a company’s annual revenues or €20 million (roughly $21.7 million US), whichever is higher.
This is important because cybercriminals often attack large organizations indirectly by targeting trusted partners and suppliers as their security measures tend to be more relaxed. In the Ponemon Institute’s 2017 Data Risk in the Third-Party Ecosystem study, 57 percent of survey respondents said they don’t maintain an inventory of the third parties they share information with, and 82 percent don’t know if their sensitive information was shared with a fourth or even a fifth party. Under GDPR, these organizations would be held responsible for the compromise of this data.
A key component of any cybersecurity audit is confirmation that the company itself and associated partners are all ISO 27001 certified. This is important because ISO 27001 provides a framework of standards for how a modern organization should manage their information and data. This ISO certification is not only a technical inspection, however. It also looks into the processes and the people working for the company. After this thorough examination, having this certification is a sign of a secure, reliable organization that can be trusted with sensitive information.
The good news is VMRay’s GDPR compliance and ISO 27001 certification provides an additional layer of security to the substantial data protections already built into our solutions. The VMRay Platform allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. With On-Premises deployments, customers can ensure their data never leaves the network.
And for organizations choosing a cloud solution, personal data and other sensitive information can be housed in either the US or EU in accordance with local data at rest requirements. For those who choose to host at our headquarters in the EU, this data is protected in accordance with some of the strictest data privacy laws in the world.
Since our company founding in 2013, VMRay has always worked to listen and respond to our customers’ needs. And this is true whether it is providing world-class malware analysis and threat detection or providing flexibility and choice in where one’s data resides.