Cybrain - Fotolia
RSA 2016: Data compliance beyond the firewall
Vigitrust's Mathieu Gorge reports from the RSA 2016 conference, where a key discussion was storage and compliance in an age where data doesn't necessarily live in the firewall
At RSA Conference 2016 in San Francisco, the main issues for storage and compliance included data encryption and the idea that security of data where it resides is key rather than securing the infrastructure.
Disaster recovery and business continuity: Essential guide
Download this e-guide to create a solid DR and BC plan and protect your organisation from negative events.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.
In this podcast, Computer Weekly’s storage editor Antony Adshead talks with CEO of Vigitrust Mathieu Gorge. They discuss RSA 2016 and what organisations need to do to manage threats to compliance in an environment characterised by the proliferation of data across multiple platforms.
Antony Adshead: RSA 2016 recently took place. What topics related to data storage and compliance were covered?
Mathieu Gorge: RSA 2016 was a lot bigger than RSA 2015 for a start, which was a good sign with regard to the appetite the market has for anything to do with data, cloud, compliance and security.
Of course, there was a lot of talk about the challenge between the FBI and Apple to get access to encryption keys on mobile phones. That dominated discussion at some of the sessions at RSA.
Really, what that means is that data encryption is one of the key topics and where data is stored, whether on-premise or in the cloud, is also something that is very important and was discussed at a number of sessions and workshops.
The concept of looking at data and its lifecycle and how you can encapsulate data – perhaps using encryption, tokenisation or digital fingerprints – to manage the data, rather than where the data is stored, was also an area discussed at some of the keynotes.
So, I think one of the key differences between this year and last year at RSA is that there was a lot more talk about how we deal with the data and where we store the data, versus securing the infrastructure that the data might transit through – whether at rest, in use or in motion.
Adshead: What discussions at RSA address how organisations should prepare themselves to deal with new regulations affecting data storage and compliance?
Gorge: I think it’s fair to say that, at RSA 2016, there was a lot of talk about the new EU GDPR (General Data Protection Regulation) and how that affects data and where you can store data, how you store the data and how you demonstrate compliance.
One of the key topics that came back again and again at the round table discussions, and at some of the side events, was the issue of data classification, data ownership, data management and data storage. So, essentially, the whole lifecycle of the data.
The feedback from RSA from security professionals was that you need to start with a data classification policy and you need to start considering how to isolate the data from where it resides.
So, if you look at new solutions that allow you to manage your encryption keys around the data, regardless of where the data is structured – solutions such as Ionic, for instance – you’ll see that it’s a new way of looking at data storage and at the implications of where you store data.
That said, to do it the right way you need not only technology, but you most likely need help from your in-house solicitor to make sure you fully master the legal ramifications of where your data [resides]. And that’s notwithstanding any requirements for e-discovery, where you may need to get access to data.
Again, I go back to that issue of FBI vs Apple. Let’s imagine Apple actually had to hand over the keys to the FBI – could they even do that, could they manage to find the keys and would they be able to find the relevant data for the FBI?
So, that’s some of the questions you need to keep in mind. It’s kind of a data lifecycle strategy management, which will involve choosing the right storage solutions, whether in the cloud or on-premise; the right security solutions to protect data, not just in transit and at rest but also in use; and managing the people that have access to the data and how you can trace any transaction that has to do with that data.
So, it’s not necessarily new, but it’s a new way of looking at old concepts around data management.
Read more about storage and compliance
- Vigitrust’s Mathieu Gorge reports on key issues at LegalTech 2016 and discusses compliance with EU data protection regulations in the wake of Safe Harbour’s nullification.
- Mathieu Gorge surveys the key challenges of data growth, regulation and mobile and legacy data that affects legal and regulatory compliance in 2015 and 2016.
CW+
Features
Enjoy the benefits of CW+ membership, learn more and join.
We need to take a data-centric approach to security.