RSA 2016: Data compliance beyond the firewall

Vigitrust's Mathieu Gorge reports from the RSA 2016 conference, where a key discussion was storage and compliance in an age where data doesn't necessarily live behind the firewall

At RSA Conference 2016 in San Francisco, the main issues for storage and compliance included data encryption and the idea that securing data wherever it resides matters more than securing the infrastructure it passes through.

In this podcast, Computer Weekly's storage editor Antony Adshead talks with Vigitrust CEO Mathieu Gorge. They discuss RSA 2016 and what organisations need to do to manage threats to compliance in an environment characterised by the proliferation of data across multiple platforms.

Antony Adshead: RSA 2016 recently took place. What topics related to data storage and compliance were covered?

Mathieu Gorge: RSA 2016 was a lot bigger than RSA 2015 for a start, which was a good sign with regard to the appetite the market has for anything to do with data, cloud, compliance and security.

Of course, there was a lot of talk about the challenge between the FBI and Apple to get access to encryption keys on mobile phones. That dominated discussion at some of the sessions at RSA.

Really, what that means is that data encryption is one of the key topics and where data is stored, whether on-premise or in the cloud, is also something that is very important and was discussed at a number of sessions and workshops.

The concept of looking at data and its lifecycle and how you can encapsulate data – perhaps using encryption, tokenisation or digital fingerprints – to manage the data, rather than where the data is stored, was also an area discussed at some of the keynotes.

So, I think one of the key differences between this year and last year at RSA is that there was a lot more talk about how we deal with the data and where we store the data, versus securing the infrastructure that the data might transit through – whether at rest, in use or in motion.

Adshead: What discussions at RSA address how organisations should prepare themselves to deal with new regulations affecting data storage and compliance?

Gorge: I think it’s fair to say that, at RSA 2016, there was a lot of talk about the new EU GDPR (General Data Protection Regulation) and how that affects data and where you can store data, how you store the data and how you demonstrate compliance.

One of the key topics that came back again and again at the round table discussions, and at some of the side events, was the issue of data classification, data ownership, data management and data storage. So, essentially, the whole lifecycle of the data.

The feedback from RSA from security professionals was that you need to start with a data classification policy and you need to start considering how to isolate the data from where it resides.

So, if you look at new solutions that allow you to manage your encryption keys around the data, regardless of where the data is structured – solutions such as Ionic, for instance – you’ll see that it’s a new way of looking at data storage and at the implications of where you store data.

That said, to do it the right way you need not only technology, but you most likely need help from your in-house solicitor to make sure you fully master the legal ramifications of where your data [resides]. And that’s notwithstanding any requirements for e-discovery, where you may need to get access to data.

Again, I go back to that issue of FBI vs Apple. Let’s imagine Apple actually had to hand over the keys to the FBI – could they even do that, could they manage to find the keys and would they be able to find the relevant data for the FBI?

So, those are some of the questions you need to keep in mind. It's kind of a data lifecycle strategy management, which will involve choosing the right storage solutions, whether in the cloud or on-premise; the right security solutions to protect data, not just in transit and at rest but also in use; and managing the people that have access to the data and how you can trace any transaction that has to do with that data.

So, it’s not necessarily new, but it’s a new way of looking at old concepts around data management.