Executive Order 14117 introduces new restrictions on cross-border data sharing, specifically targeting six “countries of concern,” including China. Given the significance of these regulations, all companies, regardless of where they do business, should understand at least the basics of the new rule and its key implications.
You can read our previous blog to catch up on those basics, but at a very high level, the new rules:
aim to help protect the sensitive data of American citizens and businesses
focus on companies/individuals from China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela
restrict commercial data exchange as well as employment, investment, and contract agreements
require a broad set of security best practices and controls, from regular risk assessments down through specific guidance around encryption at rest
While many organizations probably already have these requirements in place, the new data protection controls might pose the biggest tactical challenge for existing security and compliance stacks. We’ll examine some of those now and discuss how Confidencial can help meet them.

What Executive Order 14117 means to data protection requirements—and how Confidencial was built for these kinds of challenges
The final CISA guidance has three essential layers: organizational best practices, a set of technical system-level controls, and data protection requirements.
Best practices
Asset inventory maintenance
Designated accountability stakeholders
Regular vulnerability management
Complete vendor and supplier documentation
Network topologies
Controlled deployment policies
Incident response planning
System-level controls
Access restrictions
Multifactor Authentication (MFA)
(Timely) credential revocation
Log management
Unauthorized media prevention
Default denial configurations
Identity and credential management
The final set of rules, which we’ll look at in greater detail, is focused specifically on data protection. We’ll now look at how Confidencial and our new Cloud Protector DSPM help organizations meet many of these new requirements while also modernizing data sharing and security across the organization.
Rising to new rules and expectations
Confidencial was built on technology IP developed initially as part of DARPA efforts to enable secure data sharing at scale, at a speed that doesn’t slow teams down. It makes all those big-picture best practices, from risk assessment to log analytics, smarter and more effective.
More importantly, Cloud Protector puts important encryption and privacy-enhancing techniques in place that specifically help organizations achieve compliance with the Executive Order.
What’s changing – and how Confidencial can help
Regular robust risk assessments
Organizations must now conduct regular data risk assessments to identify and analyze sensitive data and fine-tune their data security posture. However, this practice is currently uneven in many organizations, especially for unstructured data sources.
Confidencial enhances organizations’ ability to meet these new standards by ensuring they have a full view of all their data across multiple sources, including the cloud and on-premises, and inside unstructured files such as documents, spreadsheets, and images.
These assessments must also guide a data security posture, bringing new defenses to the riskiest data. In this case, once a sensitive document has been detected, Confidencial’s selective encryption works at the field level to only lock down what needs to be protected, leaving the rest ready for work.
Stricter data access management
Organizations must also practice strict data access management policies, where user- and role-based access to data is managed by policy, and permissions can be automatically extended or terminated. This requires state-of-the-art controls.
Given the centrality of access control to overall policy, requiring data to be moved outside the environment in order to be managed or monitored is highly counterproductive. Confidencial scans in place, never duplicating or moving files outside existing storage infrastructure, while securing the data from restricted covered persons (CPs) and countries of concern (CoCs).
Complete audit trail
Similarly, logs must be collected, and an audit trail must be created across the entire sensitive data ecosystem. Confidencial tracks all activity on protected data no matter where it moves across (or outside) the environment, a requirement of the new EO.
Data minimization
Organizations must deploy data minimization tactics with the goal of decreasing the linkability between any record and a specific person. This is a problem for traditional data protection and redaction methods that require maintaining duplicate copies of files.
Because Confidencial locks down only parts of a document rather than encrypting the whole file, no duplication is required. This helps reduce the data footprint and the cost and complexity of data management and security.
Additional privacy techniques
Organizations must also put additional privacy techniques in place, using methods that make unauthorized access and exfiltration harder. These can include differential privacy and homomorphic encryption, both aimed at preserving security and usability. Because Confidencial only encrypts select portions of a file, it can be used alongside such tools.
Advanced encryption in transit and at rest
One of the biggest technical updates to the rules is the new requirement for encryption of both at-rest and in-transit data, along with rules around responsible and secure key management and storage. Confidencial uses modern NIST-grade encryption with proven algorithms and key sizes to secure data both at rest and in transit with portable and persistent client-side protection. Confidencial also meets the rule’s additional encryption requirements:
Confidencial does not co-locate encryption keys with covered data
Confidencial does not store physical or virtual encryption keys in a country of concern
Confidencial can be configured to deny access to specific covered persons
All systems involved in sharing, managing, or storing data and encryption keys are subject to these security requirements, all of which are met by Confidencial
The Executive Order asks: is your data protection ready for what’s coming?
Whether you or your partners share data with individuals or organizations inside the listed countries of concern, the updated rules remind us that status quo security is never sufficient. This is especially true in the era of AI, where information is both an emerging risk and a growing opportunity.
Can your platform provide data encryption in transit and at rest?
Are you able to securely leverage all your shared data?
Are you struggling to scan for data both on-prem and in the cloud?
Questions about the Executive Order and how you can prepare? We’re ready to help.