Data Privacy Market Still Has Room for All Entrants

by Victoria Hudgins, writer, Law.com, July 18, 2019

The rapid growth and complexity of data privacy laws makes the idea of one dominant privacy compliance company unlikely, ensuring lawyers’ seat at the table.

In the midst of growing data regulation laws and compliance needs, some privacy compliance technology companies are attracting a slew of investments. Take, for example, data privacy compliance company OneTrust raising $200 million and TrustArc announcing last week that it secured $70 million.

But while it may be tempting to say a select few companies have cornered the data privacy market, competitors and observers say the variety and complexity of data privacy regulations means no single platform has become the go-to vendor in the market. Likewise, lawyers’ legal expertise still makes them a valuable asset for understanding regulations.

Dave Deasy, vice president of marketing at TrustArc, said the combination of stiff fines grabbing companies’ attention and many regulations’ reporting requirements is driving venture capital investment into data privacy compliance tech.

As European regulators begin to levy penalties for high-profile data breaches under the General Data Protection Regulation (GDPR), companies are also concerned about other growing data regulations and the patchwork of U.S. data privacy laws. In turn, companies need a host of services to meet their data privacy requirements.

“There are a lot of moving pieces. I suspect [data privacy compliance] companies will concentrate on a particular area,” said Paul Hill, senior consultant for SystemExperts Corp., a cybersecurity consulting services company. “There’s legal advice, inventory of data and tracking where data goes and then there’s the wide variety of technical controls.”

TrustArc’s Deasy noted he’s seen more small startups sprouting up with specialized functions geared toward single aspects of a data privacy regulation, from solely offering to manage data request services to only providing data discovery. Meanwhile, law firms are now leveraging compliance technology to counsel their clients, he added.

While firms are using platforms from tech companies, they are also creating data privacy compliance tools of their own for clients, said Tsutomu Johnson, Parsons Behle & Latimer of counsel and CEO of the firm’s legal tech lab.

Indeed, various law firms have created privacy compliance tools to provide clients with access to their legal expertise around the clock, perhaps at the expense of the billable hour. That foray into legal tech is law firms’ stepping stone into automating more legal services, Johnson said.

“What I think law firms will do is pivot and leverage the technology they’ve made in privacy to meet a demand … to figure out a way to contain legal costs and the only way you can do that is by automating,” he said.

Likewise, lawyers still maintain the traditional role of drafting contracts in compliance with varying regulations.

“The gap law firms can still fill is creating language that is in compliance with the text of the law,” Johnson said.

Considering the Use of a CPaaS Provider? Look at the Inherent Risks

The rise of the communications platform as a service (CPaaS) model has many enterprises migrating from on-premises communications to cloud platforms and APIs. CPaaS and APIs offer benefits including improved productivity and third-party app integrations, but before adopting CPaaS, companies should consider the inherent risks.

Remember that the underlying technologies tend to be insecure. Even if an encrypted channel is used between the application that initiates the communication and the CPaaS provider, the data is not necessarily protected along the entire path to the recipient.

CPaaS providers give developers and companies the ability to integrate or embed communications channels such as SMS, MMS, and voice into their applications. SMS and MMS define no end-to-end security mechanisms: whatever protection exists between the application and the provider, the message ultimately crosses carrier networks and is delivered to the remote handset without end-to-end encryption or integrity protection. Integration with these services may therefore be inappropriate in some circumstances, because their use may violate regulatory or contractual requirements for certain types of sensitive data. In addition, a sophisticated attacker may be able to modify the contents in transit or replay a message at a later time.

MMS also entails additional underlying risks. If a user of the integrated application receives an MMS message, the message could contain malware. Endpoints and devices running CPaaS-integrated applications should therefore run anti-malware software where possible, and the application itself should treat received attachments as untrusted input.

VoIP and SIP services supported by CPaaS providers also have some inherent security risks. These include Denial of Service (DoS) attacks, message tampering, impersonation of servers, and registration hijacking.

Organizations should also remember that APIs typically add complexity and increase the attack surface. Attackers might be able to exploit data sent into an API, including the URL, query parameters, HTTP headers, and/or POST content. Or an attacker might seek to exploit flaws in authentication, authorization, and session tracking. Adding multiple CPaaS providers increases the complexity further and potentially provides attackers with additional opportunities.

Organizations should also be aware that employees might utilize CPaaS features to exfiltrate data. For example, MMS could be used to send a file containing sensitive or confidential data.

There are a variety of compensating controls that can be used. For example, a Cloud Access Security Broker (CASB) could be used to help prevent the exfiltration of sensitive or confidential information. It could also be used to help block and quarantine malware being received or sent. 

Some Web Application Firewalls (WAFs) can be used to help secure the use of a CPaaS. A WAF may be able to mitigate server impersonation and some DoS attacks, and it can provide some parameter validation: for example, it can block very large messages and heavily nested or overly complex data structures before they reach the application.

All communications with the CPaaS provider via its APIs should be encrypted using TLS. Properly configured egress firewall rules can enforce this by permitting only the provider’s TLS endpoints and blocking plaintext alternatives, but the firewall cannot validate the provider’s certificate or hostname on the client’s behalf; the application must still do that itself.

Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) should also be deployed on the network to detect and/or prevent some of the potential attacks.

Given the security issues in some of the underlying protocols, access control should not rely solely on a one-time authentication at the start of a session. If practical for the environment, limit access to specific IP address ranges, and where practical perform device authentication as well as user authentication.
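As an added, constructed example (not code from the original post or from any CPaaS provider), the following Python shows the kind of guardrails the preceding paragraphs describe on the application side: a source-IP allowlist for inbound provider webhooks, body-size and nesting-depth limits standing in for the WAF’s parameter validation, and an outbound TLS context that insists on certificate and hostname verification. The address ranges (RFC 5737 / RFC 3849 documentation ranges), the limits, the sample webhook JSON, and the function names are all assumptions for illustration.

```python
"""Guardrails for a CPaaS API integration (illustrative, not provider code)."""
import ipaddress
import json
import ssl

# Assumed: the provider publishes the source ranges its webhooks come from.
# Documentation ranges are used here as placeholders.
ALLOWED_SOURCE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]
MAX_BODY_BYTES = 64 * 1024   # reject oversized inbound messages
MAX_DEPTH = 8                # reject heavily nested structures
MAX_NODES = 2000             # reject overly complex structures


class RejectedRequest(Exception):
    """Raised when an inbound request fails a guard check."""


def source_allowed(addr: str) -> bool:
    """True if addr lies inside one of the provider's published ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCE_RANGES)


def measure(value):
    """Return (max_depth, node_count) of a decoded JSON value, walked with an
    explicit stack so a hostile payload cannot exhaust the recursion limit."""
    max_depth = 0
    nodes = 0
    stack = [(value, 1)]
    while stack:
        item, depth = stack.pop()
        nodes += 1
        max_depth = max(max_depth, depth)
        if isinstance(item, dict):
            stack.extend((v, depth + 1) for v in item.values())
        elif isinstance(item, list):
            stack.extend((v, depth + 1) for v in item)
    return max_depth, nodes


def guard_inbound(source_ip: str, body: bytes) -> dict:
    """Validate an inbound webhook (e.g. a delivered SMS posted to our API)
    before any business logic touches it. Raises RejectedRequest on failure."""
    if not source_allowed(source_ip):
        raise RejectedRequest("source address not in provider allowlist")
    if len(body) > MAX_BODY_BYTES:
        raise RejectedRequest("body exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        payload = json.loads(body)
    except (ValueError, RecursionError) as exc:
        raise RejectedRequest("body is not acceptable JSON: %s" % exc)
    depth, nodes = measure(payload)
    if depth > MAX_DEPTH:
        raise RejectedRequest("nesting depth %d exceeds %d" % (depth, MAX_DEPTH))
    if nodes > MAX_NODES:
        raise RejectedRequest("structure has %d nodes, limit %d" % (nodes, MAX_NODES))
    if not isinstance(payload, dict):
        raise RejectedRequest("top-level JSON value must be an object")
    return payload


def outbound_tls_context() -> ssl.SSLContext:
    """TLS settings for calls to the provider's API. A firewall can block
    plaintext egress, but only the client can verify the certificate chain
    and hostname and refuse obsolete protocol versions."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def require_https(url: str) -> str:
    """Refuse to call the provider over anything but https."""
    if not url.lower().startswith("https://"):
        raise ValueError("CPaaS API calls must use https: %r" % url)
    return url


if __name__ == "__main__":
    # Constructed sample: an inbound SMS notification as a provider might post it.
    sample = b'{"from": "+15550100", "to": "+15550199", "body": "hello"}'
    print(guard_inbound("203.0.113.10", sample))
    try:
        guard_inbound("198.51.100.7", sample)
    except RejectedRequest as exc:
        print("rejected:", exc)
```

The size and depth checks run before the decoded payload is handed to any handler, and the walk in measure is iterative so that a deeply nested body cannot turn the validation itself into the denial-of-service vector it is meant to stop.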

Ransomware – should you pay or not?

You may have seen the recent news about cities and towns being held hostage by hackers who encrypted their data. With over 25 years of experience in cyber security, I’ve seen it all. To help guide you in managing a ransomware attack, I’ve outlined the steps you can take to minimize the impact on your organization, including my view on why you should not pay the ransom.

Should I pay? No!

Almost every ransomware attack boils down to one question: are you going to pay the ransom or not? As a goal, the answer should be no. Let’s start by stating the obvious: you’re dealing with a criminal who has deliberately planted ransomware on one or more of your computers, rendering them unusable unless you pay to have the files decrypted. You have no guarantee whatsoever that you’ll actually get a working decryption key, and it’s quite possible that additional malware is already installed that you’ll have to deal with next. You are essentially a hostage being blackmailed for money to get out of your situation, with no assurance that there’s an end in sight.

Take out the emotion

One of the real problems is that this is an emotional situation: you and your work environment have been made vulnerable, and you’re not going to like dealing with a criminal to somehow extract yourself from it. This is easier said than done, but you need to take the emotion out of it and deal with the facts. Dealing with this attack is very similar to dealing with a disaster recovery situation. If you can put it in that light, it will help to defuse the emotion and keep you focused on recovery rather than on feeling that your company is being held hostage.

Isolate as quickly as possible

The number one priority once ransomware has been identified is to isolate the infected systems as quickly as possible so the problem doesn’t spread. Every second counts. If it’s a single system, don’t be gentle: cut it off from the network immediately (pull the cable, disable Wi-Fi), and if you cannot, unplug the power, accepting that a hard power-off loses whatever is in memory, which may include evidence useful to the investigation. If it’s a collection of systems, isolate that part of the network immediately so the infection can’t spread to other systems, shared file storage, or other networks. Once it is isolated you can then start to identify the problem, report the situation to authorities, and begin the restore and refresh process.

Dealing with Ransomware is like Disaster Recovery

The final step is to restore and refresh the infected systems from safe backups and reinstall safe versions of the programs and software your systems need to execute normal business activities. In other words, the plan to deal with a ransomware infection is very much modeled after how you plan for disaster recovery: document responsibilities, steps and owners, define vital applications, map out dependencies, determine appropriate backup and redundancy measures, regularly update employees, and as always, test the process periodically.


How significant is the tool sprawl problem?

Following up on my post earlier this month on Shadow IT, I wanted to discuss a related issue – “tool sprawl.” Tool sprawl describes an environment where the deployment and use of tools is not managed by a single IT group: applications, software, and tools are installed by end-users because they believe that waiting for the IT group will take too long and be too onerous.

Tool sprawl is a serious obstacle to providing security

The problem with uncontrolled installation and use of tools is that most tools implement their own security controls (authentication, logging, data handling), and those are unlikely to match or integrate with the controls already in place. In addition, many end-users are focused more on functionality than security, and the tool may be at odds with current organizational security expectations or standards. As anybody in IT knows, installing new tools is usually the easiest and least expensive part of the whole process. The real expenses are in time and money for ongoing management, integration with other tools, upgrades to meet security requirements, maintenance updates, and, of course, technical support.

Another hidden cost — beyond the additional licensing fees — is that the more applications you have, the more time both your end-users and IT support have to spend learning about and supporting these tools. In many cases it would be less expensive for the organization as a whole to reduce the number of tools that are in use to save on support related expenses.

The tool sprawl problem is getting worse because agile development, cloud computing, and the Internet of Things are all introducing more and more user-focused software at a high rate.

I offer the following tips to address tool sprawl in your environment:

  • Encourage innovation outside of the IT department instead of frowning upon it.
  • Solicit feedback from your users to hear their opinions on what other tools they’d like to be able to use, or what processes they’d like to streamline with an additional tool.
  • Have the IT department identify helpful and secure end-user tools that have been implemented and fast track them into the IT portfolio to show the end-user population that new tools can be embraced.
  • Allow the IT department to put their foot down and categorically deny or remove tools that create compliance or regulatory violations.