Cross Border Data Transfer - Ionic Delivers Policy Access Management

Security Controls
for Cross Border
Data Transfer

Implement Technical Measures to Satisfy Schrems II Mandates

As organizations move their sensitive data to the cloud, complying with increasing regulatory requirements is essential. If you routinely transferred personal EU data to the US for processing, analytics, use, or storage purposes, you had to adhere to the EU-U.S. Privacy Shield, a safe harbor provision that enabled the legal transfer of such data. But since its invalidation based on the Schrems II judgment by the Court of Justice of the EU (CJEU), transfers relying on the Privacy Shield framework are now illegal. Other countries, such as Switzerland, are following suit.

Organizations now need to implement technical measures to effectively reduce the risk of accessing transferred personal identifiable data (PII), particularly with respect to data stored with US-based cloud providers such as AWS, Azure, and Google.

Understand the Stakes

Organizations are struggling to implement new measures and add additional safeguards when exporting personal data across international borders. Key management security controls provided by US-based cloud providers are not adequate to meet EU or Swiss requirements as the other entities can possibly gain access to the data, which the CJEU does not consider as “adequate” measures.

It is impossible to implement the required additional safeguards or supplementary measures when cloud providers store your data and use their services to manage the keys governing access to the data, which can be stored in the same location. It is also critical to assert the same technical measures against data moving from an at-rest state to an in-use state.

Featured Ebook
You are failing as a CISO if you ignore data privacy

5 Ways to Maintain Complete Control Over Your Data and Resources in Google Cloud with External Key Manager (EKM)

Practitioner Guide
Ionic resource thumbnail preview

Redefine the Rules

To deny service providers from decoding the data themselves for any reason, organizations can externalize key management. This will allow them to secure their data with strong encryption and maintain complete control over storing and managing their encryption keys in an external system, outside the cloud provider’s infrastructure and without the provider's service to manage the keys.

  • Separate keys from data stored in the cloud and use external key management services to satisfy the “additional safeguards” requirements imposed by the CJEU
  • Keep keys resident in EU if necessary or desired
  • Demonstrate compliance mandates with full visibility into who has access to your keys and when they have been used across your organization
  • Control authorization with externally-managed keys by leveraging contextual policies

Enforce ‘Adequate’ Technical Measures to Meet Compliance Requirements

Organizations need to leverage a practical solution to assert compliance under GDPR and avoid fines and lawsuits. For example, Facebook is currently embroiled in litigation with Ireland, and the Schrems law firm has filed over 100 cases against US companies. Controlling the storage and distribution of externally managed keys for data stored in the cloud provides the adequate technical measure required to meet the compliance requirements.

Machina provides scalable key management for on-premises and cloud resources, allowing you to manage trillions of keys per customer. You can use different keys for each granular "piece" of data, which reduces the need for key rotation. As a result, exposure is drastically minimized should a key be leaked or compromised. Machina is designed to tie access controls to the keys themselves, not to the data that those keys protect, which has important ramifications for privacy and operational scalability. You always have proof of compliance with auditable visibility into each key request and its use.

Attribute-based access control (ABAC) policies for fine-grained authorization

Future-Proof Your Business

Maintain control of your valuable assets and enforce regulatory compliance and privacy measures by leveraging Machina as a central authorization framework. Manage access across any application, repository, workload, resource, and system in any environment.

Machina unifies access controls and encryption technology into a unique engine that leverages contextual policies to explicitly authorize access to anything secured with an externally-managed key. These access policies are centrally managed from a single console to consistently authorize access across your organization and accommodate regulation changes without impacting development.

Data handling and authorization transactions across your organization are tracked in detail to provide proof of compliance. Machina allows you to separate runtime access logic from application code, so you can build security and privacy by default and design to future-proof your business against evolving regulations.

Key Partnerships Deliver Solutions Quickly and at Affordable Cost

Our partnerships with AWS, Google Cloud, and Azure offer easy solution implementations.