Archive for the ‘data governance’ Category

Best Practices for ITAR Compliance in the Cloud

The cloud has become part and parcel of today’s enterprise. However, remaining compliant with the International Traffic in Arms Regulations (ITAR) demands extensive data management capability. Most of the regulatory details covered by ITAR aim to guarantee that an organization’s materials and information regarding military and defense technologies on the United States Munitions List (USML) are only shared within the US, with US authorized entities. While this may seem like a simple precept, in practice, attaining it can be extremely difficult for most companies. Defense contractors and other organizations that primarily handle ITAR controlled technical data have been unable to collaborate on projects while utilizing cloud computing practices that have a proven track record of fostering high performance and productivity. Nevertheless, the hurdles impeding the productivity opportunities of the cloud can be overcome. Practices that govern the processing and storage of export controlled technical data are evolving.

Full ITAR compliance in the cloud is not an end result, but a continual odyssey in protecting information assets. In the long run, being ITAR compliant boils down to having a solid data security strategy and defensive technology execution in place.

Utilize End-to-End Encryption

In September 2016, the DDTC published a rule that established a ‘carve out’ for the transmission of export controlled software and technology within a cloud service infrastructure, necessitating the ‘end-to-end’ encryption of data. The proviso is that the data has to be encrypted before it crosses any border, and has to remain encrypted at all times during transmission. Likewise, any technical data potentially accessed by a non-US person outside or within the United States has to be encrypted ‘end-to-end’, which the rule delineates as the provision of continual cryptographic protection of data between the originator and the intended recipient. In a nutshell, the means of decrypting the data can’t be given to a third party before it reaches the recipient.

The native encryption of data at rest offered by most cloud providers fails to meet the definition of end-to-end encryption, because the cloud provider likely has access to both the encryption key and the data. The cloud provider therefore has the ability, even if inadvertently, to access export controlled information. Organizations have to ensure that the DDTC definition of ‘end-to-end’ encryption is met before storing their technical data in a public or private cloud environment. Otherwise they will be in violation of ITAR.
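The key-custody difference described above, as an added Go example (not from the original article or from any cloud provider's API): the originator encrypts with AES-256-GCM before upload, so the store only ever holds ciphertext and no key. `CloudStore`, the function names and the sample document are hypothetical and constructed for illustration; how the key reaches the intended recipient is assumed to happen outside the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore is a hypothetical stand-in for a storage provider. It receives
// opaque bytes only; no key is ever passed to it.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (s *CloudStore) Put(name string, blob []byte) {
	s.objects[name] = append([]byte(nil), blob...)
}

func (s *CloudStore) Get(name string) ([]byte, bool) {
	b, ok := s.objects[name]
	return b, ok
}

// NewKey generates a 256-bit key on the originator's machine. Delivering it
// to the intended recipient is out of scope here; it must not travel through
// the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts before upload. Output layout: nonce || ciphertext || tag.
// The object name is authenticated as associated data, so a blob stored
// under one name fails to open under another.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open decrypts after download and fails on a wrong key, a wrong name, or
// any modification of the stored bytes.
func Open(key, blob []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	doc := []byte("constructed sample: assembly drawing, rev C") // not real data
	blob, err := Seal(key, doc, "drawing-rev-c.txt")
	if err != nil {
		panic(err)
	}
	store.Put("drawing-rev-c.txt", blob)

	stored, _ := store.Get("drawing-rev-c.txt")
	fmt.Printf("provider holds %d opaque bytes\n", len(stored))

	plain, err := Open(key, stored, "drawing-rev-c.txt")
	fmt.Printf("recipient with key: %q, err=%v\n", plain, err)

	otherKey := make([]byte, 32) // any key other than the originator's
	_, err = Open(otherKey, stored, "drawing-rev-c.txt")
	fmt.Printf("party without the key: err=%v\n", err)
}
```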

Classify Data Accordingly

Most technologies are not limited to single use. Whenever an organization that handles technical data related to defense articles shares information regarding a service or product, steps have to be taken to make sure that any ITAR controlled data is carefully purged in its entirety. Classification entails reviewing existing business activities and contracts to establish if they fall under ITAR. The process requires a good understanding of licensing terms, court interpretations, agency directives and other guidance. In order to successfully navigate the nuances and complexities of ITAR, organizations have to collect enough metadata to catalog, separate and classify information. For easy identification, the data should be classified into categories such as ‘Public Use’, ‘Confidential’, and ‘Internal Use Only’. Classifying data is a requisite to creating a foolproof Data Leakage Prevention (DLP) implementation.

Develop a Data Leak Prevention (DLP) Strategy

Accidental leaks owing to user error and other oversights occur more often than most would care to admit. Mistakes that can happen, will happen. Establishing a set of stringent policies to prevent users from mishandling data, whether accidentally or intentionally, is crucial to ITAR compliance. Organizations should have a strategy in place to guarantee the continual flow of data across their supply chains, while protecting said data from the following scenarios:

  • Well-meaning insiders – employees who make an innocent mistake.
  • Malicious insiders – employees with ill intention.
  • Malicious outsiders – individuals looking to commit corporate espionage, hackers, enemy states, and competitors among others.

Control Access to Technical Data

Access control is a well-known technique that is used to regulate who can view or use the resources in a computing environment. Access control can be employed on a logical or physical level. Physical access control restricts access to physical areas and IT assets. Logical access control allows IT administrators to establish who is accessing information, what information they are accessing and where they are accessing it from. Roles, permissions and security restrictions should be established beforehand to ensure that only authorized U.S persons have access to export controlled technical information. Multifactor authentication strengthens access control by making it extremely difficult for unauthorized individuals to access ITAR controlled information by compromising an employee’s access details.

Establish Security Policies and Train the Staff Well

An ITAR specific security strategy is the cornerstone of data security practices. The policies should handle network and physical security considerations. ITAR is riddled with complications that make it easy for organizations to make mistakes if they don’t remain vigilant. The organization is only as secure as its weakest link, and in most cases that is the staff. A solid security policy on paper simply does not cut it. Without proper staff training, a compliance strategy will be largely ineffective since it doesn’t tie in with the actual organizational procedures. Investing in end-user training is the only way to ensure security policies are implemented.

In Closing

Organizations have turned to government clouds to manage the complex regulatory issues associated with the cloud. Platforms like AWS GovCloud have developed substantial capabilities that enable organizations subject to ITAR to effectuate robust document management and access control solutions. When paired with FileCloud, organizations can build and operate document and information management systems that satisfy the strictest security and compliance requirements.


Author: Gabriel Lando

Backup Mistakes That Companies Continue to Commit



Imagine a situation where you wake up, reach your office, and witness chaos, because your business applications are not working anymore. And that’s because your business data doesn’t exist anymore! Information about thousands of customers, products, sales orders, inventory plans, pricing sheets, contracts, and a lot more is no longer accessible. What do you do? Well, if your enterprise has been following data backup best practices, you’ll just smile, and check what the progress on the data restoration is. Alas, problems await. That’s because your people might have committed one of the commonplace yet dangerous mistakes of data backups. Read on to find out.


Fixation on the Act of Backup

Sounds weird, but that’s what most enterprises do, really. Data engineers, security experts, and project managers – everyone is so focused on the act of backup, that they all lose track of the eventual goals of the activity. Recovery time objectives (RTO) and recovery point objectives (RPO) should govern every act in the process of data backup. Instead, companies only focus on ensuring that data from every important source is included in the backup.

Nobody, however, pays much heed to backup testing, which is one of the key aspects of making your data backup process foolproof. Instead, companies end up facing a need for data restoration, only to realize that the backup file is corrupt, missing, or not compliant with the prerequisites of the restoration tool.

The solution – make rigorous backup testing a key element of your backup process. There are tools that execute backup tests in tandem with your data backup. If you don’t wish to invest in such tools as yet, make sure you conduct backup testing at least bi-annually.
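A backup test of the kind described above, as an added Go example (not from the original article and not any particular backup tool): it performs a trial restore of a tar.gz archive in memory and compares every restored file against a SHA-256 manifest taken at backup time, reporting corrupt, missing and unexpected files. The function names, the manifest format and the sample files are assumptions constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
)

// Manifest records the SHA-256 of every file at backup time (store it apart from the archive).
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// MakeBackup packs files into a tar.gz archive and returns it with its manifest.
func MakeBackup(files map[string][]byte) ([]byte, Manifest, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	m := Manifest{}
	for name, data := range files {
		hdr := &tar.Header{Name: name, Mode: 0600, Size: int64(len(data))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, nil, err
		}
		m[name] = digest(data)
	}
	if err := tw.Close(); err != nil {
		return nil, nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, nil, err
	}
	return buf.Bytes(), m, nil
}

// RestoreTest performs a trial restore into memory and returns every problem
// found; an empty result means the backup restored and matched the manifest.
func RestoreTest(archive []byte, m Manifest) []string {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return []string{"archive unreadable: " + err.Error()}
	}
	var problems []string
	seen := map[string]bool{}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			problems = append(problems, "archive damaged: "+err.Error())
			break
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			problems = append(problems, "cannot restore "+hdr.Name+": "+err.Error())
			break
		}
		seen[hdr.Name] = true
		if want, ok := m[hdr.Name]; !ok {
			problems = append(problems, "not in manifest: "+hdr.Name)
		} else if digest(data) != want {
			problems = append(problems, "checksum mismatch: "+hdr.Name)
		}
	}
	for name := range m {
		if !seen[name] {
			problems = append(problems, "missing from backup: "+name)
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	files := map[string][]byte{ // constructed sample data
		"orders.csv":   []byte("id,total\n1001,249.00\n1002,18.50\n"),
		"pricing.json": []byte(`{"sku-1":9.99,"sku-2":24.00}`),
	}
	archive, manifest, err := MakeBackup(files)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact backup:   ", RestoreTest(archive, manifest))
	fmt.Println("truncated backup:", RestoreTest(archive[:len(archive)/2], manifest))
}
```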

Not Adopting Data Backup Technologies

What used to be a tedious and strenuous task for administrators and security experts a few years back can now be easily automated using data backup tools. These tools are much more reliable than manual backup operations. What’s more, there will not be the dreaded problems such as those associated with data formats, etc., when the time for restore arrives.

These tools offer scheduled backups, simultaneous testing, and execution of backup and restore in sync with your RTO and RPO goals. Of course, businesses must understand the data backup tools available in the market before choosing one.


Unclear Business Requirements (In Terms Of Data Backup And Restore)

Take it from us: one size won’t fit all organizations or processes when it comes to data backups, whether manual or controlled via a tool. Project managers must understand the business requirements around data to be able to plan their data backup projects well. The backbone of a successful data backup process and plan is a document called a recovery catalog. This document captures all necessary details centered on aspects such as:

  • The different formats of data owned by the business
  • The time for which every backup needs to be available for possible restore operations (RPO)
  • The priority of different data blocks from a recovery perspective (RTO)

The recovery document will go a long way in helping you list the tools you need for successful management of data backup and recovery. Also, it will help you design better processes and improve existing processes related to the entire lifecycle of data backup.

Right Requirement, Wrong Tool

Your CIO’s expectations from your team are governed by the business’ expectations from the entire IT department of the company. There’s nothing wrong with the expectations and requirements. It’s possible, however, that the tools you have are not well suited to fulfill those requirements.

For instance, in an IT ecosystem heavily reliant on virtualization, the virtualization tools already have built-in cloning capabilities. However, these backups can take disk space almost equal to the entire environment. Now if you need to change your VMs often, your storage will soon be exhausted as you keep on making new copies of updated environments.

If you have clarity on the most important business applications, it becomes easier to work with IT vendors and shortlist data backup tools that can easily integrate with these applications. This could be a massive boost to your enterprise’s data backup capabilities.

Failure to Estimate Future Storage Needs

No doubt, the costs of data storage are on their way down, and chances are they’ll continue to fall. However, almost every business only buys storage based on its estimation of what’s needed. It’s commonplace enough for companies to completely ignore the fact that their data backups will also need space to stay safe. And this is why it’s so important to estimate the data storage requirements after accounting for your data backup objectives. While doing a manual backup, for instance, if the executors realize that there’s not much space to play around with, it’s natural for them to leave out important data. Also, account for the possibilities of increased frequencies of backups in the near future.

Not Balancing Costs of Backup with Suitability of Media

It’s a tough decision, really, to choose between tape and disks for data storage. While tapes are inexpensive, plentiful, and pretty durable from a maintenance perspective, you can’t really store essential systems data and business critical applications’ data on tape, because the backups are slow. Estimate the cost of time lost in the slow backup because of tapes while deciding on your storage media options. Often, the best option is to store old and secondary data on tape and use disks for storage of more important data. In this case, you will be able to execute data restoration and complete it sooner than if you depended purely on tape media.

Concluding Remarks

There’s a lot that can go wrong with data backups. You could lose your backed-up data, run out of space for it, realize the data backup files are corrupted when you try to restore them, and in general, fail to meet the RTO and RPO goals. To do better, understand what leads to these mistakes, and invest time and money in careful planning to stay secure.


Author: Rahul Sharma

International Traffic in Arms Regulations (ITAR) Compliance in the Cloud



ITAR was enacted in 1976 to control the export of defense-related articles and services. It stipulates that non-US persons are not allowed to have logical or physical access to articles regulated by the International Traffic in Arms Regulations, which is administered by the Directorate of Defense Trade Controls (DDTC), a sub-division of the State Department. The articles covered by ITAR are listed on the United States Munitions List (USML), and generally encompass any technology that is specifically designed or intended for military end-use. ITAR was also contrived to govern the import and export of any related technical data that describes, supports, or accompanies the actual exported service or goods, unless exemptions or special authorization is created.

The goal of ITAR is to prevent the transfer or disclosure of sensitive information, typically related to national security and defense, to a foreign national. In most cases, non-compliance usually translates to the loss of assets and professional reputation. However, with ITAR, lives may possibly be at stake. This is why the International Traffic in Arms Regulations is a strictly enforced United States government regulation and carries some of the most austere criminal and civil penalties, which no business or individual would want to be on the receiving end of.

ITAR is not applicable to information that is already available in the public domain, or that is commonly taught in school under general scientific, engineering or mathematical principles.

Who is required to be ITAR compliant?

The law essentially applies to defense contractors who manufacture or export services, items or other information on the United States Munitions List. However, any company that is in the supply chain for such items must make ITAR compliance a priority. ITAR has a fairly complicated set of requirements, and since the repercussions of non-compliance are severe, companies should not hesitate to seek legal clarifications of their obligations if they even suspect the regulation applies to them – better safe than sorry. The vague categories of the USML make it difficult to intelligibly understand what exactly falls under the purview of military equipment.

The list is inclusive of most technology used for spaceflight, along with a vast range of technical data such as product blueprints, software and aircraft technology. Most of these items were initially developed for military purposes but were later on adapted for mainstream purposes – in aviation, maritime, computer security, navigation, electronics and other industries. It is crucial for firms that offer products and services to government consumers to fully grasp this distinction, to avoid expensive legal violations. ITAR may also likely impact large commercial enterprises, universities, research labs, and other institutions who are not directly involved in the defense industry.

The Repercussions of Non-compliance

Violating ITAR could lead to both criminal and civil penalties. The imposed fines are virtually unlimited – typically, organizations are prosecuted for hundreds of violations at once. The penalties for ITAR violations, both criminal and civil, are substantial. Criminal penalties may include fines of up to a million dollars per violation and 10 years’ imprisonment, while civil fines can be as high as half a million dollars per violation. Failure to comply with ITAR may also damage an organization’s reputation and ability to conduct business. The State Department maintains publicly available records of all penalties and violations dating back to 1978. Organizations and individuals run the risk of being completely debarred from exporting defense-related services and items.

Challenges in the Cloud

ITAR compliance and the adoption of cloud platforms present unique challenges. Uploading technical data to the cloud carries with it a huge risk of penalties and violations. There are a lot of questions in regards to whether or not regulated technical data can be stored in a public cloud. The intrinsic quandary is that cloud vendors use distributed and shared resources that will likely cross national borders, and this allocation of resources is not entirely transparent to the end-user. Data back-up and replication are common security measures when sharing files and collaborating via the cloud, but they can inadvertently lead to unlicensed exports in the event data is sent to servers located outside the United States. Once technical data goes beyond U.S borders, the risk of non-US persons having access to it increases exponentially.

In 2016, for example, Microwave Engineering Corporation settled an ITAR violation with the State Department after technical data related to a defense article was exported to a foreign person without authorization. So if giving a foreign person access to technical data, or placing it on a server in a foreign nation, is deemed an export, what guidance does ITAR give to ensure the entire process is done in a legal manner? Or is cloud storage simply off the table?

The State Department maintains that technical data can be stored on servers outside the U.S, provided that the ITAR license exemption conditions are met, and adequate measures are taken to prevent non-US individuals from accessing technical data. In most cases, the measure typically involves ensuring that any data sent to a server beyond U.S borders, or that is potentially accessible by a foreign person within or outside the U.S, is properly encrypted. It is important to note that by law, cloud providers aren’t considered exporters of data; however, your organization might be. So the burden of ensuring ITAR compliance when handling technical data falls squarely on the people within the organization. Organizations dealing with defense-related articles in any capacity have to exercise extreme caution when using any commercial file sharing and sync service.


Author: Gabriel Lando

Adopting Privacy by Design to Meet GDPR Compliance

The proliferation of social networking and collaboration tools has ushered in a new era of the remote enterprise workforce; however, these tools have also made organizational boundaries non-static, making it increasingly difficult for enterprises to safeguard the confidential and personal data of their business partners, employees and customers. In these politically uncertain times, defending privacy is paramount to the success of every enterprise. The threats and risks to data are no longer theoretical; they are apparent and menacing. Tech decision makers have to step in front of the problem and respond to the challenge. Adopting the privacy by design framework is a surefire way of protecting all users from attacks on their privacy and safety.

The bedrock of privacy by design (PbD) is the anticipation, management and prevention of privacy issues during the entire life cycle of the process or system. According to the PbD philosophy, the most ideal way to mitigate privacy risks is not creating them to begin with. Its architect, Dr. Ann Cavoukian, devised the framework to deal with the rampant issue of developers applying privacy fixes after the completion of a project. The privacy by design framework has been around since the 1990s, but it is yet to become mainstream. That will soon change. The EU’s data protection overhaul, GDPR, which comes into effect in May 2018, demands privacy by design as well as data protection by default across all applications and uses. This means that any organization that serves EU residents has to adhere to the newly set data protection standards regardless of whether they themselves are located within the European Union. GDPR has made a risk-based approach to pinpointing digital vulnerabilities and eliminating privacy gaps a requirement.

Privacy by Default

Article 25 of the General Data Protection Regulation systematizes both the concepts of privacy by design and privacy by default. Under the ‘privacy by design’ requirement, organizations will have to set up compliant procedures and policies as fundamental components in the maintenance and design of information systems and mode of operation for every organization. This basically means that privacy by design measures may be inclusive of pseudonymization or other technologies that are capable of enhancing privacy.

Article 25 states that a data controller has to implement suitable organizational and technical measures at the time a mode of processing is determined and at the time the data is actually processed, in order to guarantee data protection principles like data minimization are met.

Simply put, Privacy by Default denotes that strict privacy settings should be applied by default the moment a service is released to the public, without requiring any manual input from the user. Additionally, any personal data provided by the user to facilitate the optimal use of a product must only be kept for the amount of time needed to offer said service or product. The example commonly given is the creation of a social media profile, where the default settings should be the most privacy-friendly. Details such as name and email address would be considered essential information, but not age or location. Also, all profiles should be set to private by default.

Privacy Impact Assessment (PIA)

Privacy Impact Assessments are an intrinsic part of the privacy by design approach. A PIA highlights what Personally Identifiable Information is collected and further explains how that data is maintained, how it will be shared and how it will be protected. Organizations should conduct a PIA to assess legislative authority and to pinpoint and mitigate privacy risks before sharing any personal information. Not only will the PIA aid in the design of more efficient and effective processes for handling personal data, but it can also reduce the associated costs and damage to reputation that could potentially accompany a breach of data protection regulations and laws.

The most ideal time to complete a Privacy Impact Assessment is at the design stage of a new process or system, and then re-visit it as legal obligations and program requirements change. Under Article 35 of the GDPR, data protection impact assessments (DPIA) are inescapable for companies with processes and technologies that will likely result in a high risk to the privacy rights of end-users.

The Seven Foundational Principles of Privacy by Design

The main objectives of privacy by design are to ensure privacy and control over personal data. Organizations can gain a competitive advantage by practicing the seven foundational principles. These principles of privacy by design can be applied to all the varying types of personal data. The strength of the privacy measures typically corresponds to the sensitivity of the data.

I. Proactive not Reactive; Preventative not Remedial – Be prepared for, pinpoint, and avert privacy issues before they occur. Privacy risks should never materialize on your watch, get ahead of invasive events before the fact, not afterward.
II. Privacy as the default setting – The end user should never take any additional action to secure their privacy. Personal data is automatically protected in all business practices or IT systems right off the bat.
III. Privacy embedded into design – Privacy is not an afterthought; it should instead be part and parcel of the design as a core function of the process or system.
IV. Full functionality (positive-sum, not zero-sum) – PbD eliminates the need to make trade-offs, and instead seeks to meet the needs of all legitimate objectives and interests in a positive-sum manner, circumventing all dichotomies.
V. End-to-end lifecycle protection – An adequate data minimization, retention and deletion process should be fully integrated into the process or system before any personal data is collected.
VI. Transparency and visibility – Regardless of the technology or business practice involved, the set privacy standards have to be visible, transparent and open to providers and users alike; it should also be documented and independently verifiable.
VII. Keep it user-centric – Respect the privacy of your users/customers by offering granular privacy options, solid privacy defaults, timely and detailed information notices, and empowering user-friendly options.

In Closing

The General Data Protection Regulation makes privacy by design and privacy by default legal requirements in the European Union. So if you do business in the EU or process any personal data belonging to EU residents you will have to implement internal processes and procedures to address the set privacy requirements. A vast majority of organizations already prioritize security as part of their processes. However, becoming fully compliant with the privacy by design and privacy by default requirement may demand additional steps. This will mean implementing a privacy impact assessment template that can be populated every time a new system is procured, implemented or designed. Organizations should also revisit their data collection forms to make sure that only essential data is being collected. Lastly it will be prudent to set up automated deletion processes for specific data, implementing technical measures to guarantee that personal data is flagged for deletion after it is no longer required. FileCloud checks all the boxes when it comes to the seven principles of privacy by design and offers granular features that will set you on the path to full GDPR compliance.

Author: Gabriel Lando


Technical Data Under ITAR


The International Traffic in Arms Regulations (ITAR) are controls established by the U.S State Department to regulate the temporary import and export of defense articles. While most defense contractors comprehend the implications of ITAR for physical objects, ITAR’s application to data remains unclear to most. The first step to properly identifying technical data and how it’s controlled for export purposes is having a concise understanding of what technical data is and what it encompasses.

Technical data refers to the unique information required for the development, production and subsequent use of defense articles.

  • Development – is inclusive of all the information that is created or gathered before production and may include but is not limited to: layouts, pilot production schemes, testing and assembly prototypes, design research, integration design, configuration design, design concepts, design analysis, and other forms of design data.
  • Production – is comprised of all the information generated or gathered during the production stages and may include but is not limited to: engineering, manufacture, assembly, integration, testing, inspection and quality assurance.
  • Use – encompasses any information that relates to the installation, operation, maintenance, testing or repair of defense articles.

Technical data also refers to classified data that relates to defense services and defense articles.

Implications of Cloud Computing on Technical Data

The cloud facilitates access to information while expanding the delivery of services. On the other hand, ITAR aims to restrict the flow of information while limiting the provision of services and goods. The contrast between the two creates unique challenges as it relates to compliance for defense contractors who have operations in multiple countries and wish to adopt cloud computing. Some organizations have opted to avoid the cloud altogether and fall back to maintaining separate systems in order to meet ITAR requirements, which tends to be extremely inefficient and costly. In order to fully understand the possible implications of cloud computing on export controlled data, you must first understand what constitutes an export when it comes to technical data.

I. What is an Export?

In global trade, the term export is typically synonymous with large shipping crates being loaded onto ships or wheeled into a large transoceanic cargo plane. However, U.S export control laws are not limited to the movement of hardware across borders. Instead, the regulations also extend to specific technical data. The type of control extended depends on the export control jurisdiction and classification. Export Administration Regulations (EAR) defines an export as the shipment or transmission of items out of the United States, or release of software or technology to a foreign national within the U.S. The ITAR definition of export is analogous.

Technical data is regulated for reasons of foreign policy, non-proliferation and national security; the current law stipulates that technical data should be stored in the U.S and that only authorized U.S persons should have access to it. The existing definition of export was drafted at a time when cloud computing was not in the picture, therefore, the exact application of the term ‘export’ in this space remains unclear.

II. When Does an Export Occur?

When it comes to export control, transmitting data to a cloud platform for storage or manipulation is conceptually similar to carrying a hard copy of the data to another country or sending it via the mail. Transmitting data to the cloud for backup or processing mainly involves copying the data to a remote server. If the server’s location is outside the United States, then uploading export-controlled technical data to it will be deemed an export, as if it had been printed on paper and carried outside the country. This creates an appreciable challenge since, with the cloud, the end-user is not automatically privy to the location of the data, and the locations of the cloud servers are subject to change.

It is important to note that export controlled data doesn’t have to leave the U.S to be considered an export. Under ITAR, technical data should not be disclosed to non-US persons, regardless of where they are located, without authorization. Non-US persons encompass any individual who isn’t a lawful permanent resident of the United States. When technology subject to ITAR is uploaded to a cloud server and a user from another country accesses it, an export has occurred, regardless of whether the provider has made sure that all servers are located within the U.S, and even though the data never left the United States.

III. Who is the Exporter?

Users of cloud services interact with the cloud in multifarious ways; in most cases, the operational specifics are intentionally abstracted by the service provider. Information relating to where the computations are occurring may not be made available to the end-user. However, in the United States, the cloud service provider is generally not considered the exporter of the data that its subscribers upload to its servers. Despite the fact that the State Department hasn’t issued a formal directive on the matter, U.S subscribers that upload technical data onto the hardware of a cloud service provider will be considered the exporters of said data in the event of foreign disclosures. Accordingly, if ITAR controlled technical data is divulged to a non-US IT administrator of the cloud service provider, it is the subscriber to the service and not the service provider that is deemed the exporter.

In Closing

The cloud has reshaped the landscape with respect to government, business, and consumer information technologies by delivering enhanced flexibility and better cost efficiencies for a vast variety of services. But the nature of cloud computing increases the chances of inadvertent export control violations. When it comes to ITAR controlled technical data, users are inadvertently vulnerable to unexpected and complex export requirements, and in the event of non-compliance, to drastic potential criminal and civil penalties, including weighty fines and possibly jail time. With that in mind, the next logical suggestion would be to forget cloud file sharing and sync altogether; however, that does not have to be the case. The Bureau of Industry and Security published a rule in the Federal Register that establishes a ‘carve out’ for the transmission of regulated data within a cloud service infrastructure, necessitating encryption of the data. Encryption coupled with a set of best practices can enable you to freely adopt the cloud while remaining ITAR compliant.




Author: Gabriel Lando



Personal Data, PII and GDPR Compliance



The countdown for the European Union’s General Data Protection Regulation (GDPR), which will go into full effect in May 2018, is coming to a close. GDPR aims to solidify the data privacy rights of EU residents and the requirements on organizations that handle customer data. It introduces stern fines for data breaches and non-compliance while giving people a voice in matters that concern their data. It will also homogenize data protection rules throughout the EU. The current legislation, the EU Data Protection Directive, was enacted in 1995, before cloud technology developed innovative ways of exploiting data; GDPR aims to address that. By enacting strict regulations and stiffer penalties, the EU hopes to boost trust within a growing digital economy.

Despite the fact that GDPR came into force on 24th May 2016, organizations and enterprises still have until the 25th of May 2018 to fully comply with the new regulation. A snap survey of 170 cybersecurity pros by Imperva revealed that while a vast majority of IT security professionals are fully aware of GDPR, less than 50 percent of them are getting everything set for its arrival. It went on to conclude that only 43 percent are assessing the impact GDPR will have on their company and adjusting their practices to comply with data protection legislation. Even though most of the respondents were based in the United States, they are still likely to be hit by GDPR if they solicit and/or retain (even through a third party) EU residents’ personal data.

Remaining compliant with GDPR demands, among several other things, a good understanding of what constitutes ‘personal data’ and how it differs from ‘personally identifiable information’ or PII.

What is Personal Data In the GDPR Context?

The EU’s definition of personal data in GDPR is markedly broad, more so than current or past personal data protection. Personal data is defined as data about an identifiable or identified individual, either indirectly or directly. It is now inclusive of any information that relates to a specific person, whether the data is professional, public or private in nature. To mirror the various types of data organizations currently collect about users, online identifiers like IP addresses have been categorized as personal data. Other data such as transaction histories, lifestyle preferences, photographs and even social media posts are potentially classified as personal data under GDPR. Recital 26 states:

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

This definition of personal data applies directly to all the 28 states in the European Economic Area (EEA).

Is Personally Identifiable Information (PII) the Same as Personal Data?

The term ‘Personally Identifiable Information’ doesn’t appear anywhere in the GDPR; however, it does have a definite meaning in US privacy law. The term itself is therefore likely to cause confusion for anyone seeking to comply with GDPR. For a concept that has become ubiquitous in both technological and legal colloquy, PII is surprisingly hard to define. In a nutshell, PII refers to any information that can be used to distinguish one individual from another. This includes any information that can be used to re-identify anonymous data. It can refer solely to data that is regularly used to authenticate or identify an individual, as opposed to information that violates the privacy of an individual, that is, reveals sensitive information regarding someone. The US interpretation of the term is undeniably incongruous with what is relevant for a proper GDPR assessment since it pre-selects a set of identifying traits.

To put it bluntly, all PII can be considered personal data but not all personal data is Personally Identifiable Information. Developing a solid GDPR compliance program demands that IT architects and marketers move beyond the restricted scope of PII to examine the full spectrum of personal data as defined by the EU.

Handling Personal Data in Accordance With GDPR

The first step to GDPR compliance in matters pertaining to personal data is undoubtedly a risk assessment of how existing data is being stored and accessed, the level of risk attached to it, and whether it contains any PII. The data might be stored on server file systems, databases or even on an end user’s physical storage or cache. Becoming GDPR compliant means not only protecting more data types in the future but also expending more effort on identifying existing data that initially wasn’t considered personal data. It is important to note that you cannot limit your scope to the data you hold as if it were a closed system. Nowadays, people typically interact with interconnected systems, and GDPR mirrors that. In such scenarios, organizations should focus outward and infer, from the many varying paths to re-identification within their ecosystem, who in that ecosystem can connect one attribute to another.

Additionally, GDPR requires that documented ‘opt-in’ consent be provided by each individual. The consent has to explicitly pinpoint the data collected, how it is going to be used and how long it will be retained. Organizations also have to provide participants with an option to withdraw their consent at any given time and request that their personal data be permanently deleted. Participants should have the ability to get factual errors amended, and even request their personal data for review and use.

FileCloud Can Help You Comply With GDPR

The General Data Protection Regulation sets a new standard in the protection of personal data. Its efforts aim to grant data subjects more control over their data while ensuring the transparency of operations. FileCloud provides a set of simple features that can help organizations meet GDPR requirements.


Author: Gabriel Lando


FileCloud Empowers Government Agencies with Customizable EFSS on AWS GovCloud (U.S.) Region

FileCloud, a cloud-agnostic Enterprise File Sharing and Sync platform, today announced availability on AWS GovCloud (U.S.) Region. FileCloud is one of the first full-featured enterprise file sharing and sync solutions available on AWS GovCloud (U.S.), offering advanced file sharing, synchronization across OSs and endpoint backup. With this new offering, customers will experience the control, flexibility and privacy of FileCloud, as well as the scalability, security and reliability of Amazon Web Services (AWS). This solution allows federal, state and city agencies to run their own customized file sharing, sync and backup solutions on AWS GovCloud (U.S.).

“Having FileCloud available on AWS GovCloud (U.S.) provides the control, flexibility, data separation and customization of FileCloud at the same time as the scalability and resiliency of AWS,” said Madhan Kanagavel, CEO of FileCloud. “With these solutions, government agencies can create their own enterprise file service platform that offers total control.”

Government agencies and defense contractors are required to adhere to strict government regulations, including the International Traffic in Arms Regulations (ITAR) and the Federal Risk and Authorization Management Program (FedRAMP). AWS GovCloud (U.S.) is designed specifically for government agencies to meet these requirements.

By using FileCloud and AWS GovCloud (U.S.), agencies can create their own branded file sharing, sync and backup solution, customized with their logo and running under their URL. FileCloud on AWS GovCloud offers the required compliance and reliability and delivers options that allow customers to pick tailored cloud solutions. FileCloud is a cloud-agnostic solution that works on-premises or on the cloud.

“FileCloud allows us to set up a secure file service, on servers that meet our clients’ security requirements,” said Ryan Stevenson, Designer at defense contractor McCormmick Stevenson. “The easy-to-use interfaces and extensive support resources allowed us to customize who can access what files, inside or outside our organization.”


FileCloud Unveils ‘Breach Intercept’ to Safeguard Organizations Against Ransomware

FileCloud, the cloud-agnostic EFSS platform, today announced FileCloud Breach Intercept. The newest version of FileCloud offers advanced ransomware protection to help customers handle every phase of a cyberattack: prevention, detection and recovery.

FileCloud is deployed across 90 countries and has more than 100 VARs and Managed Service Providers across the world. Deployed by Fortune 500 and Global 2000 firms, including the world’s leading law firms, government organizations, science and research organizations and world-class universities, FileCloud offers a set of unique features that help organizations build effective anti-ransomware strategies.

Global ransomware damage costs are expected to total more than $5 billion in 2017, compared to $325 million in 2015. Ransomware is growing at an estimated yearly rate of 350 percent, with business enterprises becoming the priority target for hackers. Enterprise File Sharing and Sync (EFSS) solutions have seen an increase in ransomware attacks, with 40 percent of spam emails containing links to ransomware. Whereas public cloud EFSS solutions such as Box and Dropbox offer centralized targets for ransomware attacks, FileCloud’s decentralized private cloud reduces your company’s exposure to potential attacks.

“Anyone with access to a computer is a potential threat, and the cloud their personal armory,” said Venkat Ramasamy, COO at FileCloud. “Why rummage through hundreds of houses when you can rob a bank? Hackers target centralized storage such as Dropbox or Box rather than self-hosted FileCloud solutions. The freedom to choose the cloud platform that best meets the unique dynamics of each business is our line in the sand of competitive differentiation.”

Breach Intercept

Cyberdefense via customization

The best defense against a phishing attack is to make sure your employees can differentiate genuine communication from malicious spoofing. Hackers can easily spoof email from public SaaS products, which have a standardized, easily falsifiable format. FileCloud offers unparalleled branding and customization tools, allowing you to set your own policies, and design your own emails and broadcast alerts. Customized emails and UX significantly reduce spoofing risk as hackers can’t run a mass spoofing unless they have an exact copy of an email from one of your employees.

Granular controlled folder access

With FileCloud Breach Intercept, you can set different levels of access between top-level folders and sub-folders. Administrators can set read/write/delete/share permissions for any user at any folder level, and permissions are not necessarily inherited according to folder structure, limiting propagation.

Real-time content / behavior heuristic engine

State-of-the-industry heuristic analysis works to detect threats in real time; suspicious content and user activity will activate security protocols and prevent ransomware from taking hold. For example, if FileCloud detects a file posing as a Word document, the system halts the upload and sends an alert to the administrator, preventing propagation of an attack.

Unlimited versioning and backup to rollback

Unlimited versioning and server backup help companies recover from any data loss accident, including ransomware. FileCloud can roll back not only employee files but also entire server files to any specific date and time before the attack.

FileCloud is available for immediate download from our customer portal. For more information or to download FileCloud Breach Intercept, please visit


Top 10 Predictions in Content Collaboration for 2018

Collaboration within the workplace is not a new concept. However, it has become increasingly crucial in this mobile world as we become more connected across the globe. The proliferation of cloud computing has given rise to a new set of content collaboration tools such as Dropbox, FileCloud and Box. These tools enable employees to effectively collaborate, subsequently leading to a more skilled, engaged and educated workforce. Content collaboration solutions allow employees within the organization to easily share information with each other, and effectively work together on projects irrespective of geographic location via a combination of networking capabilities, software solutions, and well-established collaborative processes. Content collaboration platforms are the evolution of Enterprise File Sharing and Sync (EFSS).
… You can read the full article at VMBlog.

GDPR – Top 10 Things That Organizations Must Do to Prepare

May 25, 2018 – that’s probably the biggest day of the decade for the universe of data on the Internet. On this date, Europe’s data protection rules – the European General Data Protection Regulation (GDPR) – become enforceable. In 2012, the initial conversations around GDPR began, followed by lengthy negotiations that ultimately culminated in the GDPR proposal. At the time of writing this guide (Sep 2017), most European businesses have either started making first moves towards becoming compliant with GDPR, or are all set to do so. Considering how GDPR will be a pretty stringent regulation with provisions for significant penalties and fines, it’s obvious how important a topic it has become for tech-powered businesses.

Now, every business uses technology to survive and thrive, and that’s why GDPR has relevance for most businesses. For any businessman, entrepreneur, enterprise IT leader, or IT consultant, GDPR is as urgent as it is critical. However, it’s pretty much like the Y2K problem in the fact that everybody is talking about it, without really knowing much about it.

Most companies are finding it hard to understand the implications of GDPR, and what they need to do to be compliant. Now, all businesses handle customer data, and that makes them subject to Data Protection Act (DPA) regulations. If your business already complies with DPA, the good news is that you already have the most important bases covered. Of course, you will need to understand GDPR and make sure you cover the missing bases and stay safe, secure, reliable, and compliant in the data game. Here are 10 things businesses need to do to be ready for GDPR.

Top 10 things that organizations should do to prepare and comply with GDPR

1. Learn, gain awareness

It is important to ensure that key people and decision makers in your organization are well aware that the prevailing law is going to change to GDPR. A thorough impact analysis needs to be done for this, and any areas that can cause compliance issues under GDPR need to be identified. It would be appropriate to start off by examining the risk register at your organization if one exists. GDPR implementation can have significant implications in terms of resources, particularly at complex and large organizations. Compliance could be a difficult ask if preparations are left until the last minute.

2. Analyze information in hand

It is necessary to document what personal data is being held, what the source of the data was, and who it is being shared with. It may be necessary for you to organize an organization-wide information audit. In some cases, you may only need to conduct an audit of specific business areas.

As per GDPR, there is a requirement to maintain records of all your activities related to data processing. The GDPR comes ready for a networked scenario. For instance, if you have shared incorrect personal data with another organization, you are required to inform the other organization about this so that it may fix its own records. This automatically requires you to know the personal data held by you, the source of the data and who it is being shared with. GDPR’s accountability principle requires organizations to be able to demonstrate their compliance with the principles of data protection imposed by the regulation.

3. Privacy notices

It is important to review the privacy notices currently in place and put in a plan for making any required changes before GDPR implementation. When personal data is being collected, you currently need to provide specific sets of information such as information pertaining to your identity and how you propose to use that information. This is generally done with a privacy notice.

The GDPR requires you to provide some additional information in your privacy notices. This includes information such as the exact provision in the law that permits asking for that data and retention periods for the data. You are also required to specifically list that people have a right to complain to the ICO if they believe there is a problem with the way their data is being handled. The GDPR requires the information to be provided in the notices in easy to understand, concise and clear language.

4. Individual rights

You should review your procedures to confirm that they cover all the individual rights set forth in the GDPR. These are the rights provided by the GDPR.

  • To be informed
  • Of access
  • To rectification
  • To erasure
  • To restrict processing
  • To data portability
  • To object
  • To not be subject to automated profiling and other such decision-making

This is an excellent time to review your procedures and ensure that you will be able to handle various types of user requests related to their rights. The right to data portability is new with the GDPR. It applies:

  • To personal data provided by an individual;
  • When processing is based on individual consent or to perform a contract; and
  • Where processing is being done by automated methods.

5. Requests for subject access

You will need to plan how to handle requests in a manner compliant with the new rules. Wherever needed, your procedures will need to be updated.

  • In most of the cases, you will not be allowed to charge people for complying with a request
  • Instead of the current period of 40 days, you will have only a month to execute compliance
  • You are permitted to charge for or refuse requests which are apparently excessive or unfounded
  • If a request is refused, you are required to mention the reason to the individual. You are also required to inform them that they have the right to judicial remedy and also to complain to the correct supervising authority. This has to be done, at the very latest, within a month.

6. Consent

It is important to review how you seek, record and manage consent and whether any changes are required. If they don’t meet the GDPR standard, existing consents need to be refreshed. Consent must be specific, freely given, informed, and not ambiguous. A positive opt-in is required and consent cannot be implied by inactivity, pre-ticked boxes or silence. The consent section has to be separated from the rest of the terms and conditions. Simple methods need to be provided for individuals to take back consent. The consent is to be verifiable. It is not required that existing DPA consents be refreshed as you prepare for GDPR.

7. Aspects related to children

It would be good to start considering whether systems need to be put in place in order to verify the ages of individuals and to get consent from parents or guardians for carrying out any data processing activity. GDPR brings in specific consent requirements for the personal data of children. If your company provides online services to children, you may need a guardian’s or parent’s consent so as to lawfully process the children’s personal data. As per GDPR, the minimum age at which a child can give her consent to this sort of processing is set to 16. In the UK, this may be lowered to 13.

8. Aspects related to data breaches

You should ensure that you have the correct procedures necessary to investigate, report, and detect any breaches of personal data. The GDPR imposes a duty on all companies to report specific types of data breaches to the ICO, and in some situations, to individuals. The ICO has to be notified of a breach if it is likely to impinge on the freedoms and rights of individuals, such as through damage to reputation, discrimination, financial loss, and loss of confidentiality. In most cases, you will also have to inform the concerned parties directly. Any failure to report a breach can cause a fine to be imposed apart from a fine for the breach by itself.

9. Requirements related to privacy by design

The GDPR turns privacy by design into a concrete legal requirement under the umbrella of “data protection by design and by default.” In some situations, it also makes “Privacy Impact Assessments” into a mandatory requirement. The regulation defines Privacy Impact Assessments as “Data Protection Impact Assessments.” A DPIA is required whenever data processing has the potential to pose a high level of risk to individuals, such as when:

  • New technology is being put in place
  • A profiling action is happening that can significantly affect people
  • Processing is happening on a large set of data

10. Data protection officers

A specific individual needs to be designated to hold responsibility for data protection compliance. You must designate a data protection officer if:

  • You are a public authority (courts acting in normal capacity exempted)
  • You are an institution that carries out regular monitoring of individuals at scale
  • You are an institution that performs large-scale processing of special categories of data such as health records or criminal convictions

Many of GDPR’s important principles are the same as those defined in DPA; still, there are significant updates that companies will need to do in order to be on the right side of GDPR.

Author: Rahul Sharma