When it comes to data privacy and cloud collaboration, it can be hard to decipher what is needed to achieve your goals. What is deemed private for one country or region might not be considered sufficient in another. Every jurisdiction has its own rules about how to handle data in the cloud. It is important to not only meet local compliance requirements, but also achieve best practice privacy management that can follow you wherever you go.
Data privacy is becoming a fundamental need for every organization around the world to ensure that their users’ and customers’ legal privacy requirements can be met. But there is often ambiguity around the best-practices in keeping the data protected. Should you worry about data residency? Compliance? Certifications? The most important thing is to understand the goals of your privacy program. When you are clear about your goals, you can ask the right questions and choose a cloud collaboration solution that meets your needs and keeps your data protected.
For most organizations, there are 3 key considerations when it comes to data privacy in cloud collaboration:
#1: Organizational data governance: Are you able to control what information is shared inside and outside of your organization?
#2: Regulatory compliance: Are you compliant with local or industry regulations?
#3: Trust in your provider: Can your collaboration provider demonstrate that they are able to safeguard your data?
Do you have full control of your data? Security leaders say a top concern is being able to control the information that is shared from within their organization. They want to make sure sensitive information is not accidentally or maliciously leaked by users when using their collaboration tools. It is extremely important to protect your organizational boundaries and rules while enabling users frictionless collaboration.
When thinking about data governance, important questions to answer include:
· Who can collaborate with whom?
· What can or cannot be shared?
· What happens if violations occur?
· What kind of controls are provided to data controllers?
With real-time data loss prevention (DLP), IT administrators can prevent sensitive data from being accessible by any user, internal or external. These capabilities are powered by Cisco Cloudlock (with the capabilities extended to our partner ecosystem). They flag content in a data loss prevention (DLP) system, whether it is spoken, shared, or shown.
Our ethical walls capability is another powerful tool that allows Webex administrators to prohibit Webex interactions between various departments within their organization. A department can be prohibited from communicating with up to five separate groups.
And with Webex, administrators always have control of their organization’s privacy with user profile controls that remove personal information when the service is deprovisioned, controls on user generated content that specify how long information is stored, controls on data systems that have a default period for metadata retention, and sub processor management information from the Cisco privacy data sheets.
Laws surrounding your business could have regulatory requirements for communications within and outside your organization. Depending on your region, governments may demand protection and commitments to data privacy as well. Since more organizations are interested in implementing data localization programs, they want to be certain that your service provider can keep your data local. According to Cisco’s recent data privacy benchmark study, 92 percent of security professionals say data localization is important to their organization and that it is needed to safeguard personal data.
To ensure your data localization goals are met, your provider must have the ability to keep data in your country or region. That does not necessarily mean your provider needs a data center in your region, rather they need to be able to securely store and process data in your region.
Allowing customers to keep their data stored locally because of specific data locality and local compliance needs has been a driving factor in the Webex approach. The Frankfurt and Amsterdam data centers allow E.U. Webex customers the choice to keep their data stored in the E.U. Users can be confident in knowing that their data — including meeting artifacts, messages, files, and whiteboards — will never leave the region. Similarly, Webex users in Canada have the option of keeping their content completely within their country.
Additionally, our commitment to security and privacy is demonstrated by numerous certifications that include SOC2, CSA Star level 1 and 2, ISO 27001, 27017 and 27018, HIPAA Self Assessments, plus rigorous penetration testing, third-party audits and a variety of added meeting and calling security and privacy options. Webex is the first cloud service provider to be certified by the EU Code of Conduct. The EU Cloud Code of Conduct pledges to provide legal certainty for cloud service providers, demonstrating compliance with data protection rules.
The provider of your services is typically considered a data custodian, while your organization is the data controller. When your end users have privacy related requirements, does your provider have sufficient controls you can exercise to meet those needs? And are they sufficiently transparent about that? What about sub processors – where else does the data flow and what is it used for?
Trust can be manifested in many ways – Including product, principles, and commitment.
1. Product: Data protection, privacy, and security requirements should be integrated into the product. It should be considered in design and development and throughout the entire product lifecycle. We like to say it needs to be built-in, not bolted on as an afterthought. And various security frameworks need to be applied in the product to protect data and customers, such as zero trust end-to-end security.
Webex uses a variety of controls to protect data, including Zero Trust end-to-end encryption. All communications on the Webex Meetings platform occur over encrypted channels. Organizations with a heightened need for data confidentiality may want to manage their encryption keys so they can control who has access to them and who can use them to decrypt the content. For these customers, we offer an uncomplicated way to set up and manage their keys in the cloud through our bring your own key (BYOK) capability. The keys can be used with Webex Messaging, including messages, files and whiteboarding, as well as Webex Meetings content, including recordings, transcripts and calling (voicemail).
2. Principles: A provider’s principles and values in today’s digital world should guide you in your selection. Principles like transparency or respect for data rights will drive the handling of the data today and in the future evolution of technology. For example, as artificial intelligence starts becoming prominent in collaboration, these principles will drive the responsibility and accountability in data handling. Webex has the most mature and comprehensive standards for data handling.
Cisco has provided customers with a single on-line location for data processing information, the Trust Portal since December 2017, which includes Privacy Data Sheets and Privacy Data Maps. Data Protection Impact Assessments (DPIA), are an integral part of the Cisco Privacy Program, including recurrent reassessments to reflect product developments. The publicly available Privacy Data Sheets are, essentially, summaries of the privacy assessments that serve as privacy notices to our customers. Cisco’s Security and Trust Organization coordinates the data incident response process and manages the enterprise-wide response to data-centric incidents. This group manages the receipt, investigation, and public reporting of security vulnerabilities related to Cisco products and networks. The team works with customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
3. Commitment: Providers need to demonstrate that they are consistently rising to the challenge of changing security, privacy, and compliance demands. That includes getting and pursuing authorizations, certifications, and proof they meet regulations for your region or industry. Compliance may mean proving they can meet data localization requirements by having data centers in your country.
Cisco has always put security and privacy first. That is why we integrate data protection, privacy, and security requirements into product design and development methodologies throughout the entire product lifecycle and use various security frameworks to protect our data and those of our customers. We build all products in accordance with the Cisco Secure Development Lifecycle (SDL), which includes privacy impact assessments, proactive penetration testing, and threat modeling.
Your collaboration provider should be able to demonstrate their candidacy for your trust on a variety of different dimensions and keep your data safe while in-transit and when stored in the cloud, and at the location you desire. Webex takes proactive measures to provide the highest level of security and privacy. The process begins with privacy built in from the very start of design through to the constant testing and awareness of threats. The future of Webex entails constant advancements in protecting data at every level.
For more information, contact Webex Sales Cisco Webex | Contact Sales