EU DATA PROTECTION COMPLIANCE WHEN SECURING SAAS APPLICATIONS

Transcription

1 White Paper EU DATA PROTECTION COMPLIANCE WHEN SECURING SAAS APPLICATIONS Introduction Palo Alto Networks takes data protection very seriously. Complying with data protection requirements and enabling its customers to be compliant when using its products is equally important for Palo Alto Networks. The purpose of this white paper is to clarify how Networks Aperture SaaS security service can be used in compliance with EU data protection requirements, including the upcoming EU General Data Protection Regulation. The GDPR is the European Union s forthcoming personal data protection law. In May 2018, the GDPR will replace the 1995 Data Protection Directive, significantly changing the rules surrounding protection of personal data of EU residents. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper

2 The GDPR applies to entities that control or process personal data on EU residents. Personal data is given a broad definition that includes: 1. Data that identifies a person or can be used to contact a person (e.g., name, address, date of birth, user ID) 2. Data that identifies a unique device (potentially) used by a single person (e.g., an IP address or unique device ID) 3. Data that reflects or represents a person s behavior or activity (e.g., location, applications downloaded on a device, websites visited, etc.) 1 This white paper explains: How Aperture works How Aperture processes personal data Legitimate use of Aperture under EU data protection law Relevant international data transfer principles Data retention, deletion and security Summary of legal considerations when implementing Aperture in the EU 1 GDPR Article 4 (1): personal data means any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 2

3 CONTENTS 1. Aperture How Aperture Processes Personal Data Who Is Data Controller and Who Is Data Processor? Providing Legal Justification for the Use of Aperture... 6 a. Security as Legitimate Interest... 6 b. Balancing Legitimate Interest and Fundamental Rights of Users... 6 c. Sensitive Data Storage and International Data Transfers Data Retention and Deletion Data Security Amazon Web Services Legal Considerations When Implementing Aperture in the EU... 9 a. Policies... 9 b. Employee Privacy Notice... 9 c. Workers Council Review... 9 d. Data Protection Officer... 9 e. Access to Personal Data Summary Additional Resources Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 3

4 1. APERTURE Aperture SaaS security service adds to Palo Alto Networks Next-Generation Security Platform, providing a unique approach to securing enterprise SaaS applications. Aperture provides safe enablement across all user, folder and file activity within the SaaS application, and provides detailed analysis and analytics on usage to prevent data risk and compliance violations. Integration of Aperture with Palo Alto Networks WildFire cloud-based threat analysis service prevents known and unknown threats from spreading through enterprise SaaS applications, preventing a new insertion point for malware. Data resident within enterprise-enabled SaaS applications may not be visible to an organization s network perimeter. Aperture can connect directly to enterprise SaaS applications to provide: Data classification and monitoring Data Loss Prevention capabilities User activity tracking for anomalies Known and unknown malware prevention This yields unparalleled visibility, allowing organizations to inspect content for data risk violations and control access to shared data via a contextual policy. 2. HOW APERTURE PROCESSES PERSONAL DATA Aperture makes a temporary copy of all data stored in SaaS services to which the customer has enabled access. Aperture copies the files in a secure multitenant environment hosted in Amazon Web Services (AWS ) cloud data centers and analyzes them to detect violations of the customer s rules and policies. The required retention of the temporary copies is currently 48 hours, the minimum time needed to undertake the exercise (this may change as technology evolves). The results of the analysis are made available to the customer through reporting features in the customer interface. Aperture stores the results of each file s analysis, along with any metadata about that file, such as file creation, access dates, and usernames of those who created and accessed the file. The specific metadata available for capture by Aperture varies based on the metadata made available by the SaaS provider. Aperture looks for known patterns of data, such as credit card numbers, or other violations of the policies determined by the customer. If the analysis identifies a violation of policy, a snapshot of the relevant data found is captured and logged in the Aperture system, with approximately 100 bytes of data adjacent to the identified content. CUSTOMER MAINTAINS COMPLETE CONTROL OF ACCESS TO DATA The Customer controls and determines the scope of the scanning and can configure Aperture to access only those SaaS services or tenants it wants to scan. Customer also determines the rules and policies against which the scanning is undertaken. Furthermore, the customer s systems administrator determines which users can be authorized to view data and reports in the Aperture interface. Palo Alto Networks can only access the data if the customer s customer s system administrator configures Aperture to allow it. There is no access to data by Palo Alto Networks in the normal course of operations. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 4

5 Palo Alto Networks does not perform any activity on the content of the files scanned by by Aperture, apart from detecting policy violations. However, Palo Alto Networks acknowledges that some files may contain personal data as defined by EU data protection law, 2 and that such data may be relevant for Aperture file analysis and accordingly will be processed 3 under EU data protection law. Therefore, Palo Alto Networks ensures that any processing it carries out will comply with EU data protection law to enable customers using Aperture to remain compliant with relevant legislation. 3. WHO IS DATA CONTROLLER AND WHO IS DATA PROCESSOR? Aperture scans the cloud-based data and processes the relevant personal data on behalf of the customer to detect, report and remediate any policy violations. Per relevant data protection laws, the customer, as data controller of the personal data scanned by Aperture, must comply with applicable privacy laws. According to art. 4, para. 7 and 8 of the GDPR: controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; The customer determines the purposes and scope of the data processing (which applications to monitor, the rules and policies to apply when scanning, and who can access the data provided by Aperture) to enable policies enforcement and remedy violations. 2 According to art. 4, para. 1 of the GDPR, personal data means any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 3 According to art. 4, para. 2 of the GDPR, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 5

6 4. PROVIDING LEGAL JUSTIFICATION FOR THE USE OF APERTURE EU data protection laws establish that an entity can legitimately process personal data if: The use of personal data is lawful It is authorized as a data processor with appropriate contractual terms Under art. 6, para. 1 of the GDPR, processing personal data is lawful when: The individual data subject has given his consent, or It is necessary to process the data for a contract with the data subject because the controller has a legal obligation to process the data to protect the vital interests of the data subject; for a task carried out in the public interest, or The controller has a legitimate interest, and that interest is not overridden by the individual data subject s rights and interests Legitimate interest, is the most relevant justification for processing personal data through Aperture. a. Security as Legitimate Interest In the context of security and security services, legitimate interest is generally recognized as a valid legal basis for processing of personal data. In recital (49), the GDPR specifically recognizes that processing personal data for information security reasons is a legitimate interest: The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. Furthermore, the Article 29 Working Party (a group of representatives from the EU data protection authorities) explicitly stated, in its Opinion 06/2014 on the notion of legitimate interest of data controllers, that data processing for the purposes of physical security, IT and network security can be legal based on the legitimate interest exception. b. Balancing Legitimate Interest and Fundamental Rights of Users As set out expressly in recital 49 of the GDPR, legitimate interest provides a legal ground for processing of personal data provided (i) such processing is necessary for the legitimate interest, because such purpose cannot be achieved through other less invasive means, and (ii) it is proportionate, in that it meets the balancing test when weighed against the interests and fundamental rights of individual data subjects. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 6

7 The use of a tool like Aperture can be considered necessary because the increased possibilities of uploading content into the cloud, and the interaction with cloud and SaaS applications, lead to increased threats to the security of companies information, including trade secrets and confidential Information. Thus, the use of Aperture is necessary for the protection of companies infrastructure and information, including personal data that companies are required to protect. Furthermore, Aperture can be used in a proportionate manner by applying appropriate rules and policies, and by refraining from excessive monitoring of employees behavior. Also, Aperture is designed so that files are stored only to the extent necessary for the analysis required by the service. User activity data logged in the Aperture system is retained by Palo Alto Networks for 90 days. Metadata about analyzed files is retained as long as the customer keeps the service active. The customer can always control the retention of the metadata by cancelling the account. Against this background, it is important that customers configure Aperture by applying appropriate rules and policies to avoid excessive monitoring of employee behavior, and to use Aperture exclusively for necessary security purposes. c. Sensitive Data Processing certain special categories of data, also called sensitive data (such as health data), 4 subject to specific restrictions. The legitimate interest justification to data processing does not apply to processing sensitive data under European data protection law (GDPR and national laws). However, data protection authorities have recognized that if the inadvertent processing of sensitive data by security tools cannot be avoided, data processing for security purpose does not become unlawful per se, because otherwise companies would be unable to comply with the information security obligations they have under general corporate governance policies, under applicable information security laws such as the EU Network and Information Security (NIS) Directive, 5 as well as under EU data protection laws. 6 Accordingly, the Article 29 Working Party recognized that: preventing or making very difficult any monitoring activities (which in many cases are not only lawful but even also desirable such as those directly aimed at guaranteeing the security of the system), by the simple fact that the processing of certain sensitive data might be unavoidable involved, does not seem acceptable either. 7 4 Full list according to art. 9, para. 1 of the GDPR: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. 5 Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). 6 EU data protection law requires the implementation of technical and organizational measures which ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ( integrity and confidentiality ), Art. 5 para 1 f) GDPR. 7 Article 29 Working Party, Working Document on the surveillance of electronic communications in the workplace, adopted 29 May 2002, (WP55) p. 17. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 7

8 Therefore, the use of security tools can be considered permissible even if it includes processing sensitive data, provided such data is not the specific target of the monitoring, but rather an unavoidable technical by-product of the monitoring. This is in line with industry practices and uncontested by data protection authorities in practice. Users should be aware of this issue and not draft the policies or rules for Aperture monitoring in a manner that targets specifically sensitive data. Finally, Aperture contains measures to prevent exposure of sensitive data. Typical sensitive data, such as Social Security numbers and national IDs, are masked by default and can only be unmasked by the customer s system administrator. 5. STORAGE AND INTERNATIONAL DATA TRANSFERS There is no transfer of data outside of the EEA in the normal course of operations, if customers have chosen Europe as the region of storage of their data. Palo Alto Networks offers its customers the possibility to enter into data transfer agreements based on the EU Standard Contractual Clauses between the customer and Palo Alto Network, Inc. in the United States, in the event this is necessary to legitimize potential access by Palo Alto Networks affiliates outside the European Union. 6. DATA RETENTION AND DELETION In general, data is retained by Aperture as required by the purpose, and the customer can control data retention and request data deletion. The temporary copies of files created by Aperture for analysis are deleted as soon as the analysis has been completed, which is currently within 48 hours. In addition, metadata is retained as long as the service is active, but customers can request removal at any time by requesting to disable the account. User activity logged by the system is retained for 90 days. Furthermore, if customers disable a policy from the product, all related data is deleted. In summary, all data is deleted as soon as necessary, and in any case as soon as requested by the customer. 7. DATA SECURITY Any files stored on Aperture servers or processed by Palo Alto Networks are secured with state-of-the-art technologies, and Palo Alto Networks operates rigorous technical and organizational security controls in compliance with EU data protection laws. Metadata and scan results are encrypted while in the Aperture environment. Each customer has a unique and exclusive key to encrypt and decrypt such data, and all processing occurs in a virtual environment dedicated exclusively to that customer. Data is transferred from SaaS applications to the Aperture environment using SSL/TLS to the extent enabled by the applications. All data stored within the customer s Aperture instance can only be accessed by the customer s administrator or users authorized by the administrator. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 8

9 8. AMAZON WEB SERVICES Aperture data is stored in data centers owned and managed by AWS. Data is encrypted and AWS has no access to the data and does not perform any activity on the data. The relevant AWS data centers are located in different regions. Data is stored in the region chosen by the customer (e.g., EU customers can choose that their data be stored in the German data center). For multitenancy purposes and for international companies, data may also be located exceptionally in other data centers or accessed from other regions. In the event of international data transfer, Palo Alto Networks has executed appropriate data processing terms inclusive of the EU Standard Contractual Clauses. For more information about AWS and its security certifications, please visit 9. LEGAL CONSIDERATIONS WHEN IMPLEMENTING APERTURE IN THE EU Even though the implementation of Aperture is based on the legitimate business interest of the customer, it is advisable to work with legal counsel to consider all legal implications of adopting Aperture. Below are a few examples of legal considerations. a. Policies It is important to have in place adequate policies that govern monitoring of electronic activities in the workplace, such as an Acceptable Use Policy, Privacy Policies, Data Classification Policy, etc., to support the purpose of Aperture: detecting violations of privacy and security policies and enforcing them in the workplace. To be enforceable, such policies must be implemented as required by applicable data protection laws and in compliance with legal restrictions to employee monitoring in the workplace. Such requirements may vary on a country-by-country basis. b. Employee Privacy Notice Data protection laws require employers to provide their employees with adequate notice when processing their personal data in the workplace. Since Aperture processes personal data in the context of the employment relationship, the relevant data processing should be addressed in the privacy notice provided to employees. c. Workers Council Review Based on applicable laws and a company s organization, it may be required to consult with the Workers Council or to get the council s approval before implementing Aperture in the workplace. d. Data Protection Officer For companies that have appointed a DPO, it may be appropriate or required to inform the DPO of the adoption of Aperture. e. Access to Personal Data Access to personal data should be based on the principle of business need to know. Aperture should be configured so that only authorized employees can access reports and information regarding policy violations. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 9

10 10. SUMMARY By implementing Aperture in compliance with applicable data protection laws, customers can protect the security of data in their enterprise SaaS applications based on the legitimate interest recognized by EU data protection laws. Also, by helping to prevent accidental data exfiltration, leakage or sharing by the internal and partner communities of users across the entire infrastructure, Aperture contributes to maintaining compliance with GDPR. End users are amongst the most common risks, particularly when using SaaS applications. Often untrained and unaware of the risks they bring, their actions can result in accidental personal data leakage. Implementing a Platform Approach With our Next-Generation Security Platform, each critical stage within the attack lifecycle is met with a defense model to prevent data exfiltration. From the attacker s initial attempt to breach the perimeter, to delivering malware or exploiting the endpoint, to moving laterally through the network until the attacker reaches the primary target and attempts to exfiltrate personal and sensitive data. Our security platform prevents data exfiltration and leakage in several ways: Security at the network. To protect data within your organisation, built-in data filtering profiles on the nextgeneration firewall help prevent accidental data leakage at the network layer. System administrators can apply policies to inspect and control content traversing the network to help limit unauthorised transfer of sensitive data, such as credit card numbers. Security at the SaaS level. Organisations need to control access to SaaS applications, enforce policy controls on information sharing and stop data leakage. These capabilities (e.g. User-ID, App-ID and Content-ID technologies) are delivered through our platform using the next-generation firewall and Aperture SaaS security service. The next-generation firewall analyses all traffic from your network to SaaS applications and back. However, certain cloudbased activity can be invisible to in-line security services, such as data sharing permissions or accessing cloud-based data from outside the network (without VPN). In this case, Aperture complements the nextgeneration firewall, using SaaS APIs to connect directly to the SaaS applications themselves. This makes it possible to see everything users have uploaded or shared. With Aperture, users can view and monitor file uploads across all assets in enterprise SaaS applications, such as Box, Microsoft Office, Dropbox, Salesforce, Secure Data Space and more. Policies can then be applied to monitor and enforce responsible use of assets (including personal data) and protect against accidental data leaks caused by human errors, such as promiscuous or inadvertent sharing, and sharing content using links that may be exposed to the internet. If a policy violation is detected, an alert is generated. If configured, Aperture takes automatic action to remediate the risk. Security at the endpoint. Traps advanced endpoint protection employs a multi-method approach to preemptively block known and unknown threats, including zero-day exploits and unknown malware, from compromising endpoints. Palo Alto Networks EU Data Protection Compliance When Securing SaaS Applications White Paper 10

11 Stopping credential theft. Stolen credentials are a common threat vector for data breaches, given it is relatively simple to steal a password and gain the level of access desired. Our platform provides the capabilities to break up credential-based attacks across the attack lifecycle. Often, attackers will use credential phishing attempts, sent via or social media, to trick users into submitting corporate credentials in a fraudulent form. Our platform stops credential leakage by preventing users from submitting credentials to unknown and unauthorised sites. Because stolen credentials are typically used to access critical systems inside the organisation, we also establish protections against lateral movement by enforcing multi-factor authentication policies that govern access to these critical applications where sensitive data is contained. In addition, AutoFocus contextual threat intelligence service can ingest third-party threat intelligence sources and turn them into prevention across our security platform through our MineMeld threat intelligence syndication engine. Once indicators of compromise are collected, MineMeld can filter, de-duplicate and consolidate metadata across all sources, allowing security teams to analyse a more actionable set of data, enriched from multiple sources, for easier enforcement. 11. ADDITIONAL RESOURCES Additional information on how Aperture processes personal information can be found in the Aperture product privacy datasheet at How the Next-Generation Security Platform contributes to GDPR compliance: Information on all Palo Alto Networks certifications, including SOC2: Palo Alto Networks Oval Tower De Entrée , 5th Floor Amsterdam, The Netherlands EMEA Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at trademarks.html. All other marks mentioned herein may be trademarks of their respective companies