Only 1% of cloud providers meet proposed EU Data Protection requirements?

September 4th, 2014 / smarter identity, security and compliance

I was pretty surprised to see this statistic in a recent article in Help Net Security. After all, we live and work in a global world, and the cloud is by its very nature a transnational environment. The article quotes research from Skyhigh Networks, a cloud security provider, which concluded that, based on data collected from its internal register of over 7,000 cloud service providers, 99% of cloud services do not meet the requirements of the EU General Data Protection Regulation that’s due to come into effect next year.

This regulation includes:

  • The right to be forgotten / data infidelity and deletion policies
  • Data residency
  • Data breach detection and notification
  • Encryption and secure passwords

Currently, the penalties vary from country to country, but under the new regulation, the proposed penalties for violating the new laws can be up to five percent of a company’s annual revenue, or up to €100 million. In short, companies working with EU customers and/or data need to pay close attention to these changes.

If you’re already a OneLogin customer, you can breathe a sigh of relief, because we’re in the 1% of compliant cloud service providers - in fact, Skyhigh Networks gave us their highest designation, Skyhigh Enterprise-Ready. If you’re not, you might want to mention that fact to your non-compliant cloud service providers, because our solutions can help them to meet the EU General Data Protection requirements.

OneLogin closely monitors the changing EU privacy landscape and, since early this year, has offered a European data residency option that provides cloud-based Identity and Access Management solutions and on-demand Single Sign-On services hosted at EU data centers. This enables us to provide our clients with a service that meets European data residency and compliance standards, as well as other location preference requirements.

Our service lets clients host their user identities exclusively within the EU service provider data centers; the separation from our US-based data centers ensures compliance with these latest EU data protection guidelines. Additionally, as EU-US discussions on the issue of Safe Harbor continue, our EU clients might also in the future have the option of hosting their systems in the US data centers, since OneLogin is already complying with the Safe Harbor program. As noted by Constellation Research, “Multinational businesses need to be aware of how they become both obligated and restricted by data center location, and they need to be sensitive to end users’ concerns.”

Unless a cloud service provider takes the approach of leveraging mechanical typewriters, as some German and Russian government agencies are contemplating, no technology provider can guarantee to prevent government surveillance of corporate data. And that extends to companies asserting the right to share customer data with third parties (some 23% of the providers surveyed by Skyhigh Networks), which makes it challenging to comply, without exception, with “right to be forgotten” legislation.

With high-profile European clients like News International and Reed Recruitment, OneLogin cannot be anything other than highly conscientious when it comes to European data protection regulations. That’s why we have made the significant investments outlined in my last blog post. As Steve Wilson, Vice President and Principal Analyst at Constellation Research, noted, “The market requires a serious commitment to international privacy compliance, and vendors who deliver this capability will have an important competitive differentiator. Customers worldwide seek a choice in where they wish their users’ identity information and metadata to reside.”

Today, OneLogin is hosting our IAM solution in four geographically separate enterprise-grade data centers. Depending on your geographic requirements, you can choose which data centers are used to house your user information and metadata – which is important because that metadata can be extremely sensitive, depending on any individual user’s access rights and requirements. Remember the adage – if your data isn’t secure, it isn’t your data.

If you have any questions or concerns about OneLogin’s compliance with EU data protection requirements, now or in the future, don’t hesitate to let us know.

About the Author

Alvaro Hoyos is OneLogin’s Chief Information Security Officer and is tasked with architecting and leading the company’s risk management, security, and compliance efforts. Alvaro also works with prospects, customers, and vendors to help them understand OneLogin’s Security, Confidentiality, Availability, and Privacy posture and how it works alongside, or in support of, customers’ own risk management strategies. He has worked for over 15 years in the IT sector and, prior to joining OneLogin, spent 8 years working with startups, SMBs, and Fortune 500 companies on their security, compliance, and data privacy efforts.