How challenging is it to ensure the security of your customer data in a complex legal landscape?

When it comes to web application and API security, legal compliance with GDPR and the upcoming NIS 2 Directive is relatively straightforward if you follow the guidance from the major hosting and security vendors.

When your objective is not just compliance but actual data protection and security, there are at least three additional points to consider.

  • 1) Is your hosting center under a jurisdiction beyond the EU?
    For example, the US CLOUD Act makes most Amazon Web Services hosting subject to US data access requests even if the data is stored entirely within EU borders. Who owns your data center matters not just for how it is run, but for who can be compelled to hand over access to it.
  • 2) Your security strategy is not explicitly a requirement of GDPR or NIS 2.
    However, if you have read this far you are obviously looking for something better than minimum legal EU compliance. UTM (unified threat management) is a general security commodity and basic security hygiene for multilayer protection of networks and hosted web services and APIs. Certifications issued by EU agencies such as ANSSI or BSI attest not only to effectiveness but also to alignment with EU privacy rules and regulations; such certifications are relatively rare for products such as WAAP/WAF.
  • 3) Lastly, as with hosting, the vendor's country of origin matters for extra-territorial data access (e.g., the USA PATRIOT Act and the CLOUD Act).
    Unfortunately, all the major vendors in Gartner's reports are from the USA and Israel and carry the additional access risk that comes with their ownership. Building a security strategy from best-in-class products of small and medium-sized EU vendors may increase your purchasing complexity, but it brings the benefits of real data sovereignty, better performance, and better access to support.

In short, to truly protect data and embrace EU privacy and security concepts requires certified EU suppliers, which means moving security and data protection away from the standard suites of the major vendors toward point solutions from smaller, more focused EU vendors. As an added benefit, EU companies that follow this strategy get more vendor attention, better support, and solutions better tailored to their exact needs.

Ensuring customer data security in a complex legal landscape is challenging as web services proliferate and the data they process grows in value. Adhering to GDPR and the upcoming NIS 2 Directive is crucial, with potential fines for non-compliance. Organizations can reduce their risk by choosing cybersecurity products certified by EU agencies such as ANSSI or BSI, which helps ensure alignment with regulations, data sovereignty, nearby support, and accountability.

New web services are appearing at a rapid pace. From e-commerce platforms to healthcare solutions, the proliferation of web applications and APIs shows no signs of slowing down, and the data processed by these applications holds immense value. Application vulnerabilities are therefore a pressing concern that demands serious attention.

Keeping your customer data safe in the European Union involves adherence to the General Data Protection Regulation (GDPR), which sets strict guidelines for the processing and transfer of personal data within the EU.

Did you know that by 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive? NIS 2 is a European Union directive aimed at raising the cybersecurity posture of critical infrastructure operators and digital service providers.

In case of breaches, the GDPR allows fines of up to €20 million or 4% of global annual turnover, whichever is higher, while NIS 2 requires EU member states to impose fines for non-compliance, with the maximum amounts varying by country.

Companies must therefore demonstrate their commitment to data security to avoid potential fines, in a market where cybersecurity vendors are predominantly American companies. This creates a further risk linked to the CLOUD Act. The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows U.S. authorities, under certain circumstances, to compel U.S.-based companies to hand over data they hold, regardless of where that data is physically located.

What alternatives are available?

Organizations can host their services in sovereign clouds that have no ties to the United States, and secure their web applications there with a Web Application Firewall (WAF) or a WAAP (Web Application and API Protection) solution. A WAAP secures the HTTP flow. HTTP (Hypertext Transfer Protocol) is the protocol by which a client (such as a web browser or a mobile application) communicates with a server. To inspect that flow for attacks, the WAAP terminates TLS and works on the decrypted traffic. This means that, potentially, all personally identifiable information passing through it is readable by the WAAP, and therefore by whoever controls the WAAP. A WAAP could thus be turned into a tool for espionage.
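As an added example (not code from the original post or from Ubika), the following constructed Python model shows what a WAAP inspection hook actually sees once the flow has been decrypted, and the check a practitioner would want next to it: masking personal data and credentials before any inspection result leaves the trust boundary, for instance into log shipping or a vendor's cloud analytics. The sample request, the detection rule and the field lists are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample body: a form post with personal data in it.
BODY = b"name=Anna+Muster&email=anna%40example.org&iban=DE89370400440532013000&note=x"

# What the inspection engine receives AFTER TLS termination. In front of the
# WAAP this was ciphertext; behind it, every byte is readable.
DECRYPTED_REQUEST = (
    b"POST /api/v1/patients HTTP/1.1\r\n"
    b"Host: clinic.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token\r\n"
    b"Content-Length: %d\r\n\r\n" % len(BODY)
) + BODY

# Constructed detection rule in the style of a classic WAF SQL-injection signature.
SQLI_RULE = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)")

# Fields and headers an operator treats as personal data or credentials and
# must not let leak into inspection telemetry (constructed lists; a real
# deployment would tune these per application).
PII_FIELDS = {"name", "email", "iban"}
SENSITIVE_HEADERS = {"authorization", "cookie"}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], Dict[str, List[str]]]:
    """Split a plaintext HTTP/1.1 request into request line, headers and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return request_line, headers, fields


def inspect_request(raw: bytes) -> dict:
    """The inspection hook. Returns the verdict together with the full plaintext
    view the engine had, to make the visibility explicit."""
    request_line, headers, fields = parse_request(raw)
    matched = [name for name, values in fields.items()
               if any(SQLI_RULE.search(v) for v in values)]
    return {
        "request_line": request_line,
        "headers": headers,
        "fields": fields,
        "matched_fields": matched,
        "verdict": "block" if matched else "allow",
    }


def redact_for_export(view: dict) -> dict:
    """Mask PII and credentials before an inspection result leaves the trust
    boundary (SIEM forwarding, vendor cloud analytics, support bundles)."""
    safe_headers = {k: ("[REDACTED]" if k in SENSITIVE_HEADERS else v)
                    for k, v in view["headers"].items()}
    safe_fields = {k: (["[REDACTED]"] * len(v) if k in PII_FIELDS else v)
                   for k, v in view["fields"].items()}
    return {**view, "headers": safe_headers, "fields": safe_fields}


if __name__ == "__main__":
    view = inspect_request(DECRYPTED_REQUEST)
    print("verdict:", view["verdict"])
    print("readable by the engine:", view["fields"]["email"], view["headers"]["authorization"])
    print("what should leave the boundary:", redact_for_export(view)["fields"]["email"])
```

The point of the two functions side by side is that the engine must see the plaintext to do its job; what an operator controls is where the decrypted view is allowed to travel afterwards, and who runs the component that holds it.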

Which trustworthy solutions can safeguard my web applications and my data?

There are cybersecurity products certified by EU agencies such as the French ANSSI or the German BSI. These products undergo rigorous evaluation, which attests to their reliability and their alignment with defined security standards, and ultimately contributes to a stronger cybersecurity posture.

A certified WAAP helps implement robust cybersecurity measures to protect against cyber incidents and supports prompt incident response and reporting. It also helps organizations address the specific security challenges of web applications and APIs, which are prime targets for cyber-attacks.

Choosing such a solution from a certified European company offers several advantages:

  • 1) Compliance with European regulations: the WAAP solution aligns with regional legal requirements, giving confidence in data security and privacy compliance.
  • 2) Data sovereignty: hosting the WAAP solution with a European company helps ensure that the data remains subject to European data protection law and is less exposed to foreign government surveillance or data access requests.
  • 3) Proximity and support: being located in the same region means quicker response times for support and assistance.
  • 4) Quality and accountability: working with a trusted European company, subject to European business standards and regulations, brings greater trust and accountability. This provides assurance about the reliability and integrity of the WAAP solution and the company's commitment to its customers.

Overall, the choice to invest in a certified WAAP not only strengthens the security posture of a European company but also builds trust among its clients, reassuring them that their personal data is in safe hands and will not be exploited by unauthorized parties.

Posted by Fabien

Assistant Webmarketing @ Ubika