Most enterprise organizations gather extensive security data from their information technology (IT) and operational technology (OT) infrastructure. While the sources of this security telemetry are important, the destination of that data is arguably more critical for organizations concerned with data sovereignty.
When security telemetry data is collected by endpoint agents or network probes, it is typically forwarded to one or more central analytics platforms. Examples of these include security information and event management (SIEM) systems as well as the central systems associated with endpoint-based (EDR) or network-based (NDR) threat detection and response systems. The location of these analytics platforms can have a material impact on data sovereignty.
Data sovereignty refers to an organization's right and responsibility to control the location and usage of its data. This is crucial for managing sensitive information and complying with data privacy and other regulations.
In this blog article, we explore the relationship between security telemetry and data sovereignty. We'll look at the challenges organizations face in maintaining control of their security data and discuss strategies for selecting technologies that prioritize data sovereignty.
What is Security Telemetry?
The security telemetry we are focused on here is the collection and transmission of data generated by your network devices, endpoints, and security tools. Telemetry can come from a number of sources, but our primary focus today is on the network security sensors and endpoint agents.
These telemetry sources automatically extract and record data from all over your network and send it back to a central hub for further processing and analysis. The result is insight into traffic patterns, system health, user activity and more, which helps IT and security operations teams identify and address threats effectively.
With data sovereignty in mind, let’s look at the two primary sources of security telemetry and the data they generate:
- Network Telemetry: Network security systems like Network Detection and Response (NDR) and Intrusion Detection/Prevention Systems (IDS/IPS) generate several kinds of telemetry that organizations need to be mindful of for data sovereignty purposes. The baseline is traffic metadata: source and destination IP addresses, ports used, and protocols involved. Beyond that, NDR can generate packet captures (PCAPs) containing the raw data transmitted across the network, as well as protocol logs that extract fields from it. Either can carry sensitive information such as usernames, clear-text passwords, or snippets of internal documents. These systems may additionally record user metadata that ties specific actions to user accounts or devices on the network.
Figure: clear text visible in network telemetry.
- Endpoint Telemetry: Endpoint security tools such as Endpoint Detection and Response (EDR) also generate a wealth of telemetry data that requires careful consideration for data sovereignty. This could include details on file activity, such as file creation, modification, and deletion events. Endpoint telemetry may also include user activity data, application usage tracking and even keystrokes or screenshots depending on the tool's configuration.
Figure: sample endpoint telemetry gathered by Microsoft Sysmon (System Monitor).
The telemetry gathered by network and endpoint security tools works together to provide a comprehensive view of your IT security posture. Network telemetry provides a bird's-eye view of network traffic, while endpoint telemetry gives you a closer look at what is happening on individual devices.
So, why does security telemetry matter in the context of data sovereignty?
It matters because security telemetry often contains highly sensitive information about an organization’s internal operations. Network telemetry can capture full packets and generate metadata containing clear text usernames, passwords, or even internal documents. Similarly, endpoint telemetry tracks file and user activity that could expose sensitive data. Data sovereignty becomes incredibly important when using these types of security systems.
Organizations need to ensure their sensitive telemetry data resides in locations that comply with regulations and is not accessible to unauthorized parties, which in turn protects confidential information and helps avoid fines and data breaches. Maintaining this level of control becomes both harder and more important when we consider the conflicting regulations governing data privacy around the world, especially as SaaS-based central analytics becomes more popular.
The Data Sovereignty Minefield
It is important to make the distinction between data residency and data sovereignty. While related, the two terms are not interchangeable:
- Data Residency refers to the physical location where data is stored and processed. That is, the geographical boundaries where your data resides.
- Data Sovereignty is more than the physical location. It focuses on legal control over the data. That is, who has the authority to access, use, manage, and delete the data?
Understanding these two concepts is vital to understanding the various regulations from around the world that organizations must navigate and comply with.
- United States: The two laws most often cited are the PATRIOT (Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act of 2001 and the CLOUD (Clarifying Lawful Overseas Use of Data) Act of 2018. The PATRIOT Act, passed in response to the terrorist attacks of September 2001, expanded the U.S. government's powers to compel companies to hand over records. The CLOUD Act clarifies that a U.S. provider served with a valid warrant or subpoena must produce data in its possession, custody or control regardless of the country in which that data is stored, and allows the U.S. to enter executive agreements with other governments for reciprocal access. For a non-U.S. organization, the practical effect is that telemetry held by a U.S.-headquartered vendor can be reachable by U.S. authorities even when the servers sit in the organization's home country.
- European Union: In the EU, the main data protection regulation is the GDPR (General Data Protection Regulation). GDPR does not explicitly mandate data localization, but it requires controllers to tell data subjects how their data is processed, including any intended transfer to a third country. This has led organizations to keep network telemetry containing personal data within the EU. More importantly, GDPR restricts transfers of personal data outside the EU to countries that provide an "adequate level of protection" or, failing that, to recipients bound by safeguards such as Standard Contractual Clauses. This directly affects organizations that store or process telemetry containing personal data with cloud or third-party providers outside the EU.
Understandably, these regulations can conflict, creating legal challenges and uncertainty for organizations operating in both regions. The invalidation of the Privacy Shield framework, a mechanism for data transfers between the U.S. and the EU, by the Court of Justice of the EU in its 2020 Schrems II judgment, on the grounds that U.S. surveillance law undermined the protection GDPR requires, highlights the ongoing tension.
Data sovereignty presents a complex issue for organizations operating in a globalized world. While it ostensibly aims to protect data privacy, it can also create significant challenges in terms of compliance, operations, and security in areas such as:
- Navigating a patchwork of regulations
- Keeping up with frequent changes
- Challenges to data accessibility and latency
- Increasing infrastructure cost
- Difficulties in vendor selection
Challenges with SaaS-Based Security Systems
Threat detection and response systems that depend on central analytics delivered as software as a service (SaaS) raise significant data sovereignty concerns for organizations subject to strict privacy regulations. Unlike traditional software deployments, where you choose where the software runs, many vendors who deliver their solutions exclusively as SaaS do not disclose where your data is stored and processed, which makes demonstrating data sovereignty difficult.
These analytics platforms may be hosted anywhere globally, making it difficult – if not impossible – to pinpoint the exact location of an organization’s security telemetry data.
This lack of control clashes with data privacy regulations in certain regions that mandate strict boundaries for data storage. There are a number of potential consequences an organization might face if it chooses a SaaS-based solution:
- Lack of Transparency: Unlike on-premise solutions where you control the physical location of your data, SaaS vendors often lack transparency regarding where they store your security telemetry data. Their analytics platforms could be spread across multiple locations, making it difficult or impossible to pinpoint. This uncertainty poses challenges for organizations that need to comply with regulations mandating data residency within specific borders.
- Loss of Control: By giving your security telemetry data to a SaaS vendor, you give up varying degrees of control over that data. The amount of control is dependent on the vendor and their practices. Regardless, by giving up control you lose influence on who has access to the data, how it is used, and under what circumstances it might be accessed by third-parties.
- Potential for Foreign Government Access: Data stored within a SaaS platform generally falls under the legal jurisdiction of the country where the vendor's infrastructure resides and, as the CLOUD Act illustrates, of the country where the vendor is headquartered. This creates a scenario where foreign governments, under specific circumstances, can access your organization's security telemetry data, even if it contradicts your home country's data privacy laws.
- Increased Risk of Data Breaches: Most SaaS vendors implement strict security controls, but a multi-tenant analytics platform aggregates the telemetry of many customers and is therefore a high-value target. A breach of the vendor's infrastructure could expose your organization's sensitive data alongside everyone else's.
- Vendor Lock-in: Once you are established with a SaaS vendor, it can be complex to migrate your telemetry data that has been scattered across various locations to a new solution. This could limit the ability to ensure data sovereignty in the future if regulations or security needs change.
Protecting Your Data: Know Your Choices
When it comes to telemetry data, there are a number of questions you should consider asking to ensure that your data is protected:
Securing Telemetry Communications
- Is there an “adequate level of protection”?
- Is transmission encrypted, and do sensor and central server authenticate each other so telemetry cannot be intercepted or redirected?
- Is sensitive data obfuscated or anonymized?
- Are there contractual transfer guarantees in place?
Securing Telemetry Data at Rest (Central Analytics)
- Is there an “adequate level of protection”?
- Who controls access?
- Which authorities can demand access?
- Is the data at rest encrypted, and who holds the keys?
Various central analytics deployment options provide different benefits and challenges, and each organization must determine which option works best for them while still trying to meet the requirements of their local regulations. Let’s review some of the options:
- SaaS: This type of deployment is easy to deploy, provides a large dataset for machine learning, and often features rapid adoption of new innovations. However, organizations often have little to no control over their data residency and security.
- Public Cloud: A public cloud deployment, such as in AWS, Azure, or Google Cloud, scales readily, frees you from hardware maintenance, and lets you pin the analytics to a region of your choosing. Under the shared responsibility model you still own the security of the workload and the data, the provider's home jurisdiction still applies to it, and spend is usage-based, so it is not capped unless you enforce budgets.
- Private Cloud/Data Center: Hosting the central analytics in a private cloud or a data center you control gives you full say over data residency and over who can reach the data, and capacity can be sized to what you actually need. The trade-off is cost: you carry the hardware, hosting and operations expense rather than sharing it with other tenants.
- On-Premise: This classic option gives the organization complete sovereignty over data residency and security, but the organization takes on hardware maintenance itself and, for capabilities such as machine learning, depends on the vendor shipping them in a form that runs without cloud connectivity.
Regardless of the central analytics deployment option an organization chooses, there are four main actionable strategies that can help you achieve greater levels of data sovereignty:
- Evaluate the content of your telemetry data and determine the risk posed by sensitive content.
- Determine your regulatory compliance obligations relative to data sovereignty.
- Select the best approach to security analytics: SaaS vs. Public Cloud vs. Private Cloud vs. On-Prem.
- Choose security vendors that prioritize data sovereignty and minimize reliance on cloud infrastructure for telemetry processing.
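The first of these strategies, evaluating what is actually inside the telemetry before it leaves your boundary, can be partly automated, and the same pass can apply the data minimization that the sections on network and endpoint telemetry above call for. The Python script below is an added example written for this article; it is not code from the Stamus Security Platform or from any vendor's product. It runs a minimization pass over constructed records shaped loosely like Suricata EVE JSON (http, ftp, flow) and a Sysmon-style process event: it finds and redacts the clear-text credentials that PCAPs, protocol logs and command lines can carry, replaces user and host identifiers with keyed HMAC pseudonyms so the re-identification key stays at home, and classifies each record so you can see what a raw export to a SaaS platform would have contained. The field names, the PSEUDONYM_KEY value and the sample events are assumptions for illustration.

```python
"""Telemetry minimization pass: redact clear-text credentials and pseudonymize
identities before records leave the sovereign boundary. Added example, not
Stamus code; field names are assumptions loosely modelled on EVE JSON/Sysmon."""
import base64
import copy
import hashlib
import hmac
import json
import re

# Assumed: key provisioned from a KMS inside the sovereign boundary and never
# shipped with the telemetry. Placeholder value for this example only.
PSEUDONYM_KEY = b"example-key-kept-inside-the-sovereign-boundary"
# Top-level identity fields to pseudonymize. Add "src_ip"/"dest_ip" if IP
# addresses count as personal data in your jurisdiction.
IDENTITY_FIELDS = ("user", "hostname")
REDACTED = "[REDACTED]"
BASIC_AUTH_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)
# Credential-bearing switches such as /pass:x, --password x, -pwd=x.
CMDLINE_SECRET_RE = re.compile(r"(?i)((?:/|--?)(?:password|pass|pwd)[:= ])(\S+)")


def pseudonymize(value: str) -> str:
    """Deterministic keyed pseudonym: equal inputs give equal tokens, so events
    still correlate, but without the key the original is unrecoverable."""
    mac = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return "pseud:" + mac.hexdigest()[:16]


def _redact_http(event: dict, findings: list) -> None:
    for header in event.get("http", {}).get("request_headers", []):
        if header.get("name", "").lower() != "authorization":
            continue
        match = BASIC_AUTH_RE.match(header.get("value", ""))
        if match:
            try:  # keep the username for the finding, never the password
                decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = "?"
            findings.append(f"http basic credential for user {decoded.split(':', 1)[0]!r}")
            header["value"] = "Basic " + REDACTED
        else:  # bearer tokens and the like are secrets too; drop them wholesale
            findings.append("http authorization header")
            header["value"] = REDACTED


def _redact_ftp(event: dict, findings: list) -> None:
    ftp = event.get("ftp", {})
    if ftp.get("command", "").upper() == "PASS" and ftp.get("command_data"):
        findings.append("ftp clear-text password")
        ftp["command_data"] = REDACTED


def _redact_process(event: dict, findings: list) -> None:
    cmd = event.get("command_line")
    if not cmd:
        return
    new_cmd, hits = CMDLINE_SECRET_RE.subn(lambda m: m.group(1) + REDACTED, cmd)
    if hits:
        findings.append(f"{hits} credential argument(s) in command line")
        event["command_line"] = new_cmd


def sanitize_event(event: dict) -> dict:
    """Return a sanitized copy, what changed, and a classification of the
    original record; the input is left untouched for local retention."""
    out = copy.deepcopy(event)
    findings: list = []
    _redact_http(out, findings)
    _redact_ftp(out, findings)
    _redact_process(out, findings)
    pseudonymized = [f for f in IDENTITY_FIELDS if isinstance(out.get(f), str)]
    for field in pseudonymized:
        out[field] = pseudonymize(out[field])
    if findings:
        classification = "restricted"  # carried a secret in clear text
    elif pseudonymized:
        classification = "personal"    # identity data; export only pseudonymized
    else:
        classification = "exportable"  # metadata only
    return {"event": out, "findings": findings,
            "pseudonymized": pseudonymized, "classification": classification}


def sanitize_batch(events: list) -> list:
    return [sanitize_event(e) for e in events]


# Constructed sample records for this example (not real captures).
SAMPLE_EVENTS = [
    {"event_type": "http", "src_ip": "10.1.2.3", "dest_ip": "10.9.9.9",
     "hostname": "ws-0042.corp.example",
     "http": {"hostname": "intranet.example", "url": "/login", "request_headers": [
         {"name": "Host", "value": "intranet.example"},
         {"name": "Authorization",
          "value": "Basic " + base64.b64encode(b"alice:Hunter2").decode()}]}},
    {"event_type": "ftp", "src_ip": "10.1.2.3", "dest_ip": "10.9.9.10",
     "ftp": {"command": "PASS", "command_data": "Hunter2", "completion_code": ["230"]}},
    {"event_type": "process", "hostname": "ws-0042.corp.example", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\cmdkey.exe",
     "command_line": "cmdkey /add:fileserver /user:CORP\\alice /pass:Hunter2"},
    {"event_type": "flow", "src_ip": "10.1.2.3", "dest_ip": "10.9.9.11",
     "proto": "TCP", "dest_port": 443},
]

if __name__ == "__main__":
    for result in sanitize_batch(SAMPLE_EVENTS):
        print(result["classification"], result["findings"], json.dumps(result["event"]))
```

Run it directly to print the sanitized records. Because the pseudonym is a keyed HMAC rather than a plain hash, the same user seen in a network record and an endpoint record still correlates in the central analytics, while only someone holding the key inside your boundary can map a token back to a person, and an attacker cannot simply hash a directory of known usernames to reverse it. Extending IDENTITY_FIELDS to src_ip and dest_ip applies the same treatment to IP addresses at the cost of some network analytics.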
The Stamus Security Platform
The Stamus Security Platform (SSP) is a network-based threat detection and response (NDR) platform that delivers actionable network visibility and powerful threat detection in private cloud, public cloud, on-premise, or hybrid environments. Regardless of where you deploy the central analytics (Stamus Central Server), SSP prioritizes data sovereignty.
The Stamus Security Platform offers:
- Extensive correlated network data and evidence with organizational context
- Openness and Extensibility with extensive customizations
- Optimization for enterprise-scale operations
- Optional air-gapped deployment
- Integrations with SIEM, SOAR, IR Ticketing, and more
Figure: how the Stamus Security Platform fits into an existing security stack.
Take Control of Your Data
There is no single solution to achieving data sovereignty. Each organization will take a different path to achieve its goals based on the needs of that organization and the regulations of the regions in which it operates. And relinquishing control of some aspects of your data is inevitable in a modern enterprise. But, there are some key takeaways for every organization to consider regardless of their unique circumstances:
- Understanding Your Data: Identify the type of security telemetry data you collect and analyze and assess its sensitivity. This will help you determine the level of control you need over data residency.
- Navigating Regulations: Stay informed about data sovereignty regulations in the regions you operate. This will ensure your data storage and security practices comply with relevant laws.
- Choosing the Right Deployment Model: Evaluate the benefits and challenges of different central analytics deployment options like SaaS, public cloud, hybrid cloud, and on-premise. Each offers a unique balance of control, scalability, and cost.
- Prioritizing Data Sovereignty: Select security vendors that prioritize data sovereignty and minimize reliance on cloud-based processing for sensitive telemetry data.
- Actionable Strategies: Implement strategies such as data minimization and vendor selection based on data sovereignty practices to stay ahead of the challenges presented by securing telemetry data.
By understanding the complexities of data sovereignty and implementing a comprehensive approach, organizations can achieve a balance between effective data security and regulatory compliance, empowering them to not only protect their data, but own it too.