Welcome to the World of Public Cloud Collaboration Allowing Enhanced Security

Transcription

1 Whitepaper Welcome to the World of Public Cloud Collaboration Allowing Enhanced Security A New, More Secure, and More Efficient Approach to Storage, Management and Collaboration for ITAR-defined Technical Data Through the Use of Cloud Solutions

2 The ITAR Rules Are Undergoing a 21st Century Facelift Regulations and practices governing the storage and processing of technical data defined in the ITAR are evolving. For many years management and collaboration have not been available for the ITAR-defined technical data. Regulations and practices governing the storage and processing of technical data defined in the International Traffic in Arms Regulations (the ITAR) are evolving. For example, in 2014, the Directorate of Defense Trade Controls (DDTC) within the U.S. State Department, the administrating agency for the ITAR 1, issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring the ITAR in alignment with advancements in cloud computing over the last 15 years, for the first time formally recognized ITAR technical data might be shared and stored using cloud computing applications. The flexibility reflected in that guideline was conditioned on specific encryption strategies designed to address the traditional concerns of the DDTC that accidental or unintended exports of specified data be avoided. Other handling and recipient protocols beyond encryption, some again of a customary nature, also would be required, but it is clear from the DDTC s policy statement that change was in the wind. Thus, we see that in mid-2015, the DDTC has again visited the subject of cloud storage by proposing for comments certain revisions to the ITAR that, if adopted, would appear to permit cloud storage of technical data outside of the United States. Generally, these proposed rules changes, published in the Federal Register on June 3, 2015, would allow the electronic storage abroad of the ITAR-defined technical data that has been encrypted under the FIPS 140-2, so long as it is not stored in various prohibited countries. 2 For many years, aerospace and defense industry organizations have been unable to collaborate via common cloud computing practices that are widely recognized at the enterprise-level as best-in-class to foster high productivity and performance. Thus, the implementation of public cloud tools for document storage, management and collaboration have not been available for the ITAR-defined technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these types of restrictions when in 2010 he called the U.S. export control system a byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government. 3 1 See accessed June 10, See accessed June 10, As explained in the proposed rule change, [t]his will allow for cloud storage of encrypted data in foreign countries, so long as the technical data remains continuously encrypted while outside the United States. The effect of this proposed change would only add more risk to the concept of deemed exports unless the cloud solution itself can prevent export to one of those prohibited country. Moreover there may be less change here than might be immediately imagined. Technical data that must al ways be encrypted when outside the United States will always be useless for reference or production purposes when outside the country and, therefore, inaccessible in a usable form. 3 See (accessed on June 10, 2015) Whitepaper - ITAR Technical Data 2 6

3 Stringent Guidelines The ITAR dictates control over the export and import of defenserelated articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation. The ITAR dictates control over the export and import of defense-related articles and services. Under the ITAR, at least to the present and unless an exemption exists, generally such information must be stored in a U.S.- located environment physically and logistically accessible only to U.S. citizens or permanent residents (U.S. persons). For a public cloud solution to meet these rigorous demands, all installation, support, ongoing maintenance and system upgrade activities must be supported exclusively by U.S. persons, employed by U.S. employers and supervised by other U.S. persons. Additional security features not mandated specifically by the ITAR but certainly part of a comprehensive and reasonably effective cybersecurity approach are full encryption, tamper-proof audit trails, two-factor authentication and operators, administrator and provider shielding, granular user permissioning, and document handling and dissemination restrictions, unless extra-territorial sharing (exporting) is going to occur. To be sure, ITAR-compliant solutions are not, and cannot be, available to the general public. Those wishing to utilize the ITAR-compliant solutions must guarantee that users are limited to U.S. persons or others who are appropriately licensed and, ideally, such organizations would maintain a valid DDTC exporter registration with full, unsanctioned U.S. export privileges, among other requirements. ITAR-compliant solutions are not, and cannot be, available to the general public. Moreover, any third party provider of cloud-based document storage, management and collaboration solution likely come within the ITAR s definition of manufacturers, exporters and brokers of defense article, related technical data and defense services as defined in the USML and therefore are required to register with the Defense Trade Controls as a precondition for the issuance of any license or other approval of export based on such services. 4 Organizations wishing to turn to a public cloud provider should ensure such registration has been approved and remains current. 4 The underlying regulations may be accessed at (both accessed June 10, 2015). Whitepaper - ITAR Technical Data 3 6

4 Encryption and Tokenization More sophisticated and complete solutions to cloud security solutions to avoid deemed exports are required. Complex requirements and lagging use of technology solutions have led many to move quicker than it appears the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization to meet the ITAR s high standards. While the provider apparently sought to market its token-based encryption technology as solving certain deemed export restrictions, according to a June 9, 2014 article published in the Wall Street Journal on the issue, a State Department official is quoted as stating, Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as means [of meeting the ITAR standards]. Thus, more sophisticated and complete solutions to cloud security solutions to avoid deemed exports are required. Risky Business: The Cost of Non-Compliance Aerospace and defense contractors have been sanctioned for failing to comply with the ITAR. What is the importance of all this? Since 2010, there have been at least nine cases where aerospace and defense contractors have been sanctioned for failing to comply with the ITAR. In 2014, there were two fines issued, totaling approximately $30 million. In 2013, there were three fines issued for the ITAR violations, for a total of $41 million. Year Number of Fines Issued $30 million $41 million $55 million $79 million Total Amount of Assessed and Contingent Fines Moreover the possibility of fines is not the totality of sanctions. Remedial and punitive measures extend to additional civil and administrative remedies, including debarment as an exporter or even a government contractor. Consequences also could extend into criminal sanctions for egregious non-compliance. Whitepaper - ITAR Technical Data 4 6

5 Risky Business: What is to be Done? A better alternative is provided by newer offerings that have sophisticated functionality. Organizations wishing or having to use the collaborative and efficient cloud solutions that are coming to define best practices for ITAR-defined technical data, therefore, do have choices that go beyond the too often applied, and too often inadequate, default of telling employees to be careful and then hoping for the best. One alternative is to develop an expensive private, dark cloud to provide secure storage and sharing of sensitive documents. A better alternative, however, is provided by newer offerings that are entering the market and have sophisticated functionality that achieve important efficiencies and cost savings. These offerings have systemic monitoring tools to track who has viewed information, if it has been copied to an unsecure platform or if it has been exported. They can prevent the careless, clueless and malicious recipients of ITAR technical data from violating the ITAR despite best efforts at training and cautioning. The second choice relies on a conscious, automated and persistent effort, enabled by sophisticated document management tools, to avoid breaches of the ITAR through the deployment of proven enterprise tools that substantially reduce the risk of not meeting security guidelines. Not only do these tools employ safeguards to prevent non-u.s. persons or unlicensed individuals from viewing information, potentially causing the unintended or accidental export of the ITAR-defined technical data, they also implement definitive functions and processes to prevent copying and sharing outside of the solution. These solutions track access and sharing to allow for tamper-proof auditing for the future, as well as required reporting on an ongoing basis. Priceless Peace of Mind There is no need for businesses to take unnecessary risks. Although the monetary penalties for the ITAR violations are stiff -- often times, up to tens of millions of dollars in fines levied upon a company -- additional outcomes can be even more damaging including future bids that are challenged when an organization becomes known for a history of not complying with the ITAR. However, with the U.S. government opening the door for organizations that handle the ITAR-related technical data to now leverage secure public cloud collaboration tools, there is no need for businesses to take unnecessary risks. Whitepaper - ITAR Technical Data 5 6

6 These solutions, such as the ITAR-compliant Brainloop Secure Dataroom, are available for relatively affordable costs, particularly when compared to the consequences of the ITAR violations. In order to attain priceless peace of mind when handling the ITAR technical data, companies must ensure that collaboration solutions being considered for deployment are covered by endto-end the ITAR compliance. These solutions must assure the non-intended exports of the ITAR technical data are possible. They must be implemented and supported exclusively by U.S. persons at U.S. companies. They must include tamper proof audit trails to demonstrate uninterrupted ITAR compliance based on a document s specific history. They must be, or match, the ITARcompliant Brainloop solution. These solutions are available for relatively affordable costs, particularly when compared to the consequences of the ITAR violations. To learn more about the rules and regulations pertaining to the storage and collaboration of the ITAR-related documents in the ITAR compliant public cloud solutions, visit ITAR.com. About Brainloop Inc. Operating since 2007, Brainloop Inc., the Secure Enterprise Information Company, is a market-leading provider of highly intuitive SaaS (Software-as-a-Service) solution enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. Our enterprise customers, comprising of numerous industries, count on our software s regulatory and corporate compliance, collaboration and process capabilities as well as its complete portfolio of security features. Brainloop s secure solutions look at the entire information protection issue in a holistic and integrated way to better protect the way businesses operate today. We go beyond common security measures to provide full 256-bit encryption, audit trail, two-factor authentication and provider and administrator shielding, all through an easy to use interface. Our customers count on our software s regulatory and corporate compliance, collaboration and process capabilities as well as its complete portfolio of security features. Brainloop Inc. holds a registration under part 122, Registration of Manufacturers and Exporters, section through 122.5, of the United States Munitions List for the purpose of providing its ITARcompliant, cloud based storage, management and collaboration solutions for documents containing technical data. [email protected] Copyright 2015 Brainloop WP Whitepaper - Whitepaper - ITAR Technical Data 6 6