Whitepaper

Welcome to the World of Public Cloud Collaboration Allowing Enhanced Security

A New, More Secure, and More Efficient Approach to Storage, Management and Collaboration for ITAR-defined Technical Data Through the Use of Cloud Solutions

www.brainloop.com
The ITAR Rules Are Undergoing a 21st Century Facelift

Regulations and practices governing the storage and processing of technical data defined in the International Traffic in Arms Regulations (the ITAR) are evolving. For example, in 2014, the Directorate of Defense Trade Controls (DDTC) within the U.S. State Department, the administering agency for the ITAR,[1] issued an advisory opinion pertaining to internet transmission of ITAR technical data. The new guideline, reflecting ongoing efforts to bring the ITAR into alignment with advancements in cloud computing over the last 15 years, for the first time formally recognized that ITAR technical data might be shared and stored using cloud computing applications. The flexibility reflected in that guideline was conditioned on specific encryption strategies designed to address the traditional concern of the DDTC that accidental or unintended exports of specified data be avoided. Other handling and recipient protocols beyond encryption, some again of a customary nature, would also be required, but it is clear from the DDTC's policy statement that change was in the wind. Thus, in mid-2015 the DDTC again visited the subject of cloud storage by proposing for comment certain revisions to the ITAR that, if adopted, would appear to permit cloud storage of technical data outside of the United States. Generally, these proposed rule changes, published in the Federal Register on June 3, 2015, would allow the electronic storage abroad of ITAR-defined technical data that has been encrypted under FIPS 140-2, so long as it is not stored in various prohibited countries.[2]

For many years, aerospace and defense industry organizations have been unable to collaborate via common cloud computing practices that are widely recognized at the enterprise level as best-in-class for fostering high productivity and performance. Thus, public cloud tools for document storage, management and collaboration have not been available for ITAR-defined technical data. Even Robert Gates, former Secretary of Defense, recognized the detriment to development created by these types of restrictions when in 2010 he called the U.S. export control system a "byzantine amalgam of authorities, roles, and missions scattered around different parts of the federal government."[3]

[1] See https://www.pmddtc.state.gov/index.html, accessed June 10, 2015.
[2] See https://www.pmddtc.state.gov/fr/2015/2015-12844_80fr31525.pdf, accessed June 10, 2015. As explained in the proposed rule change, "[t]his will allow for cloud storage of encrypted data in foreign countries, so long as the technical data remains continuously encrypted while outside the United States." The effect of this proposed change would only add more risk to the concept of deemed exports unless the cloud solution itself can prevent export to one of those prohibited countries. Moreover, there may be less change here than might be immediately imagined. Technical data that must always be encrypted when outside the United States will always be useless for reference or production purposes when outside the country and, therefore, inaccessible in a usable form.
[3] See http://www.defense.gov/speeches/speech.aspx?speechid=1453 (accessed June 10, 2015).

Whitepaper - ITAR Technical Data 2 6
Stringent Guidelines

The ITAR dictates control over the export and import of defense-related articles and services on the United States Munitions List (USML) and all listed and related technical data. This includes information within blueprints, technical drawings, photographs, mechanical plans, instructions, software and other sensitive defense-related documentation. Under the ITAR, at least to the present and unless an exemption exists, such information generally must be stored in a U.S.-located environment physically and logistically accessible only to U.S. citizens or permanent residents ("U.S. persons"). For a public cloud solution to meet these rigorous demands, all installation, support, ongoing maintenance and system upgrade activities must be supported exclusively by U.S. persons, employed by U.S. employers and supervised by other U.S. persons. Additional security features not mandated specifically by the ITAR, but certainly part of a comprehensive and reasonably effective cybersecurity approach, are full encryption, tamper-proof audit trails, two-factor authentication, operator, administrator and provider shielding, granular user permissioning, and document handling and dissemination restrictions, unless extra-territorial sharing (exporting) is going to occur. To be sure, ITAR-compliant solutions are not, and cannot be, available to the general public. Those wishing to utilize ITAR-compliant solutions must guarantee that users are limited to U.S. persons or others who are appropriately licensed and, ideally, such organizations would maintain a valid DDTC exporter registration with full, unsanctioned U.S. export privileges, among other requirements.
Moreover, any third-party provider of a cloud-based document storage, management and collaboration solution likely comes within the ITAR's definition of manufacturers, exporters and brokers of defense articles, related technical data and defense services as defined in the USML, and is therefore required to register with the DDTC as a precondition for the issuance of any license or other approval of export based on such services.[4] Organizations wishing to turn to a public cloud provider should ensure such registration has been approved and remains current.

[4] The underlying regulations may be accessed at https://www.pmddtc.state.gov/registration/index.html and http://www.ecfr.gov/cgi-bin/text-idx?sid=86008bdffd1fb2e79cc5df41a180750a&node=22:1.0.1.13.59&rgn=div5 (both accessed June 10, 2015).
Encryption and Tokenization

Complex requirements and lagging use of technology solutions have led many to move more quickly than it appears the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization in meeting the ITAR's high standards. While the provider apparently sought to market its token-based encryption technology as solving certain deemed export restrictions, according to a June 9, 2014 article published in the Wall Street Journal on the issue, a State Department official is quoted as stating, "Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as means [of meeting the ITAR standards]." Thus, more sophisticated and complete cloud security solutions to avoid deemed exports are required.

Risky Business: The Cost of Non-Compliance

What is the importance of all this? Since 2010, there have been at least nine cases where aerospace and defense contractors have been sanctioned for failing to comply with the ITAR. In 2014, there were two fines issued, totaling approximately $30 million. In 2013, there were three fines issued for ITAR violations, for a total of $41 million.

Year   Number of Fines Issued   Total Amount of Assessed and Contingent Fines
2014   2                        $30 million
2013   3                        $41 million
2012   3                        $55 million
2011   1                        $79 million

Moreover, the possibility of fines is not the totality of sanctions. Remedial and punitive measures extend to additional civil and administrative remedies, including debarment as an exporter or even as a government contractor. Consequences could also extend into criminal sanctions for egregious non-compliance.
Risky Business: What is to be Done?

Organizations wishing or having to use the collaborative and efficient cloud solutions that are coming to define best practices for ITAR-defined technical data therefore do have choices that go beyond the too often applied, and too often inadequate, default of telling employees to be careful and then hoping for the best. One alternative is to develop an expensive private, dark cloud to provide secure storage and sharing of sensitive documents. A better alternative, however, is provided by newer offerings that are entering the market and have sophisticated functionality that achieves important efficiencies and cost savings. These offerings have systemic monitoring tools to track who has viewed information, whether it has been copied to an unsecured platform, or whether it has been exported. They can prevent careless, clueless and malicious recipients of ITAR technical data from violating the ITAR despite best efforts at training and cautioning. The second choice relies on a conscious, automated and persistent effort, enabled by sophisticated document management tools, to avoid breaches of the ITAR through the deployment of proven enterprise tools that substantially reduce the risk of not meeting security guidelines. Not only do these tools employ safeguards to prevent non-U.S. persons or unlicensed individuals from viewing information, potentially causing the unintended or accidental export of ITAR-defined technical data, they also implement definitive functions and processes to prevent copying and sharing outside of the solution. These solutions track access and sharing to allow for tamper-proof auditing in the future, as well as required reporting on an ongoing basis.

Priceless Peace of Mind
Although the monetary penalties for ITAR violations are stiff -- oftentimes up to tens of millions of dollars in fines levied upon a company -- additional outcomes can be even more damaging, including future bids that are challenged when an organization becomes known for a history of not complying with the ITAR. However, with the U.S. government opening the door for organizations that handle ITAR-related technical data to leverage secure public cloud collaboration tools, there is no need for businesses to take unnecessary risks.
In order to attain priceless peace of mind when handling ITAR technical data, companies must ensure that collaboration solutions being considered for deployment are covered by end-to-end ITAR compliance. These solutions must ensure that unintended exports of ITAR technical data are not possible. They must be implemented and supported exclusively by U.S. persons at U.S. companies. They must include tamper-proof audit trails to demonstrate uninterrupted ITAR compliance based on a document's specific history. They must be, or match, the ITAR-compliant Brainloop solution. These solutions, such as the ITAR-compliant Brainloop Secure Dataroom, are available for relatively affordable costs, particularly when compared to the consequences of ITAR violations. To learn more about the rules and regulations pertaining to the storage and collaboration of ITAR-related documents in ITAR-compliant public cloud solutions, visit www.brainloopitar.com.

About Brainloop Inc.

Operating since 2007, Brainloop Inc., the Secure Enterprise Information Company, is a market-leading provider of a highly intuitive SaaS (Software-as-a-Service) solution enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. Our enterprise customers, spanning numerous industries, count on our software's regulatory and corporate compliance, collaboration and process capabilities, as well as its complete portfolio of security features. Brainloop's secure solutions look at the entire information protection issue in a holistic and integrated way to better protect the way businesses operate today.
We go beyond common security measures to provide full 256-bit encryption, audit trails, two-factor authentication, and provider and administrator shielding, all through an easy-to-use interface. Brainloop Inc. holds a registration under Part 122, Registration of Manufacturers and Exporters, sections 122.1 through 122.5, of the United States Munitions List for the purpose of providing its ITAR-compliant, cloud-based storage, management and collaboration solutions for documents containing technical data.

www.brainloop.com
www.brainloopitar.com
info@brainloop.com

Copyright 2015 Brainloop WP-039-0616