Ensuring ITAR Compliance – Controlling Data Export and Access
Sector-specific data protection and security requirements exist in many countries. For example, in Defense and Manufacturing, many organizations need to comply with regulations known as ITAR (International Traffic in Arms Regulations). ITAR regulates the import and export of defense-related products, services, and technologies that are included on the United States Munitions List (USML). Some key aspects of the regulations defined in ITAR include:
- Information and materials related to items on the USML may only be shared with “US Persons” (unless authorized by the US Department of State).
- All US providers in the USML supply chain must register with the Department of State and obtain appropriate import/export licenses.
- Unauthorized re-transfer or re-export of any articles is a major breach of the law – and is tightly regulated.
- The scope of the regulation includes information that is accessed by authorized US persons when travelling outside the US and is then shared with foreign nationals.
Based on the scope and definitions in ITAR, data and information assets are considered exports. Given this, it is generally acknowledged that ITAR-controlled documents saved in the cloud need to maintain compliance with ITAR rules and policies. Most companies that need to comply with ITAR have detailed compliance programs in place covering strict control of documents, information security, and materials and equipment on-premise (i.e., in their own facilities and data centers). It is a significant challenge to maintain these same strict guidelines when the decision is made to move to cloud-based IT infrastructures for business needs in areas such as CRM and HR.
One specific challenge related to the cloud is that SaaS application providers are frequently unable to guarantee that data will only be accessed by US citizens since their data centers, regardless of where they are located, are serviced by foreign nationals and are sometimes located outside of the United States. And though the State Dept. has not yet offered specific formal guidance on cloud implications for data and information export safeguards, it is fully expected that it will require formal mechanisms and assurances that foreign nationals will not have access to ITAR-governed information.
PerspecSys helps enterprises with ITAR compliance answer these questions regarding cloud-based applications:
- Where will the data reside?
Most cloud providers cannot guarantee where the data will be located (especially when considering primary and backup locations and the movement of data between them). With PerspecSys, companies retain control of their data, keeping it on-premise and ensuring that it is never processed or stored “in the clear” in the cloud.
- Who will have access?
Because of virtualization, data could be located anywhere in the world at a given time. Despite security measures, access is difficult to control. With PerspecSys, encryption keys remain on-premise (if encryption is used to obfuscate data), and the database assigning random tokens to clear text data remains on-site behind the company’s firewall. Access and permission controls are governed by the same secure systems safeguarding the rest of an organization’s on-premise infrastructure.
- Who is responsible for control?
The ITAR-controlled USML vendor or company is accountable for safeguarding data and information export. With PerspecSys, control of ITAR-governed information is put completely into the hands of the enterprise, giving it the ability to confidently deploy cloud-based projects knowing that it can control and protect all of its sensitive data.
Only PerspecSys Can Deliver:
- Cloud Data Protection – No data is shared “in the clear” outside of your network control; data is secured with field-level control based on user-defined tokenization or encryption options
- Tokenization and Industry Approved “Strong Encryption” – Organizations can select from an array of included tokenization or encryption options or utilize their own encryption approaches
- Full SaaS Application Functionality – Users have complete access to the features and functions of the SaaS application such as searching, reporting, and e-mailing
- Simple Configuration and Deployment – An administrative dashboard allows companies to easily configure their data protection policies, and adapters provide connections with popular cloud-based applications
- Flexibility – The solution is designed to fit with the way organizations want to do business. For example, the Cloud Data Protection gateway can be deployed in a variety of architectural configurations to meet an organization’s specific security needs.
Learn more about the PerspecSys Cloud Data Protection Gateway by visiting our Resource Center.