Can Organizations Meet Compliance Regulations with Cloud-Based SIEM Solutions?

Ertugrul Akbas
3 min read · Apr 18, 2020


SaaS SIEM services are now popular and are considered the cheaper option: there is no software to purchase, no cybersecurity professionals to hire and no additional training needed to bring staff up to speed. But log shipping costs, data sensitivity and data sovereignty are potential drawbacks of this approach that you have to weigh.

SaaS SIEM services are popular, but regulatory compliance is a real difficulty for them. If we check SaaS SIEM services against GDPR [1], we have to consider:

Data portability for the controller. Controllers must be able to facilitate the right to data portability for data subjects. If the controller's data is in the cloud, it must be possible for the controller to retrieve it in a structured, commonly used and machine-readable format to provide to the data subject or to another controller.

Data ownership. As a controller you must retain control and ownership of your own data, so this must be spelled out in the contract. You must also confirm that, under the host country's laws, your company retains ownership of the transferred data.

Data localization. This is complicated because, depending on the type of data and the country where it is located, standards can restrict transfer, govern storage or expand customer rights.

Processing of personal data outside the European Economic Area (EEA). Because cloud service providers can store data in multiple locations, personal data may end up stored outside the EEA. For such processing, appropriate safeguards must be in place if no adequacy decision has been made for the country where the data resides. Controllers therefore need to define a multi-country cloud strategy that satisfies both the adequacy requirements and the data localization laws that apply to them [2].

This is not only the case for GDPR. If you have to comply with India's Personal Data Protection Bill [3], you cannot send logs outside of India. The same applies to Turkey: under the Personal Data Protection Law and other governmental rules, government and government-related companies cannot send their logs outside of Turkey, and the commercial sector also has no right to send logs outside of Turkey [4].

One of the biggest problems is: what happens at the end of the agreement? You have to keep those logs for years to comply with regulations. Some SaaS SIEM solutions offer to send a daily copy of the logs to an AWS S3 bucket that you control. This gives you a copy for specific retention regulations, but it is an additional cost. You also have to manage those raw logs yourself: verify that every day's export actually arrived intact, and find a way to search billions of lines when required.
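What "managing those raw logs" means in practice is shown by the added example below. It is not code from the article or from any SIEM vendor; it assumes a hypothetical daily export layout of one gzip object per day under `siem-export/YYYY/MM/DD/events.log.gz`, and it simulates the bucket with an in-memory dict of constructed syslog lines so that it runs offline. It covers the three chores the paragraph raises: checking that the retention window has no missing days, keeping a hash manifest so a truncated or altered export is detected, and streaming a search across the compressed archives without decompressing everything into memory.

```python
"""Retention-copy housekeeping for a daily raw-log export (added example, constructed data).

Assumed layout (hypothetical): one gzip object per day named
siem-export/YYYY/MM/DD/events.log.gz. The S3 bucket is simulated with a dict.
"""
import gzip
import hashlib
import io
import re
from datetime import date, timedelta

KEY_RE = re.compile(r"^siem-export/(\d{4})/(\d{2})/(\d{2})/events\.log\.gz$")


def _gz(text: str) -> bytes:
    return gzip.compress(text.encode())


# Constructed sample export. 2020-04-16 is deliberately missing to show a gap.
EXPORTED_OBJECTS = {
    "siem-export/2020/04/14/events.log.gz": _gz(
        "Apr 14 02:11:07 srv1 sshd[1201]: Accepted publickey for ops from 10.0.0.5\n"
        "Apr 14 09:45:12 srv1 sshd[1304]: Failed password for root from 203.0.113.9\n"),
    "siem-export/2020/04/15/events.log.gz": _gz(
        "Apr 15 11:02:00 srv2 sudo: ops : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx\n"),
    "siem-export/2020/04/17/events.log.gz": _gz(
        "Apr 17 23:58:41 srv1 sshd[2210]: Failed password for admin from 198.51.100.7\n"),
}


def key_to_date(key: str):
    """Map an object key to the day it covers, or None if the key is not an export."""
    m = KEY_RE.match(key)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def build_manifest(objects):
    """SHA-256 per object. Store this beside the export (ideally write-once) so that a
    later truncation or modification of a day's archive is detectable."""
    return {k: hashlib.sha256(v).hexdigest() for k, v in objects.items()}


def verify_manifest(objects, manifest):
    """Keys whose current hash differs from the manifest, or which have disappeared."""
    current = build_manifest(objects)
    return sorted(k for k, h in manifest.items() if current.get(k) != h)


def find_retention_gaps(objects, start, end):
    """Days in [start, end] for which no export object exists."""
    have = {key_to_date(k) for k in objects}
    gaps, d = [], start
    while d <= end:
        if d not in have:
            gaps.append(d)
        d += timedelta(days=1)
    return gaps


def search_exports(objects, pattern, start=None, end=None):
    """Stream-decompress each day's archive and return (key, line) for matching lines.
    Restricting the date range first keeps a search over years of exports affordable."""
    rx = re.compile(pattern)
    hits = []
    for key in sorted(objects):
        d = key_to_date(key)
        if d is None or (start and d < start) or (end and d > end):
            continue
        with gzip.open(io.BytesIO(objects[key]), "rt") as fh:  # line-by-line, not whole file
            for line in fh:
                if rx.search(line):
                    hits.append((key, line.rstrip("\n")))
    return hits


if __name__ == "__main__":
    window = (date(2020, 4, 14), date(2020, 4, 17))
    print("missing days:", find_retention_gaps(EXPORTED_OBJECTS, *window))
    print("failed logins:", search_exports(EXPORTED_OBJECTS, r"Failed password", *window))
```

Against a real bucket the dict would be replaced by a listing of the prefix and per-object downloads; the gap check should run every morning for the previous day, because a silently missing export is exactly the kind of defect that is only noticed years later, when an auditor asks for that day.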

There is an alternative to SaaS SIEM that is compliant with GDPR and the other personal data protection regulations above: the managed SIEM service, where the SIEM solution is installed on the customer's side and managed remotely by the provider, so the logs stay where the customer keeps them.

SaaS SIEM is admittedly cheaper for the SaaS SIEM operators than installing a SIEM solution on the customer side and managing it remotely (the managed SIEM service). But we are trying to solve the customer's problems, not the SaaS SIEM operators' problems.

The managed model is not preferred by SaaS SIEM service operators because it is costly for them, but for the customer it is a good alternative.

References

  1. https://gdpr.eu/
  2. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
  3. https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
  4. https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law

Originally published at https://www.peerlyst.com on April 18, 2020.


Written by Ertugrul Akbas

Entrepreneur, Security Analyst, Research.