Manufacturing and Defense – ITAR
ITAR Compliance – Controlling Data Export and Access
Sector-specific data protection and security requirements exist in many countries. In the United States, for example, many organizations in Defense and Manufacturing need to comply with the International Traffic in Arms Regulations (ITAR). ITAR requirements cover the import and export of defense-related products, services and technologies on the United States Munitions List (USML), including the associated technical data and information.
It is generally acknowledged that ITAR-controlled documents and information stored and processed in the cloud must remain compliant with ITAR rules and policies. Maintaining the strict guidelines and processes that organizations apply to their internal systems is a significant challenge once an external cloud provider is involved. For example, most public cloud providers cannot or will not guarantee that only U.S. persons will have access to data in their infrastructure, or that ITAR-controlled data will not be replicated to secondary data centers in foreign locations. As a result, most ITAR-controlled organizations have been unable to take advantage of the cost and efficiency benefits of the public cloud.
On June 3, 2015, the Department of State issued a Federal Register notice requesting comments on proposed amendments to the ITAR (22 C.F.R. Parts 120 – 130) that would revise certain definitions and update the controls on transmission and storage of technical data in the cloud. In particular, the proposal stated that sending technical data to a cloud environment would not be treated as an export if the data was:
Secured end to end using data protection of appropriate strength, in a secure implementation, with the required policies and controls in place
Not stored in a prohibited country
The comment period on this development closed in August 2015, and the industry is waiting on final language and guidance from the Directorate of Defense Trade Controls (DDTC). In anticipation of the changes, organizations governed by the ITAR are actively beginning to explore technologies that will let them move to the cloud securely and in compliance.
In addition to the pending ITAR update, in 2014 Blue Coat obtained an Advisory Opinion from the State Department stating that tokenized ITAR-controlled technical data could be transferred to the cloud without an export license when the appropriate security policies and technologies are in place:
“In accordance with [ITAR] § 125.4(b)(9), tokenization may be used to process controlled technical data using cloud computing applications without a license even if the cloud computing provider moved tokenized data to servers located outside the U.S., provided sufficient means are taken to ensure the technical data may only be received and used by U.S. persons who are employees of the U.S. government or are directly employed by a U.S. corporation and not by a foreign subsidiary throughout all phases of the transfer, including but not limited to transmission, storage, and receipt.”
Implications for Cloud Adoption
The Advisory Opinion points out that “sufficient means” must be put in place to ensure the underlying technical data is never viewed in the clear by non-authorized persons. Blue Coat’s Cloud Data Protection Gateway can be a critical part of the solution. The software platform tokenizes data before it goes to the cloud for transmission, processing and storage. The platform is installed in the organization’s own data center, and only authorized users can access it; it is the only place where tokenized data is converted back to clear text before being presented to the end user. Technical data therefore never leaves the organization’s physical control, yet the organization can still adopt public cloud applications. The platform also addresses a common problem with tokenized or encrypted cloud data: the loss of application functionality such as searching and sorting. The Blue Coat platform preserves this functionality, so users keep full use of searching, sorting and reporting on protected technical information, which allows companies to retain control over technical data while making the move to the cloud.
Cloud Data Protection Gateways
Given their ability to secure data before it reaches the cloud, Cloud Data Protection Gateways (CDPGs) will become very useful to organizations governed by the ITAR that are looking to move to the cloud. CDPGs are designed to apply encryption or tokenization to data before it leaves the enterprise’s IT environment and begins its journey to the cloud.
With a Cloud Data Protection Gateway, sensitive data fields and attachments, such as those that may contain ITAR-governed information, are replaced with an encrypted value or token while still inside the enterprise’s firewall, before going to a cloud environment for processing and storage. Because the clear-text data never leaves the organization and is protected end to end (in transit, at rest and in use within the cloud, where only the token or ciphertext is ever handled), issues associated with data privacy, security and compliance can be addressed. In addition to securing the data, Cloud Data Protection solutions let users of cloud applications keep using application features like searching, sorting and reporting, even on data that has been strongly encrypted or tokenized.
Blue Coat’s Cloud Data Protection Gateway supports both encryption and tokenization to secure regulated data. When encryption is required, companies can use their preferred encryption modules, including FIPS 140-2 validated modules, to secure their cloud data; the encryption keys remain physically in the hands of the enterprise. Tokenization is a similar situation: the token vault that maps original values to their token equivalents remains within the company’s datacenter. In both cases the gateway, together with its keys or vault, becomes the control point that must itself be restricted to authorized U.S. persons, since whoever can reach it can recover the technical data.
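To make the tokenization pattern concrete, the following is an added example in Python; it is not Blue Coat’s code and does not describe how the Cloud Data Protection Gateway is implemented. It assumes a hypothetical set of controlled field names (CONTROLLED_FIELDS), an in-memory vault standing in for the on-premises token vault, and a simple allow-list of authorized users; the sample record is constructed for the example. It shows the three properties the section relies on: the copy sent to the cloud contains no controlled clear text, an exact-match search on a controlled field can be answered by the cloud because the same value always maps to the same token, and only the on-premises gateway, for an authorized user, turns tokens back into data.

```python
import secrets
from typing import Dict, Optional, Set, Tuple

# Hypothetical policy for this example: fields that carry ITAR-controlled
# technical data and must never leave the enterprise in the clear.
CONTROLLED_FIELDS = {"part_number", "drawing", "specification"}


class TokenVault:
    """In-memory stand-in for an on-premises token vault.

    A token is a random value tied to (field, clear value) by a lookup table,
    not derived from the value, so a token reveals nothing without the vault.
    The same (field, value) always yields the same token, which is what lets
    the cloud application answer exact-match searches on tokenized fields.
    """

    def __init__(self) -> None:
        self._to_token: Dict[Tuple[str, str], str] = {}
        self._to_value: Dict[str, Tuple[str, str]] = {}

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        token = self._to_token.get(key)
        if token is None:
            # 16 bytes from the OS CSPRNG; the prefix marks it as a token so it
            # cannot be mistaken for a real value downstream.
            token = "tok_" + secrets.token_hex(16)
            self._to_token[key] = token
            self._to_value[token] = key
        return token

    def lookup_token(self, field: str, value: str) -> Optional[str]:
        """Find an existing token without minting one (used for searches)."""
        return self._to_token.get((field, value))

    def detokenize(self, field: str, token: str) -> str:
        try:
            vault_field, value = self._to_value[token]
        except KeyError:
            raise KeyError("unknown token; not issued by this vault") from None
        if vault_field != field:
            raise ValueError("token was issued for a different field")
        return value


class Gateway:
    """Rewrites records in both directions between enterprise users and the cloud app."""

    def __init__(self, vault: TokenVault, authorized_users: Set[str]) -> None:
        self.vault = vault
        self.authorized_users = authorized_users  # users permitted to see clear text

    def outbound(self, record: dict) -> dict:
        """Record leaving the enterprise: controlled fields replaced with tokens."""
        return {f: self.vault.tokenize(f, v) if f in CONTROLLED_FIELDS else v
                for f, v in record.items()}

    def search_term(self, field: str, value: str) -> Optional[str]:
        """Translate a user's search into what the cloud actually stores.

        None means the value was never tokenized, so the cloud cannot hold it
        and the search can be answered locally with an empty result.
        """
        if field not in CONTROLLED_FIELDS:
            return value
        return self.vault.lookup_token(field, value)

    def inbound(self, user: str, record: dict) -> dict:
        """Record returning from the cloud: detokenized only for an authorized user."""
        if user not in self.authorized_users:
            # Unauthorized users see exactly what the cloud has: tokens, not technical data.
            return dict(record)
        return {f: self.vault.detokenize(f, v) if f in CONTROLLED_FIELDS else v
                for f, v in record.items()}


def contains_clear_text(record: dict, clear_record: dict) -> bool:
    """True if any controlled clear value from clear_record appears in record."""
    return any(record.get(f) == clear_record[f]
               for f in CONTROLLED_FIELDS if f in clear_record)


def demo() -> dict:
    # Constructed sample record; every value here is made up for the example.
    clear = {"id": "SR-1001", "part_number": "AX-7-THRUSTER",
             "drawing": "dwg-0042.pdf", "status": "open"}
    gw = Gateway(TokenVault(), authorized_users={"alice"})
    cloud_copy = gw.outbound(clear)
    return {
        "cloud_copy": cloud_copy,
        "leaked": contains_clear_text(cloud_copy, clear),
        "search_token": gw.search_term("part_number", "AX-7-THRUSTER"),
        "alice_view": gw.inbound("alice", cloud_copy),
        "mallory_view": gw.inbound("mallory", cloud_copy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats a practitioner would want to keep in mind: deterministic tokens preserve equality, so an observer of the cloud data can count how often a value occurs even without learning it, and sorting or range queries on controlled fields need a different technique than the plain lookup vault shown here. The vault itself holds every clear value and is therefore the asset whose access control, durability and backups matter most.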