From China to India, organizations race to achieve compliance by 2025
In the world of encryption key management, the clock is ticking. Perhaps no more so than in China and India, where new data security regulations are poised to take effect in early 2025.
In China, a finalized regulation on network data (Administration of Network Data Security) promises stricter requirements around data sharing, data handling and cross-border data transfers.
Its implications run deep, impacting the operations of both Chinese and international businesses. Starting in January, these data processors will be obligated to meet specific data security requirements spanning encryption, backups, authentication and access controls.
A couple of months later, India’s Cybersecurity and Cyber Resilience Framework will arrive on the subcontinent. Written by the Securities and Exchange Board of India (SEBI), it introduces increased security standards and guidelines for regulated financial entities.
Classifying Data & Assessing Risk: New Cybersecurity Regulations
Both legal directives compel businesses to develop a clear, complete view of their data and the associated risks. Here’s a summary of the demands these policies include, in line with trends we see among global regulators:
- Take inventory of data
- Categorize data risk
- Assess risk & report status
- Monitor risk
- Mitigate risk (mitigations vary; more on that later)
While seemingly straightforward, these best practices require a shift in mindset for organizations unaccustomed to prioritizing data management and cybersecurity.
One of the first steps—identifying critical assets—requires a global view of data and existing encryption practices. Corporations with a multi-local footprint deal with dozens of markets, languages and policies. Oftentimes, data management across various business lines and teams has never been centralized, limiting visibility.
The process of taking inventory gives these businesses the opportunity to unify and centralize their systems at the same time, specifically their key management system (KMS). By doing so, they gain footprint-wide oversight of critical assets and encrypted material. With a streamlined KMS, they can categorize risk and begin meeting the mitigations required by each market in which they operate.
In China, data must be classified as normal data, important data and core data, with the latter two receiving higher safeguards. Sharing of core data requires state-level approval.
Authentication, Access & Logging: Verifying & Managing Users with PKI & KMS
Cybersecurity standards, including these additions in China and India, emphasize the importance of authentication and access controls. Proper verification, authorization and access management ensure that shared data avoids the wrong hands.
In order to integrate authentication, access and logging requirements, businesses rely on PKI and KMS technologies and expertise:
- Authentication: Digital certificates (PKI)
- Access Controls: Centralized KMS to grant, update & revoke access rights
- Access Logs: Global monitoring & data access audit logging via unified KMS
Access controls come in multiple forms. Taking the healthcare sector as an example, role-based access gives users pre-defined permissions that limit the type of data they can view. A receptionist does not need to view the same scope of personal health information as a surgeon. While all of these individuals work in the same universe, they do not require equal levels of access. The same holds true in manufacturing.
Discretionary access, on the other hand, determines access on a case-by-case basis with permissions granted by a centralized controller, e.g. via a KMS.
Before access controls can even be implemented, organizations need bullet-proof verification using PKI technology. After all, if the user’s identity is falsified, then access is granted to an untrustworthy individual.
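As an added illustration (not code from the original post), the following models the pattern described above: role-based permissions bounded by data classification, discretionary per-case grants issued by a central controller, and an audit log that records every decision. The role names, key identifiers and user ids are constructed for the example.

```python
"""Added example: a minimal central authorization check in the style of a
KMS, combining role-based access, discretionary grants and access logging.
All names here are constructed assumptions, not a real product's API."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data classes in the order of sensitivity the regulation describes.
CLASS_LEVELS = {"normal": 0, "important": 1, "core": 2}

# Role-based access: the highest data class each role may use.
# Roles are constructed for illustration (receptionist/surgeon per the text).
ROLE_MAX_CLASS = {"receptionist": "normal", "nurse": "important", "surgeon": "core"}


@dataclass
class KeyRecord:
    key_id: str
    data_class: str
    # Discretionary grants: users allowed this key case by case by the controller.
    grants: set = field(default_factory=set)


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, key_id, decision, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "key": key_id,
            "decision": decision, "reason": reason,
        })


def authorize(user: str, role: str, key: KeyRecord, log: AccessLog) -> bool:
    """Return True if `user` acting as `role` may use `key`; log every decision."""
    if role not in ROLE_MAX_CLASS:
        log.record(user, role, key.key_id, "deny", "unknown role")
        return False
    # Role-based check: the key's class must not exceed the role's ceiling.
    if CLASS_LEVELS[key.data_class] <= CLASS_LEVELS[ROLE_MAX_CLASS[role]]:
        log.record(user, role, key.key_id, "allow", "role-based")
        return True
    # Discretionary check: a per-case grant can override the role ceiling.
    if user in key.grants:
        log.record(user, role, key.key_id, "allow", "discretionary grant")
        return True
    log.record(user, role, key.key_id, "deny", "classification exceeds role")
    return False
```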
Codifying Mitigations: Detect, Monitor, Respond & Recover
India’s updated policies for regulated entities ensure that they put sufficient monitoring in place to detect anomalies and respond appropriately given the risk level. They require an Incident Response Management plan, a Cyber Crisis Management plan, a Response and Recovery plan and Root Cause Analysis capabilities.
In China, large data processors must assign a head of data security and set up an internal data management team. These professionals oversee risk assessments, training, complaints and reporting. To guarantee appropriate protections, they must demonstrate emergency response plans and implement emergency drills.
All of these data monitoring and response activities require a degree of centralization, best facilitated by a unified key management system:
- Centralized oversight of encryption activities
- Ability to classify keys & manage user access
- System for monitoring & pinpointing vulnerabilities & breaches
- Control center for emergency drills & rapid response to cybersecurity events
Regulatory Complexity Here to Stay
From Australia to the US to the EU, discussions around data management abound. Regulators realize the ubiquitous nature of data and the reality that our globalized world cannot function without cross-border sharing (China’s regulations specifically focus on data sharing and cross-border data transfers).
In these digital, connected times, keeping data safe becomes more and more the responsibility of regulators—the only authority able to throw a blanket of security standards over all market actors.
Incentivization by major market leaders has evolved cybersecurity to a point, but policymakers hold the key to leveling the playing field and compelling organizations to prioritize data security as part of their core business.