Since last year, storing and processing the personal data of EU citizens in the USA is no longer permissible. Many companies therefore increasingly have to ask where these processes currently take place and whether they need to adapt their data residency strategy to the legal requirements. This also applies to application security as soon as companies depend on cloud-native solutions for application security testing. Julian Totzek-Hallhuber, Principal Solution Architect at Veracode, explains how AppSec tests depend on data residency.
The storage and processing of personal data of EU citizens in the United States is no longer considered secure from a data protection point of view. This is what the European Court of Justice found last year. Since the introduction of the GDPR more than three years ago, the “Schrems II” ruling of 2020 has been an essential step in data security because it once again put the question of data residency in the spotlight.
Data residency is the location where data is collected, stored, and processed. The European Commission decided that EU citizens’ private data should remain within the borders of the European Union and should no longer travel across the Atlantic to be stored in the US. This applies particularly to companies from strictly regulated industries such as healthcare, administrations and authorities, and the financial sector.
The Storage Location Of Data Plays A Central Role
“Schrems II” had global consequences: international companies that are not located within the EU but work with customers from the EU are forced to process and store that data on servers located within the EU or in countries with an adequate level of data protection. These include, for example, online trading platforms. EU companies must meet the same requirements when transferring data abroad. At the same time, these data protection regulations govern access from international locations to data located within the EU. For example, if an EU company plans to outsource its customer service abroad, the selected country must comply with the stipulated level of data protection. If this is not the case, that location may not have access to personal EU data.
It is not only strictly regulated industries and e-commerce that are affected by these data protection requirements, but also software developers and the personal data of their users who may live in the EU. In addition, the question of data residency can have a significant impact on critical application security processes.
When It Comes To Application Security, Regular App Sec Tests Are A Must
During application development, vulnerabilities can sneak into the code, making the software vulnerable to attacks. To identify them as early as possible, development teams are therefore encouraged to test application code regularly. However, the results of the Current State of Software Security study show that 76 percent of the more than 130,000 scanned applications have at least one security vulnerability. Half of these vulnerabilities persist even after six months. If gaps are not identified and corrected, the risk of further errors accumulating increases. The result: the responsible teams are forced to provide costly and time-consuming patches afterwards – a process that can be avoided with frequent tests during the development phase.
To save resources and accelerate test processes, analytics and application security testing teams rely on cloud-native SaaS solutions. Besides the cost and time savings, a further advantage is the improved scalability compared to on-prem alternatives. Test processes can also be carried out automatically. However, data residency presents one difficulty: SaaS solutions for AppSec tests may also be hosted outside the EU. This brings with it potential risks to regulatory compliance in data processing and storage.
A New Data Residency Strategy Is Needed
The “Schrems II” decision made the question of data residency more critical. For many software companies, this is also the reason they are questioning their data protection and data residency strategy. The most important questions to answer here concern the location at which the data is currently hosted and where the data for AppSec tests is transferred. The use of cloud-native AppSec tools that are provided under a SaaS model with an option for a storage location in the EU is fundamentally a secure solution. Companies must be able to rely on the fact that all app data, including all instances of their software as well as the copies sent to third parties for scanning and testing, is stored in a single facility within the EU, operated by a provider who is familiar with all requirements for compliance with data protection regulations.
As in any other industry, tech companies need to make sure they comply with data storage regulations. Compliance with the legal requirements for data storage is a significant undertaking. Choosing a suitable SaaS offering can ensure that the hosting of applications does not later cause problems with regulatory compliance. This protects companies from potential fines and strengthens customers’ trust in the legally compliant protection of their data.