
What CCPA's latest draft regulation could mean for data security

Privacy regulators worldwide are responding to the rapidly increasing number of cyber security incidents. On July 15, the CCPA proposed a regulation for cybersecurity audits which will impose strict cybersecurity controls on organizations processing personal information of California residents.

Earlier this week the California Privacy Protection Agency released its draft regulation for cybersecurity audits ahead of yesterday’s board meeting.

With this proposed regulation the CCPA wants businesses to implement a cybersecurity program that

“protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information.”

If implemented as such, this proposed regulation would impose very strict cybersecurity requirements on for-profit businesses that deal with the personal information of California residents. These organizations will have to establish a process for an annual audit, starting 24 months after the regulation goes into effect. These audits will have to be performed by a qualified and independent auditor who will summarize their conclusions on the effectiveness of the cybersecurity program together with any gaps and potential remediation actions in their annual certification. This report will have to be signed by the board which will put cybersecurity high on their agenda. Just having cybersecurity policies will not be enough. The auditor will also audit the implementation of these policies and how effective they are in risk reduction.

The proposed regulation includes 18 cybersecurity controls that will have to be audited yearly. Businesses will have to implement these controls in a way that is appropriate for the business’s size and complexity and for the nature and scope of its processing activities. As such, not every business will implement the same program, but you will have to document the reasoning for any control you do not implement.

Evidently these controls will affect the whole organization, and not just the data platform. To help data platform teams prepare, we have summarized the controls that will impact the data platform below:
Authentication: The data platform team will have to make sure that MFA is turned on wherever possible and that, where it is not, strong passwords or passphrases are used.

Encryption: Personal information at rest and in transit will have to be encrypted.

Zero trust architecture: The data platform team will have to implement a framework that grants users access only to the applications and data they need to perform their job, and that prevents lateral movement across environments. For organizations that use SSO, that might mean introducing stringent account and access management in addition to MFA.

Account and Access Management: Access management plays an important role in the proposed regulation. Data platform teams will have to implement processes to manage and monitor:

  • Least Privilege Access where data consumers have just enough access and just in time, whether they’re employees, contractors or third parties.
  • Privileged Access where the number of users with admin rights is limited to the absolute minimum and where users have just-in-time temporary admin rights.

Inventory and management of personal information and information systems: Data platform teams will have to collaborate with the data governance team to catalog all personal information and report who has access to it, together with its data lineage. In addition, they will have to report on the data tags in use and how these tags are used to govern access to personal information.

Hardware and software inventory and approval process: The recent dbt security vulnerability shows why the data platform team needs an up-to-date view of the hardware and software the team uses. Such an inventory lets them quickly identify which software packages are affected by a security incident, quantify the impact on the organization, and take remediation actions.

Data masking: Sensitive personal information will have to be masked. Cloud data providers are increasingly offering this functionality, but applying it at scale will be challenging with today’s access management workflows. Data platform teams will have to introduce the necessary automation and integration with DevOps.

Secure configuration of hardware and software: The recent Snowflake data breaches have shown that you cannot rely on default configurations, and that as a customer you share responsibility for cloud data security. Data platform teams will also have to make sure their data platform has been securely configured and that software updates are applied regularly.

Audit-log management: Data platform teams will have to centrally store and monitor all audit logs. This covers data access and usage, but also any changes made to the data platform and its access controls.

Anomaly detection: Data platform teams will have to set up processes for network monitoring, including anomaly detection, and processes to detect and prevent unauthorized access, use, or disclosure of personal information.

Securing CI/CD: Organizations will have to improve the security of their CI/CD pipelines through code reviews and security testing.

Data retention: Data platform teams will have to collaborate with the data governance team to implement data retention schedules and procedures for deleting data that no longer needs to be retained.

Security incidents: Data platform teams will have to work closely with the security team to detect and report security incidents such as unauthorized access, use, or disclosure of personal information.

For completeness, the proposal also includes requirements for which the data platform team will not be responsible, such as internal and external vulnerability scans, penetration testing and vulnerability disclosure; antivirus and antimalware; information segmentation; limitation and control of ports, services, and protocols; promoting cybersecurity awareness and education; and business continuity planning.

It is important to note that organizations will also have to monitor the compliance of their third parties. Similarly to the NIS 2 Directive in Europe, this will mean that larger organizations impose strict security requirements on smaller third parties that would otherwise not have to implement them. This requirement casts a very broad net in terms of the organizations that will have to comply with the regulation.

When this new regulation goes into effect, data platform teams will have to significantly improve their data platform security. This will amount to a lot of work and can put everyone’s productivity at risk. Reach out to learn how Raito’s platform for all data security workflows can help you improve your cloud data platform’s security posture without impacting productivity.