McAfee MVISION Cloud

About the GDPR

The European General Data Protection Regulation (GDPR), a global law on data protection, went into effect within the European Union (EU) on May 25, 2018. This regulation requires anyone who collects or processes personal information about EU individuals to adhere to strict new policies to protect people's personal information. Under the GDPR, companies are required to demonstrate compliance, and put procedures and technology in place to keep the data safe from exposure, change, or unauthorized deletion. The data subjects have a say in what is done with their personal information. Regulators are allowed to impose fines of up to 4% of global turnover on companies that do not comply with the law.

According to the MVISION Cloud Resource Center publication, The GDPR: An Action Guide for IT: "Any organisation that collects data (a “data controller”) or stores and processes data (a “data processor”) on living individuals of the EU and EEA must conform to this regulation and incorporate appropriate policies and technology to conform."

MVISION Cloud has created a toolset to help your organization prepare for the impending GDPR. The EU GDPR Business Risk attribute identifies and lists this risk for all cloud services in the registry. You can leverage this attribute to create reports and searches that identify the CSPs your organization uses and gauge their readiness for GDPR.

For complete details about the GDPR and how to prepare your organization, download The GDPR: An Action Guide for IT.

 

GDPR in MVISION Cloud for Sanctioned IT

MVISION Cloud for Sanctioned IT addresses the following GDPR requirements.

Adequate Security

Only users provisioned in MVISION Cloud’s environments can log in to the cloud tenant (of that environment) to configure DLP policies and to view incidents and activity feeds. Any offending and sensitive content is encrypted using a tenant-specific key and can be saved in either the customer’s AWS S3 storage or in a MVISION Cloud-provisioned AWS S3 bucket. The customer can also choose to not provide any storage to save the offending sensitive content at all. When this content is presented on the MVISION Cloud dashboard, the browser’s request goes to MVISION Cloud, which fetches the content from AWS infrastructure. The content is then decrypted on the fly on MVISION Cloud before it is rendered in clear text in the browser. Note that this sensitive content can be obfuscated in the UI if that option is enabled. If the user is not granted the Incident Manager RBAC role, the user cannot view the incidents on the MVISION Cloud dashboard.

MVISION Cloud also provides an Enterprise DLP Integrator on-premise application that can be installed on virtual machines (VMs) provisioned by the customer in their environment. The DLP Integrator application provides a fingerprint solution and also integrates with other enterprise DLP solutions over ICAP, effectively allowing customers to leverage their existing infrastructure and policies. The VMs and DLP Integrator are located within the customer infrastructure, in accordance with customer policies and controls. Fingerprints are uploaded to MVISION Cloud over an SSL connection and persisted in the MVISION Cloud database.

Data Retention

All activity feeds captured in MVISION Cloud’s environment are retained for 90 days. All policy violation incidents captured in MVISION Cloud’s environment are retained until the customer requests that they be purged.

Data Minimization 

Specific Active Directory attributes’ data can be sent by the MVISION Cloud Connector application to MVISION Cloud over HTTPS. The data is not encrypted. Transfer of this data is enabled by the Cloud Connector user interface, if configured by the customer, and adheres to the customer’s policies and controls. By default, this is not enabled on Cloud Connector, and the customer can choose to leave it disabled.

 

Customer Support for Data Subject Rights

Access to the MVISION Cloud dashboard is controlled through Role-Based Access Controls, which provide roles such as Executive Summary, Policy Manager, Incident Manager, Administrator, etc. Based on the role assigned to the user, appropriate navigation options are displayed in the MVISION Cloud user interface. Users can view and download only the data pertaining to the pages visible per the role assigned to them.

 

Data Deletion

To purge data from MVISION Cloud’s environment, the customer should log a ticket with MVISION Cloud Support specifying what needs to be deleted. For example, delete all data, or delete only incidents for a specific time range. Support works with the operations team, which in turn provisions all necessary approvals before securely deleting the data from databases and backups.

 

Data Handling and Informing Customers

Data consists of DLP policy incidents, activities that can identify insider threats and compromised accounts, and access control policies for data based on user role, device, and/or location. It is possible to configure the tenant so that data does not leave the country.

The MVISION Cloud DLP solution integrates with other cloud services via APIs or proxy. MVISION Cloud periodically fetches activity feeds and polls for any changes to the account being monitored and fetches the files for a DLP scan. Data fetched for the scan is held in MVISION Cloud’s cloud-hosted virtual machine memory temporarily, where the DLP policy scan is performed. After the scan, the data is erased from the transient memory and any violation reported is persisted as an incident with necessary metadata. File data itself is not saved. The customer can configure MVISION Cloud to save offending and sensitive content in MVISION Cloud-provided or customer-provided AWS S3 storage for customers to analyze. Activity feed data is persisted in the MVISION Cloud database, which contains the type of activity performed, username, timestamp, etc.

Customers are informed about the MVISION Cloud architecture and Points of Presence (POPs) where data can be stored. They can choose the location, and accordingly, a specific environment can be configured for the tenant.

Per the tenant configuration, all data is stored in that POP, and is not transferred outside of the environment.

Support

Customers can onboard a MVISION Cloud Sanctioned IT application for DLP and activity monitoring by providing the API credentials on the MVISION Cloud dashboard. The credentials are actually provided on the Cloud Service Provider’s (CSP) site or window, and therefore MVISION Cloud does not play a role during authentication. Once the user is authenticated, an OAuth token provided by the CSP is saved by MVISION Cloud and is used to connect to the service via APIs. A similar flow exists for accessing CSPs via Proxy.

Note that a customer may allow Support and/or specific account team members access to their MVISION Cloud tenant user interface to monitor progress and health. In that case, MVISION Cloud Support can view the customer’s PII data and is therefore governed by the customer’s policy and procedures.

Telemetry

Monitoring and alerting are implemented at the product level, as well as by the Operations team at the infrastructure level, for various health stats on components such as queuing, databases, backlogs, delays in processing, etc.

 

GDPR in MVISION Cloud for Shadow IT

MVISION Cloud for Shadow IT addresses the following GDPR requirements.

Adequate Security

Only users who have an account to log in to the MVISION Cloud dashboard can access the data. MVISION Cloud Connector, an on-premise application, is installed on virtual machines (VMs) provisioned by the customer in their environment. The VMs, and therefore Cloud Connectors, are located within the customer infrastructure, in accordance with customer policies and controls.

Edge device logs may contain Personally Identifiable Information (PII) data such as usernames and source IP addresses, as configured. The Cloud Connector configuration provides an option to tokenize PII data before uploading the events to MVISION Cloud. All the data transferred by Cloud Connector is compressed before uploading to the cloud over a secure SSL connection.

Cloud Connector application health and file process statistics are uploaded to MVISION Cloud for monitoring. Health statistics are sent to MVISION Cloud every 30 minutes by default, but the interval is configurable. Statistics are used by Support personnel for monitoring the health of the deployment.

Data Retention

Within MVISION Cloud Connector, the tokenization mapping must be retained for as long as Cloud Connector is running. It is required because detokenization of usernames or IP addresses is requested on the fly, while the MVISION Cloud dashboard is rendered, between the customer’s browser and Cloud Connector's virtual machine when they are in the same network. Note that detokenization does not work unless both systems are within the customer’s network.

Data in the MVISION Cloud infrastructure is aggregated on a daily, weekly, and monthly basis. Aggregation keeps daily data for 45 days, weekly data for 13 weeks, and monthly data for 14 months. Daily data is rolled up to weekly, and weekly to monthly. Any data older than 14 months is purged by default.

Data Minimization

As part of log processing, Cloud Connector matches the domains and IP addresses used against the MVISION Cloud Registry, and uploads only the configured fields from Firewall/Proxy logs to the cloud for further aggregation and analysis. These fields are a subset of each event.

For Active Directory-based correlation, a maximum of five required fields, associated with the user in the event itself, can be transferred per event.

Customer Support for Data Subject Rights

Access to the MVISION Cloud dashboard is controlled through Role-Based Access Controls, which provide roles such as Executive Summary, Policy Manager, Incident Manager, Administrator, etc. Based on the role assigned to the user, appropriate navigation options are displayed in the MVISION Cloud user interface. Users can view and download only the data pertaining to the pages visible per the role assigned to them.

Data Deletion

Users can purge tokenization mapping and any debug or error logs on Cloud Connector, which will effectively delete all the PII data present in the Cloud Connector's VM. If tokenization mapping data is not available, detokenization won’t be possible, and a logged-in user will be presented with tokens instead of usernames or IP addresses, even if they have privileges to view them.
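The tokenize-before-upload, configured-field subset and mapping purge behaviour described in the Adequate Security, Data Minimization and Data Deletion sections, as an added Python example that is not Cloud Connector's own code. The class and function names, field names, token format and HMAC-based scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed field names; the page only says a configured subset of each event is uploaded.
UPLOAD_FIELDS = ("timestamp", "user", "src_ip", "dest_host", "bytes_out")
PII_FIELDS = ("user", "src_ip")


class LocalTokenizer:
    """Hypothetical on-premise tokenizer: key and mapping never leave this host."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._mapping = {}  # token -> clear value, needed for detokenization

    def tokenize(self, value):
        # Keyed hash: the same user always yields the same token, so cloud-side
        # analytics still correlate events, but nobody without the key can recompute it.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:16]
        self._mapping[token] = value
        return token

    def detokenize(self, token):
        # Without a mapping entry the viewer is shown the token itself.
        return self._mapping.get(token, token)

    def purge(self):
        # Drop the mapping and rotate the key so old tokens cannot be re-derived.
        self._mapping.clear()
        self._key = secrets.token_bytes(32)


def prepare_upload(event, tokenizer):
    """Keep only configured fields and tokenize the PII ones before upload."""
    return {name: tokenizer.tokenize(event[name]) if name in PII_FIELDS else event[name]
            for name in UPLOAD_FIELDS if name in event}


def render_for_dashboard(uploaded, tokenizer):
    """Detokenize PII fields for a viewer who can reach the local tokenizer."""
    return {k: tokenizer.detokenize(v) if k in PII_FIELDS else v
            for k, v in uploaded.items()}


# Constructed proxy log event (not real data).
SAMPLE_EVENT = {"timestamp": "2018-05-25T09:14:02Z", "user": "jdoe",
                "src_ip": "10.1.2.3", "dest_host": "files.example.com",
                "bytes_out": 48211, "url": "https://files.example.com/u?doc=payroll",
                "user_agent": "ExampleBrowser/1.0"}
```

Rotating the key in `purge()` is a design choice of this example: it also breaks correlation between events uploaded before and after the purge.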

Users may download reports, and those reports must be deleted as they may contain PII data. Customers may also allow access to the MVISION Cloud dashboard of their tenant to certain MVISION Cloud account team representatives or Support personnel. In that case, the customer must request that those individuals delete any data saved locally. Note that detokenization is not possible on the fly if the user accessing the MVISION Cloud dashboard is not in the same network, so external personnel won’t be able to see usernames and IP addresses in clear text.

Customers can also raise a request to MVISION Cloud Support via Salesforce to securely purge their data in the MVISION Cloud infrastructure. In that case, the Operations team that manages the data will purge the data in databases as well as from backups. Approval mechanisms are in place before data is securely purged from the backend.

Periodically, as part of data retention and rotation policies, Shadow data older than 14 months is automatically purged.

Data Handling and Informing Customers

MVISION Cloud for Shadow IT delivers the following capabilities:

  • Cloud Discovery and Risk Monitoring. Processes logs and identifies all the cloud services in use within your organization. Provides an objective and customizable risk assessment for each cloud service.
  • Cloud Usage Analytics. A Hadoop-based analysis engine detects usage anomalies based on statistical and behavioral models. Identifies risky user behavior, inconsistent policies, and underutilized subscriptions to cloud services.

Underlying data for analysis is provided through customer’s proxies, firewalls, or SIEMs, and is processed by an on-premise Cloud Connector application. It is a lightweight on-premise application that processes egress device logs and identifies relevant log entries while tokenizing confidential information.

You can configure Cloud Connector to upload the data to a specific MVISION Cloud environment, and it can be configured so that data does not leave the country.

Customers are informed that the data collected consists of logs from their firewalls or proxies. Specific Active Directory attributes pertaining to the users in the events can also be configured to be sent to MVISION Cloud. PII data from events and AD can be configured to be tokenized before uploading to MVISION Cloud.

As part of the Cloud Connector installation, customers provide the environment where the Cloud Connector will upload data. This way, customers are aware of the data storage location based on the deployment location of the MVISION Cloud environment.

The data is transferred from Cloud Connector to the configured environment over a secure connection.

Support

Sample log files are provided by the customer to MVISION Cloud Support to enable Cloud Connector configuration and to define the regular expressions needed to parse the edge device logs for processing. Usually, customers obfuscate the PII data from the logs before sharing with Support.

For troubleshooting, customers might be expected to share debug and error logs from Cloud Connector's VM for analysis, and these files might contain PII data. Data that is collected is managed and controlled in accordance with standard Support operating procedures.

Infrequently, a copy of the tokenization database might be shared with Support to allow for further investigation into a problem. The release of such data to MVISION Cloud is controlled by the customer and follows standard Support operating procedures.

Telemetry

Cloud Connector application health and file process statistics are uploaded to MVISION Cloud for monitoring. Health statistics are sent to MVISION Cloud every 30 minutes by default, but the interval is configurable. Statistics are used by Support personnel for monitoring the health of the deployment. Monitoring health data is retained for the past 90 days. 
