Unpacking China’s New Data Security Law and Privacy Legal Framework

By Michael Cunningham • September 9, 2021

If you’re a multinational enterprise (MNE) that does business in or with China, you’re likely aware of the Data Security Law (DSL) that went into effect on September 1, 2021. The DSL adds to an increasingly comprehensive legal framework for information and data security in China. The law also imposes extensive data processing requirements and potentially severe penalties for violations.

This article attempts to share a high-level overview of the DSL and put into context the overall state of data governance in China. First, a disclaimer: This article isn’t legal advice. Instead, it is a high-level look at a new set of data governance and regulations that affect our customers. We do recommend that you seek guidance from your legal department and other relevant experts.

A Brief Recap of China’s Recent Data Security Initiatives

The recent legal moves by China over the past few years address the country’s growing concerns over the amount of data collected by firms and whether that information is at risk of misuse and attack, particularly by foreign nations. On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which took effect earlier this month (September). The DSL, together with the 2017 Cybersecurity Law and the just-passed Personal Information Protection Law (PIPL), will form an increasingly comprehensive legal framework for information and data security in China. 

Data Security Law Highlights

The primary purpose of the DSL is to regulate “data activities,” safeguard data security, promote data development and usage, and protect individuals and entities’ legitimate rights and interests. Additionally, the DSL focuses on safeguarding China’s state sovereignty, state security, and development interests. 

Extraterritorial Jurisdiction

The DSL provides broad extraterritorial jurisdiction. According to Article 2, the law governs data activities conducted within China as well as those outside the country that may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese citizens or entities.”

Defining and Classifying Data 

The DSL requires all companies in China to classify the data they handle into several categories and governs how that data is stored and transferred to other parties. The classification system will control data according to the data’s importance (i.e., “important data”) to China’s economy, national security, and public and private interests. 

The DSL further introduces a separate regulatory framework for “core state data,” broadly defined as data involving national security, lifelines of the national economy, importance to people’s livelihood, and significant public interests. Core data are subject to stricter processing regulations. 

Currently, the data classification system details are not specified in the DSL but are expected to be rolled out in the future.

Data Security Compliance Obligations

The DSL imposes general obligations on companies and individuals who carry out any data activities, including: 

  • Establishing comprehensive data security management systems, organizing data security education, and implementing necessary measures to ensure data security 
  • Strengthening risk monitoring, taking corrective actions when data security flaws or “loopholes” are discovered, and notifying users and authorities of security incidents 
  • Conducting regular risk evaluations of the data activities for “important data” processors and reporting results to relevant authorities.

The more sensitive the data a company handles, the more rigorous the data security obligations. For example, in addition to obeying strict processing restrictions for “national core” data, entities that process “important data” must: 

  • assign a data security officer, 
  • create a data security management department, 
  • conduct regular evaluations to monitor potential risks, and 
  • report results to appropriate government agencies.

Cross-Border Data Transfer Requirements

There are many details about cross-border data transfers that we won’t cover in this article. But, basically, the DSL doesn’t allow the transfer of any data from China to any foreign law enforcement agencies or judicial bodies without approval from the appropriate Chinese government authorities, creating complications for companies legally required to submit data to foreign authorities. 

For example, companies established in China that offer goods or services in the European Union (EU) are subject to the EU General Data Protection Regulation (GDPR), which allows EU supervisory officials to request data when exercising their enforcement powers. However, China requires that companies receive government approval before transferring data in response to GDPR enforcement requests. 

Again, the DSL currently provides no specific guidance to companies on this requirement. 

Penalties for Noncompliance

Penalties for failing to comply with DSL requirements include demands for rectification, warnings, monetary fines, forfeiture of illegal gains, revocation of business licenses, and/or orders to close down businesses. Noncompliance with the DSL that rises to the level of a criminal or administrative offense may also be prosecuted under China’s Criminal Law or be subject to administrative penalties. In addition, the DSL allows parties to recover damages through civil litigation in court.

What’s Next? Here’s How Appsian Security Can Help

MNEs currently conducting business in and with China are likely already used to stringent information and data security controls and may have existing internal policies for information technology, data management, and privacy already in place. Even so, those companies will benefit from additional reviews of their data processing policies and activities for potential non-compliance risks.

Additionally, it’s a good time to talk with Appsian Security to learn how the Appsian Security Platform (ASP) can help you comply with China’s DSL, along with other global compliance regulations like GDPR. ASP gives you complete control and visibility over your business data using a comprehensive platform that combines data security, identity and access management, and governance, risk, and compliance (GRC). 

Contact us today for a demonstration.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

Access Governance is Critical for Preventing Phishing Attacks

By Piyush Pandey • May 18, 2020

The news is flooded with stories about cybercriminals successfully engaging in phishing and social engineering aimed at exploiting people’s COVID-19 fears, all in order to steal user credentials to business applications and VPNs. From fake delivery notifications to World Health Organization (WHO) impersonations, malicious actors are preying on people’s emotions during this pandemic.

The credentials used for authentication are ultimately an organization’s network perimeter. This puts organizations in a difficult position — they can limit employees’ access to these systems and risk negative impacts on productivity and business continuity, or they can bury their heads in the sand and hope nothing bad happens. Many are choosing the latter, and the implications are being felt worldwide.

Why There is a Correlation Between a Stressful Environment and Cyber Attack Volume

Social engineering fundamentally relies on taking advantage of strong emotions to trick people into taking actions that can cause them harm. This crisis has emotions running high, and many employees are stuck in a state of fight or flight.

Research shows that stress impairs the brain’s ability to make decisions. That’s why, when people are under stress, they often take more risks and engage in activities that could cause them harm. In other words, employees are not forgetting their phishing training; their brains are functionally incapable of making good decisions.

Cybercriminals rely on emotional responses. Whether the goal is clicking on a link, downloading a document, or opening an attachment, emotionally charged content (e.g., a fake layoff announcement email with a malware attachment) is more likely to result in a successful attack.

The problem isn’t the people; it’s the cybercriminals and the tactics they use.

How to Prevent Phishing Attacks?

The Principle of Least Privilege

Often, companies view data protection solely from the compliance and financial risk perspective. Unfortunately, this doesn’t go nearly far enough. It is recommended that companies consider limiting user access to resources based on the principle of least privilege, or the absolute minimum access necessary to complete a job function. Least privilege is a governance strategy that has never been more relevant than today — especially as organizations rely on remote workforces. Fundamentally, when users have more access than necessary, they may accidentally (or intentionally) violate compliance requirements designed to protect the organization.

Today, access governance is largely dictated by predetermined roles and permissions, usually classified into groups (administrator, power user, etc.). This classification of permissions is tied to authentication processes like username/password security models that are heavily targeted by cybercriminals through phishing and social engineering. Further, if a phishing attack compromises a user’s credentials, then the cybercriminal may access or acquire as much sensitive data as the victim’s role will allow. This is precisely where least privilege should kick in.

The rise of phishing attacks that target coronavirus fears not only places organizational data at risk, but it also places employees at risk — especially those with high privileges. Many employees use the same credentials for multiple applications, such as social media networks and shared cloud drives. If one set of credentials is compromised, multiple systems are now at risk.

Limiting access to data according to the principle of least privilege provides organizations with the tools necessary to prevent catastrophic data breaches. A good question to ask yourself is, what data should my administrators and power users have access to? Do they need easy access to executive payroll data? Do they need easy access to other employee social security numbers? What do they really need easy access to in order to do their job?

The truth is, they will likely need access to some sensitive data, so how do you protect data that users still legitimately need under the principle of least privilege?

Zero Trust

“Zero trust” often sounds harsh — trust no one, assume a threat at all access points, and never grant access by default (e.g., through a predetermined role and privilege). At first glance, this mentality appears to go against corporate values like collaboration and integrity, but, in reality, it fosters them.

Moving toward an IT culture based on zero trust means that an organization can identify all devices, users, applications, and data across its ecosystem. Then, the organization can establish the appropriate controls that limit access where appropriate.

Fundamentally, a zero trust model encourages collaboration and integrity while also supporting employees who mean well but could be making risky decisions while under stress — coronavirus related or otherwise. By setting zero trust identity and access controls, organizations ensure constant alignment between who an employee is and what they have access to, thus, mitigating risk.

Multi-Factor Authentication

Part of establishing an effective zero trust model involves finding solutions that allow organizations to apply contextual attributes when granting access. Attribute-based controls adapt to different contexts and ultimately drive how and when users can access information. For example, an attribute might be geolocation or time of day. Adaptive multi-factor authentication (MFA) takes these attributes and requires additional authentication as users move across systems or within applications. For example, to log into an ERP system, passing a standard authentication challenge is required. Then, to update direct deposit or access payroll information, an adaptive MFA challenge should be deployed. Zero trust means that passing through the front door of the application does not, by itself, let a user execute the most sensitive transactions.

As employees work remotely, organizations may want to incorporate adaptive MFA so employees in finance or human resources can securely authenticate to their ERP systems. Adaptive MFA will detect anomalous locations or times for activity, trigger an additional authentication process, and prevent malicious actor access.

Ultimately, zero trust and adaptive MFA protect the organization, the person whose information was almost leaked, and the employee whose credentials were stolen. The organization can be alerted to the cybercriminal’s attempt to gain entry to its networks, the person whose data was almost leaked retains privacy, and the employee whose credentials were phished is protected from the negative impact of their privilege being hijacked.
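The decision logic described above, written out as an added example (this is illustrative code, not Appsian's product): an access request carries contextual attributes (country and time of day) and the transaction being attempted; sensitive ERP transactions such as updating direct deposit always trigger a step-up MFA challenge, anomalies in context trigger one as well, and every decision produces an audit line. The transaction names, the user baseline and the sample requests are constructed.

```python
"""Adaptive (step-up) MFA decision for ERP transactions.

Added illustration of the policy described in the article; it is not Appsian's
product code. Transaction names, the user baseline and the sample requests are
constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Transactions singled out as sensitive: step-up MFA is always required for
# these, even when nothing about the session context looks unusual.
SENSITIVE_TRANSACTIONS = {"update_direct_deposit", "view_payroll", "query_export"}


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user (constructed here; a real system
    would learn it from prior successful logins)."""
    usual_countries: set
    work_hours: tuple  # (start_hour, end_hour) on a 24h clock, end exclusive


@dataclass
class AccessRequest:
    user: str
    transaction: str
    country: str
    timestamp: datetime       # assumed to already be in the user's local time
    primary_auth_ok: bool     # password / SSO challenge at the "front door"
    mfa_verified: bool = False  # a step-up challenge already succeeded this session


@dataclass
class Decision:
    action: str               # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)


def request(user, transaction, country, when, primary_auth_ok, mfa_verified=False):
    """Convenience constructor taking an ISO-8601 local timestamp string."""
    return AccessRequest(user, transaction, country, datetime.fromisoformat(when),
                         primary_auth_ok, mfa_verified)


def context_anomalies(req, baseline):
    """Contextual attributes from the article: geolocation and time of day."""
    reasons = []
    if req.country not in baseline.usual_countries:
        reasons.append(f"unusual_location:{req.country}")
    start, end = baseline.work_hours
    if not start <= req.timestamp.hour < end:
        reasons.append(f"unusual_time:{req.timestamp.hour:02d}h")
    return reasons


def evaluate(req, baseline):
    """Zero-trust rule: passing the front door never by itself unlocks a
    sensitive transaction; anomalies or sensitivity require a second factor."""
    if not req.primary_auth_ok:
        return Decision("deny", ["primary_auth_failed"])
    reasons = context_anomalies(req, baseline)
    if req.transaction in SENSITIVE_TRANSACTIONS:
        reasons.append(f"sensitive_transaction:{req.transaction}")
    if not reasons:
        return Decision("allow")
    if req.mfa_verified:
        # Challenge already passed this session; still record why it was needed.
        return Decision("allow", reasons)
    return Decision("step_up", reasons)


def audit_line(req, decision):
    """One log line per decision, so the organization is alerted to attempts."""
    return (f"{req.timestamp.isoformat()} user={req.user} txn={req.transaction} "
            f"country={req.country} action={decision.action} "
            f"reasons={','.join(decision.reasons) or '-'}")


if __name__ == "__main__":
    baseline = UserBaseline(usual_countries={"US"}, work_hours=(7, 19))
    samples = [
        request("jdoe", "view_benefits", "US", "2020-05-18T10:00", True),
        request("jdoe", "update_direct_deposit", "US", "2020-05-18T10:05", True),
        # Constructed phishing scenario: a valid password used from abroad at 03:00.
        request("jdoe", "update_direct_deposit", "XX", "2020-05-19T03:00", True),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r, baseline)))
```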

Remote Access Means Phishing and Phishing Requires Additional Strategies 

Organizations have tried to protect themselves from phishing attacks for years. What they have not done is protect themselves during a time of social, emotional, and physical upheaval. But, the current upward trend in phishing attacks should come as no surprise to organizations. Cybercriminals never rest — they take advantage of any weaknesses in an IT ecosystem, both digital and human.

Maintaining strong identity and access governance strategies ensures that both data and end-users can be protected during these strange and unusual times.

This article was originally published by Mission Critical Magazine. 

December is Prime “ERP Data Breach” Season… Be Prepared!

By Scott Lavery • November 28, 2018

Establishing security best practices for your PeopleSoft applications is always a work in progress. As newer, more advanced threats come to light, staying current can feel like a daunting task. While PeopleSoft systems are inherently robust and secure, a constantly evolving threat landscape, PLUS new data regulations, have paved the way for several necessary security enhancements. As the end of 2018 draws near, now more than ever, organizations must be aware of the many threat actors who know that “year-end” bonus season is coming… and are preparing their tactics to redirect your employees’ hard-earned payroll/bonuses.

What is the weakest link in your ERP security chain?

Threats today have become increasingly user-centric. The targets for malicious hackers have shifted from entire networks to applications. Through phishing and social engineering attacks, most ERP breaches now originate from the unauthorized use of valid login credentials – stolen directly from the users themselves. This makes your users (and their passwords) by far the weakest link in your security chain.

Recommendations for mitigating the “human error” element

Drawing on dozens of successful PeopleSoft security projects, security experts at Appsian have compiled a list of best practices that every organization must adopt, and have detailed the steps that should be taken to implement a layered approach to securing PeopleSoft. Rather than solely focusing security efforts on the perimeter, we will discuss how your sensitive data can be protected from malicious intruders (and even insiders) who are able to access PeopleSoft with valid credentials:

  • Enabling SAML for centralized identity management and establishing a single sign-on to reduce the risk caused by users having multiple (potentially) weak passwords.
  • Expanding traditional multi-factor authentication from login-only to field, page and component levels to ensure data protection from insider threats.
  • Employing location-based security to enforce least privilege access when sensitive systems are being accessed from outside your corporate network.
  • Enhancing data masking to alleviate challenges posed by static role-based masking rules and reduce unwanted exposure of sensitive data fields.
  • Extending logging capabilities to be compliance-ready, with 360-degree awareness of what is going on inside your PeopleSoft systems and of user activity.
  • Bringing real-time visibility to breaches, suspicious events, and potential vulnerabilities by incorporating security analytics into your PeopleSoft security infrastructure.

Download the whitepaper to learn more about the best practices for achieving an end-to-end security and compliance strategy.

On a time-crunch? Request a quick session with our PeopleSoft security experts.

University of Waterloo relaunches direct deposit self-service functionality for employees

By Chris Heller • August 11, 2017

Direct deposit is a given for most of us. Until it doesn’t work. I definitely remember the days of getting paper checks in the mail….or not.

Our customer – University of Waterloo – recently relaunched their direct deposit functionality, which allows employees to add or update their direct deposit bank account information online through myHRinfo self-service.

Here’s a link to an article from their Daily Bulletin newsletter

The implementation of ERP Firewall, which provided UWaterloo with additional layers of security on top of their PeopleSoft HCM system, was foundational to the relaunch.

Why the 2017 Anthem Healthcare breach matters to PeopleSoft customers

By Chris Heller • August 6, 2017

A GreyHeller customer – one of the largest financial services firms in the US – licensed and implemented our ERP Firewall layered security platform specifically to put in place detailed logging and analysis to prevent the same type of breach suffered by Anthem Healthcare in 2015. Anthem settled that breach for $115 million.

On July 31, 2017 it was reported that Anthem suffered another breach. This breach involved a malicious insider – one of the hardest situations to track down.

If you as a PeopleSoft customer are concerned about your PeopleSoft sensitive data being exfiltrated, our ERP Firewall software solution can help.

By layering:
• Multi-Factor Authentication, to prevent a phished employee’s credentials from being used with Query to download sensitive data
with:
• Data Masking, to redact sensitive data

you can prevent cybercriminals from stealing your sensitive PeopleSoft data.

How does it work and how easy is ERP Firewall to implement?

ERP Firewall plugs into your PeopleSoft web server and is delivered with a pre-configured set of the most commonly used rules (based on implementing ERP Firewall for nearly 100 customers). Our highly automated install process takes a couple of hours, after which you will be invoking MFA, masking data and logging transactions at a highly granular level. Many of our customers actually go live within 30 days of installation.

PS_TOKEN, Phishing and PeopleSoft

By Chris Heller • December 2, 2015

After the PS_TOKEN threat vector was announced at Hack in the Box Amsterdam in May 2015, security organizations started adding specific tests for PS_TOKEN into their penetration test portfolio. Find out what this means to your organization.

Phishing and spear phishing attacks are specifically targeting PeopleSoft systems. Every month, organizations lose money to fraudulent direct deposit transactions.

Layered security within your PeopleSoft application is a must to protect against the known threats of today and the unknown threats of tomorrow.

In this session, Greg Wendt, Executive Director, Security Solutions, talks about numerous takeaways learned from GreyHeller’s PS_TOKEN assessments and how a layered security model keeps you protected. Topics include:

  • Mitigation options
  • Best practices
  • Lessons learned
  • Incident Response
  • Defense-in-depth for PeopleSoft

Oracle’s CVE-2015-4852 Update

By Greg Wendt • November 11, 2015

Since many PeopleSoft customers use WebLogic for their PeopleSoft environment, we wanted to highlight yesterday’s security alert. Oracle released an out-of-band security update (more information) for issues within Oracle WebLogic Server. The recommendation is to apply the patch and mitigation steps as soon as possible. While out-of-band security updates are rare, they are not unheard of. PeopleSoft customers need to review the update as soon as possible.

The CVSS (Common Vulnerability Scoring System) score of this update is 7.5 (more information). For reference, vulnerabilities are scored from 0 to 10 based on numerous factors, such as how easily the flaw can be exploited. CVSS score ranges are Low (0 – 3.9), Medium (4.0 – 6.9) and High (7.0 – 10.0). The high base score of this update most likely led to the out-of-band patch being released.

As always if you ever have security questions, remember our assessment opportunity.

Stay safe and keep secure!

PS_TOKEN becoming standard PeopleSoft Penetration Test

By Greg Wendt • November 6, 2015

After the PS_TOKEN threat vector was announced at Hack in the Box Amsterdam in May 2015, security organizations started adding specific tests for PS_TOKEN into their penetration test portfolio.

If your organization does regular penetration tests (which you should if your PeopleSoft system is publicly available on the internet), your organization may fail and would therefore have to remediate this risk immediately.

What does this mean to you?

More time and effort will be required to deal with test results moving forward. Prepare for this situation today.

GreyHeller is the leading expert in performing PS_TOKEN assessments for customers and non-customers alike.  Ensure your organization is in the most secure position by scheduling your assessment with GreyHeller today. 

Automation of Identity Management Ensures Data Security

By Greg Wendt • October 15, 2015

Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss.  However, if they don’t focus on internal processes around their organization’s employees’ changing roles and responsibilities, organizations are missing a key area of risk.

Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency.  Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.

New employee onboarding

If done manually, the security implications of hiring a new employee can be daunting and prone to error.  The provisioning process starts: computer access, id and password, network access, and application access are all just the tip of the iceberg.  HR processes have to be followed; FERPA or HIPAA tests need to be passed.  Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.

To accomplish this, the hiring event starts the automated process of providing least privileged access.  With this in place, new employees have access only to the initial set of self-service functions, such as enrolling in benefits.  This allows the account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks.  Granting higher privileged access is covered in the next section.

Newly hired, promoted or transferred workers

When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.

To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities.  That way the system naturally mitigates privilege creep through job migrations.

Administrative access requests

Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application.  Therefore, tracking these systems is absolutely critical.  These high privileged users have access to the institution’s most prized data or intellectual property.

Organizations should establish a change control process over administrative privileges, whether they are project related or ongoing. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.

Terminations – there goes the data!

Termination is a critical security event.  When an employee is terminated (whether voluntarily or involuntarily) the clock is ticking on restricting their access.  An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.

To address this concern, access must be removed from numerous systems precisely and efficiently especially for high privileged users.  When an employee gives a two-week notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.

Automating this process involves tying the termination request to the modification of the user’s privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self-service HR functions. This has to be done immediately upon the termination event, and logging all access for these users is critical.
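The job-code-to-privilege mapping from the transfer section and the termination rule from this section, carried through as one added example (illustrative code, not a vendor implementation): each HR event updates the account's state, the entitled role set is derived from that state, and reconciling held roles against entitled roles both provisions new access and surfaces privilege creep. Job codes, role names and the change ticket id are constructed.

```python
"""Job-code-driven role reconciliation for hire, transfer, administrative-grant
and termination events.

Added illustration of the automation described in the article; it is not a
vendor implementation. Job codes, role names and ticket ids are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Roles every worker keeps, including after termination: the "base HR
# self-service" functions the article says survive offboarding.
BASE_SELF_SERVICE = frozenset({"EE_SELF_SERVICE", "BENEFITS_ENROLL", "PAYSLIP_VIEW"})

# Constructed job-code -> entitled-roles mapping ("job codes mapped to
# privileges"). Anything not derivable from here needs a change-control ticket.
JOB_CODE_ROLES = {
    "HR_ANALYST":    frozenset({"HR_VIEW", "HR_QUERY"}),
    "PAYROLL_ADMIN": frozenset({"PAYROLL_VIEW", "PAYROLL_UPDATE", "HR_QUERY"}),
    "IT_HELPDESK":   frozenset({"ACCOUNT_RESET"}),
}


@dataclass
class Account:
    user: str
    job_code: Optional[str] = None
    status: str = "active"          # "active", "notice" or "terminated"
    roles: set = field(default_factory=set)
    admin_grants: dict = field(default_factory=dict)  # role -> change ticket id
    log_all_access: bool = False    # heightened logging once notice is given


def entitled_roles(acct):
    """The roles this account should hold right now, derived from HR state."""
    if acct.status in ("notice", "terminated"):
        return frozenset(BASE_SELF_SERVICE)   # ticketed admin grants lapse too
    job_roles = JOB_CODE_ROLES.get(acct.job_code, frozenset())
    return BASE_SELF_SERVICE | job_roles | frozenset(acct.admin_grants)


def apply_event(acct, event):
    """Update HR state from an onboarding/transfer/admin/termination event."""
    kind = event["type"]
    if kind in ("hire", "transfer"):
        acct.job_code = event["job_code"]
        acct.status = "active"
    elif kind == "admin_grant":
        acct.admin_grants[event["role"]] = event["ticket"]  # tracked, never silent
    elif kind in ("notice", "terminate"):
        acct.status = "notice" if kind == "notice" else "terminated"
        acct.admin_grants.clear()
        acct.log_all_access = True
    else:
        raise ValueError(f"unknown event type: {kind}")
    return acct


def reconcile(acct):
    """Diff held vs. entitled roles and apply the fix. Roles held but no longer
    entitled are privilege creep; they are returned so the caller can alert."""
    wanted = entitled_roles(acct)
    to_add = sorted(wanted - acct.roles)
    creep = sorted(acct.roles - wanted)
    acct.roles = set(wanted)
    return to_add, creep


def process(acct, events):
    """Run events in order, reconciling after each; returns the audit trail."""
    trail = []
    for ev in events:
        apply_event(acct, ev)
        added, removed = reconcile(acct)
        trail.append((ev["type"], added, removed))
    return trail


if __name__ == "__main__":
    jdoe = Account("jdoe")
    lifecycle = [  # constructed sequence of HR events
        {"type": "hire", "job_code": "HR_ANALYST"},
        {"type": "transfer", "job_code": "IT_HELPDESK"},
        {"type": "admin_grant", "role": "SECURITY_ADMIN", "ticket": "CHG-0042"},
        {"type": "terminate"},
    ]
    for step in process(jdoe, lifecycle):
        print(step)
```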
