
NordLayer features in review: Site-to-Site

Can any employee access company resources from anywhere and at any time? It depends on the company’s infrastructure. Recently established businesses are more likely to be able to provide access wherever their teams are. Companies with legacy architectures, however, need to adapt before they can offer the same flexibility of time and place.

Every company infrastructure setup is unique. Therefore, it may require a different approach to solving the same challenges — like how users can access office-based data, applications, or devices while not being present on that particular site.

The most common solution is a VPN, both for security and to enable distributed teams. Which VPN fits, however, depends on its type and on the existing company network arrangement.

If your target is to enable employees to securely connect to different offices and branches of the organization despite being elsewhere, Site-to-Site VPN is the option to explore.

Site-to-Site solution using NordLayer 

Site-to-Site lets users reach office-bound resources at HQ, their assigned office, or another company branch without being on-site. It is a type of VPN that establishes an encrypted connection to the requested resource on the company network.

NordLayer’s cloud-based feature extends typical Site-to-Site capabilities: besides linking corporate sites and resources to each other, it lets both on-site and remote users reach any company resource on the network.


In other words, a user connecting to a single physical location through a virtual private gateway is effectively connected to all devices and resources behind that location’s router or firewall.

How does NordLayer’s Site-to-Site feature work?

The cloud-based feature can be enabled by connecting NordLayer’s virtual private gateway to the company’s router or firewall.

Moreover, cloud-based Site-to-Site makes it possible to configure a dedicated VPN server that connects to cloud service providers such as Amazon AWS, Google Cloud, or Azure.

Users with VPN access, whether in a branch office, at HQ, or remote, can connect to the company network and reach the added internal resources and the on-site devices behind the router/firewall, even devices that cannot run a VPN client themselves.

Connection scenarios illustrated in the original post (diagrams not reproduced): a remote user, a user in a company branch, and a user at HQ.

NordLayer’s Site-to-Site feature requires configuring virtual private gateways and the physical locations behind them. Once that is in place, the VPN connects users to the local company network and gives them access to company resources such as applications, data, computers, or printers.

The same logic applies to users reaching the company’s cloud service provider resources. Once the VPN tunnel is established and the router/firewall is configured for IKEv2 Site-to-Site with a static public IP address, employees can reach those resources regardless of their location.

In short, suppose an employee needs customer information stored in a database at HQ and an email server located in a branch office on another continent, and needs to print the result while working from home. All of that is reachable through NordLayer’s Site-to-Site VPN functionality.
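The router/firewall side of that IKEv2 tunnel, as an added illustration that is not NordLayer’s own documentation or configuration: a strongSwan swanctl.conf for a branch firewall with a static public IP peering with a VPN gateway. The addresses (203.0.113.10 and 198.51.100.20, both documentation ranges), the LAN prefixes and the pre-shared key are placeholders; the real gateway address, proposals and authentication method come from NordLayer’s Control Panel and may differ.

```conf
# /etc/swanctl/swanctl.conf on the branch firewall (strongSwan 5.x, swanctl).
# Added example; all addresses, prefixes and the PSK are placeholders.
connections {
    branch-to-gateway {
        version = 2                     # IKEv2 only; never fall back to IKEv1
        local_addrs  = 203.0.113.10     # this site's static public IP (placeholder)
        remote_addrs = 198.51.100.20    # the VPN gateway's public IP (placeholder)

        # AEAD cipher, SHA-384 PRF and a 384-bit EC group; no legacy 3DES/SHA1/modp1024
        proposals = aes256gcm16-prfsha384-ecp384
        rekey_time = 4h                 # IKE SA lifetime
        dpd_delay = 30s                 # dead peer detection; the child decides what to do

        local {
            auth = psk
            id = 203.0.113.10           # identity the peer must see from us
        }
        remote {
            auth = psk
            id = 198.51.100.20          # pin the peer identity; anything else is rejected
        }

        children {
            office-lan {
                local_ts  = 10.10.0.0/16            # LAN behind this firewall (placeholder)
                remote_ts = 10.200.0.0/16           # user/resource range on the gateway side (placeholder)
                esp_proposals = aes256gcm16-ecp384  # PFS: a fresh ecp384 exchange on every CHILD rekey
                rekey_time = 1h
                start_action = start                # bring the tunnel up at load time
                dpd_action = restart                # re-establish when the peer stops answering
                close_action = start                # re-establish if the peer closes it
            }
        }
    }
}

secrets {
    ike-branch-gateway {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        # Generate with: head -c 32 /dev/urandom | base64 ; never reuse across peers
        secret = "REPLACE-WITH-A-LONG-RANDOM-PRE-SHARED-KEY"
    }
}
```

Load and check it with `swanctl --load-all`, then `swanctl --initiate --child office-lan` and `swanctl --list-sas`. Two practitioner caveats: the firewall in front of the tunnel should accept UDP/500, UDP/4500 and ESP only from the peer’s static IP, which is exactly what the static address makes possible; and a PSK is a shared long-term secret, so where the gateway supports certificate authentication (`auth = pubkey`), prefer it.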

How is NordLayer’s Site-to-Site different?

Companies with a traditional WAN have a hub-and-spoke architecture in which every business unit, remote location, and corporate resource connects to one central point.

Such organizations rely on extensive legacy Site-to-Site architectures: employees connect to the network’s central point and from there reach internal resources at other locations. This delivers interconnectivity but lacks remote flexibility and has downsides for network performance, efficiency, and scalability.

NordLayer was built as an alternative to legacy Site-to-Site, offering a simpler and more flexible answer to the general downsides of legacy networking. Functionally, the difference between a legacy setup and a cloud-based remote network access solution lies in removing the limitations of traditional Site-to-Site.

The cloud-based NordLayer solution handles the legacy-infrastructure challenge of growing remote connections by integrating quickly with the existing architecture. It turns the performance, efficiency, and scalability limitations into advantages:

  • Decreased deployment time and expenses. The NordLayer solution is fully hardware-free and compatible with hardware-based or hybrid existing infrastructures. Functionality can be deployed within minutes without large costs or long delivery times, which shortens time-to-value for the organization.

  • Maintained security and productivity levels. NordLayer Site-to-Site routes encrypted user traffic to the requested company resource according to the nature of the request, instead of funneling all users through a primary connection point and redistributing them to resources afterwards, so connection quality is not affected.

  • User traffic distribution. The feature reduces the heavy traffic load by directing users to internet resources, internal data centers, servers, or applications in a more streamlined manner. Peaks in remote user traffic therefore do not degrade performance the way they do in a traditional Site-to-Site setup.

  • Efficiency and scalability. Distributing user traffic significantly reduces the load on on-site equipment and the ad-hoc pressure to upgrade it. Cloud-based Site-to-Site functionality instead lets the company scale on demand without resource-intensive planning.

The feature raises team performance in business operations that depend on Site-to-Site. NordLayer’s cloud-based feature removes the hardware and distance constraints, bringing efficiency to secure data sharing and authorized access to on-site devices within the organization, even when being physically present is impossible.

Benefits of Site-to-Site VPN 

Primarily, Site-to-Site VPN allows connections that are not limited to the office. The VPN enables secure data transfers and trusted user activity between the on-premises network and remote users connecting over the public internet.

Implemented on top of your existing infrastructure, NordLayer Site-to-Site unlocks effective and robust cybersecurity measures across various parts of the organization.

Increased network security

Sensitive data and confidential information are the target of most cyber attacks. Encrypting data transfers between organization members over Site-to-Site, whether they are in the office or remote, helps safeguard against data breaches.

Streamlined business operations

Team performance depends heavily on the availability and capacity of the company network. The Site-to-Site feature maintains good speed and a stable traffic flow, giving users quality connectivity and constant access to the resources that business continuity depends on.

Flexible and scalable protection

A hardware-free Site-to-Site configuration is a useful add-on to the existing company network, even a largely hardware-based one. The time from reaction to action when solving ad-hoc challenges is many times shorter. It requires minimal resources and provides a solution tailored to business needs within minutes.

Entering NordLayer’s Site-to-Site

The NordLayer solution provides a modern Site-to-Site VPN. The feature allows on-site and remote employees to access data and devices across multiple corporate environments.

To enable Site-to-Site VPN for the organization with our remote network access solution, IT admins follow a few simple steps. First, they create VPN gateways in the Control Panel as entry points into the network, then assign teams or role-based employees to each gateway so those users can enter the company network. Site-to-Site has to be configured for every company unit so that teams can cooperate seamlessly.

With fewer systems to manage, unlimited scalability, flexibility, and easy setup, companies can ensure smooth and productive connections for their users while maintaining a high security level for the business.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Why on-prem backup for Azure Active Directory isn’t enough

And 5 reasons why you should back up Azure AD in the cloud 

Imagine a busy city with multiple roads leading to various destinations, such as a hospital, a shopping mall, and a stadium. Just like a traffic light controlling the flow of vehicles to and from these destinations, Active Directory (AD) and Azure Active Directory (AAD) control the flow of and access to information from apps and services such as Microsoft 365, Salesforce, Google Workspace, and others. Organizations rely heavily on AD and AAD to ensure a smooth flow of and access to their data.

 

However, just as a city experiences traffic jams, frustration, accidents, and general chaos when the traffic lights are out, when AD or AAD is not accessible, the loss of control-plane information and of access to it can cause severe business disruption. This post will explore the importance of data protection for Azure AD.

The evolution of identity management: From Active Directory to Azure AD and the need for different backup solutions

But first, how did we come to rely so heavily on AD and AAD? Active Directory was introduced in 1999 as a solution for on-premises identity management, providing a centralized repository for user and device information and allowing administrators to manage these resources effectively and efficiently.

As the use of cloud-based services grew, the need for an identity management solution that could integrate with cloud-based resources became more important.

 

This led to the creation of Azure Active Directory, which was designed to serve as the bridge between on-premises and cloud resources, not only creating a seamless and secure identity management solution for cloud computing, but also offering a range of features and capabilities (including single sign on, multi-factor authentication, and conditional access) to help organizations meet their security and compliance requirements.

 

Microsoft Azure Active Directory and Active Directory seem to be a bit shrouded in mystery. For many, the distinction between them is not always clear, and this distinction becomes even more blurred when it comes to the topic of backing up and protecting the data within each.

 

Instead of covering all the differences between AD and Azure AD, this post will mainly focus on backup for Azure AD, and it will explore five ways in which AAD requires a different backup solution from the traditional backups used for on-premises AD. Before we can do that though, we need to quickly establish — roughly — what the difference is.

 

What’s the difference between AD and AAD?

As Stephen Covey put it, “the main thing is to keep the main thing the main thing.” That quote might make more sense if you consider the key difference between cloud and on-prem AD to be the main thing… and in this case, the main difference between the two is that Active Directory is designed for managing user access and application infrastructure for an on-premises world; Azure Active Directory is for managing user access to cloud applications in a cloud-based environment.

Even more simply? Sure: AD is on prem, AAD is cloud based.

If you’re interested in exploring the differences further, here’s what Microsoft has to say: Compare Active Directory to Azure Active Directory.

Every object in either AD or Azure AD has one permanent home. That’s the primary copy of the object, and the copy to which changes are applied. If you are on-prem-only, or cloud-only, then there’s only one copy of each object.

In hybrid mode, though, no matter where the object is homed, there will be two copies of it: the primary copy and a synchronized copy on the “other side.”

 

For organizations using both Active Directory and Azure AD in a hybrid environment, you can think of the cloud copy of an on-prem object as a shadow. When you look at a shadow on the pavement, you only get a partial set of information about the real object. In the same vein, Azure AD only holds a partial set of attributes of on-premises AD objects, because not every attribute is replicated to the cloud. Cloud-born Azure AD objects, on the other hand, are stored in full in the cloud. This allows organizations to use Azure AD as an identity provider for on-premises resources and enables SSO for cloud-based resources.

How does this distinction change backup strategy?

Where (in which environment) your identity objects are homed is paramount. On-premises Active Directory backup is exactly that: a backup of on-prem data made by copying it to an on-premises solution. Azure Active Directory, a cloud-based application working on cloud-based data (and metadata), creates and manages its data in the cloud.

 

Why it matters: Comprehensive data coverage requires the ‘right’ backup

 

“Some” Azure AD data and metadata exist only in the cloud. You could copy these objects to an on-prem storage location (roughly as useful as putting backup tapes on top of the server they were made from), but they must be restored to the cloud.

With such clear gaps in coverage, the data and metadata are not protected holistically. Your data may not be fully protected if you use an on-premises, Active Directory-oriented tool as your Azure AD backup solution.

In other words: what’s homed on premises and what’s homed in the cloud are physically separate. You introduce new problems for yourself when you cross the streams, including speed of access, data fidelity and quality, and security.

 

Let’s dive into five reasons why on-prem AD backup is not a viable option for comprehensive backup of Azure AD.

 

5 things you should consider if you’re backing up AAD on premises

 

1. Some attributes in Azure Active Directory are not available on premises

If you take an on-prem AD account and sync it to the cloud, the sync process (and Azure AD) adds some attributes to it. Some of these may be synced back to on prem (a process called writeback) but some will not. Backing up Azure AD captures these; backing up the on-prem AD won’t.

 

2. Azure AD may have user objects or attributes that do not exist on premises

You can define your own users, groups, roles, and so on that exist only in the cloud. If you do not back these up independently, they are neither preserved nor protected, and your only recourse is to recreate and define these custom entries from scratch every time.

 

And yet not everyone sees the value in protecting these objects when their identity management (IdM) anchor is on prem. Even if an organization’s IdM anchor is on premises, objects and attributes like Intune and conditional access policies are important for several reasons, often forming a key part of organizations’ zero trust security, and, as such, need to be protected against loss or damage. (Read our article on the zero trust principle here.)

Still not convinced of the value of protecting control-plane objects? Here are five reasons highlighting the case for securing data protection:

 

  • Cloud-based management: Intune and Azure AD Conditional Access are cloud-based services that can be managed from anywhere. They have no on-premises copy, so if you lose the copy in the cloud, it’s gone.
  • Security: Azure AD provides additional layers of security, such as multi-factor authentication and identity protection, that can help to protect against potential security threats such as compromised credentials or unauthorized access.
  • Compliance: Intune and conditional access can help organizations meet compliance requirements, such as HIPAA by providing features such as device compliance and role-based access control.
  • Scalability: Azure AD allows organizations to scale their IdM infrastructure as needed, without the need for additional hardware or software.
  • Remote work: Intune and conditional access can help organizations to secure and manage remote workers’ devices, even if they are not connected to the on-premises network.

 

Now are these objects and attributes vital to operations? You can decide for yourself. But, considering the impact that could result from losing these in one data loss scenario or another (and the resource investment required to manually recreate and administer them, not to mention the security concerns of not ensuring the right users have the permissions to access company data), adequate data protection of these should be a business imperative.

 

3. Azure AD will have configuration/state objects that don’t exist on prem

Enterprise apps, app registrations, Conditional Access (CA) policies, and many other policy- and security-related objects exist only in the cloud. Microsoft’s native protection for these objects is mostly non-existent — delete a conditional access policy, for example, and it’s just gone. Let’s drill down into two important-to-protect Azure AD features:

  • Conditional Access: Azure AD Conditional Access is a feature that allows you to set policies that determine how users are granted access to resources based on conditions such as device compliance, location, and user identity. It allows you to control who can access your resources and under which conditions. This feature can be used to protect against security threats, such as compromised credentials, by requiring multi-factor authentication or other forms of authentication.
  • Intune: Intune is a mobile device management (MDM) and mobile application management (MAM) service that is integrated with Azure AD. This feature allows you to manage and secure mobile devices, desktops, and apps, including those used by remote workers. It allows you to set policies for devices and apps, such as requiring a passcode or encrypting data, and to remotely wipe a device if it is lost or stolen.

What about a recycle bin? Because these AAD-only configuration/state objects exist only in the cloud, there is no recycle bin for these policy objects, so there is no undo. Deleting one is an immediate hard delete, with none of the 30-day grace period that soft deletions get.

How to recover from hard deletion? Microsoft shares that “hard-deleted items must be re-created and reconfigured. It’s best to avoid unwanted hard deletions.”

Let that sink in for a moment: “It’s best to avoid unwanted hard deletions.” This advice is nearly impossible to follow, since common data loss scenarios like accidental deletions are a question of when, not if. It highlights that the recycle bin was never intended as a replacement for a dedicated backup. Read our post on why backup is a risk-management imperative here.

 

4. Record preservation

How long does Azure AD store reporting data? That’s a very good question: According to Microsoft, activity reports are stored as follows:

As you can see, there is no point-in-time record preservation. With a backup, you can preserve and review cloud-only Azure AD data at a specific point in time, examine which permissions, users, groups, and role assignments existed in your directory and whether an object changed within a given period, and keep these records for as long as company or governmental policy requires. These benefits are clearly useful for forensic purposes, but also for governance and compliance. Learn more in our eDiscovery post (with a customer Office 365 use case).
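What reasons 3 and 4 amount to in practice is keeping your own dated exports of cloud-only objects and comparing them. The script below is an added example, not Keepit’s or Microsoft’s code: it diffs two point-in-time snapshots of Conditional Access policies and rebuilds the body needed to re-create a hard-deleted one. It assumes each snapshot is a list of objects shaped like the Microsoft Graph GET /identity/conditionalAccess/policies response (id, displayName, state, conditions, grantControls); the two snapshots are constructed sample data, not a real tenant export.

```python
"""Point-in-time snapshot diff for Azure AD Conditional Access policies.

Added example (not Keepit's or Microsoft's code). Snapshots are assumed to
be lists of policy objects shaped like the Graph conditionalAccess/policies
response. SNAPSHOT_OLD / SNAPSHOT_NEW are constructed sample data.
"""
import json
from copy import deepcopy

# Graph bookkeeping fields that change on every write; not worth reporting.
IGNORED_KEYS = ("createdDateTime", "modifiedDateTime")

# Constructed "yesterday" export: two enabled policies.
SNAPSHOT_OLD = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# Constructed "today" export: the MFA policy was switched off (the previous
# version is simply overwritten, no recycle bin) and the legacy-auth policy
# was deleted outright (a hard delete).
SNAPSHOT_NEW = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Require MFA for all users",
        "state": "disabled",
        "conditions": {"users": {"includeUsers": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def index_by_id(policies):
    """Map policy id -> policy so snapshots compare by identity, not position."""
    return {p["id"]: p for p in policies}


def changed_paths(old, new, prefix="", ignore=IGNORED_KEYS):
    """Return dotted paths whose value differs between two nested structures.
    Dicts recurse; lists are compared whole because order matters in Graph arrays."""
    if isinstance(old, dict) and isinstance(new, dict):
        paths = []
        for key in sorted(set(old) | set(new)):
            if key in ignore:
                continue
            paths.extend(changed_paths(old.get(key), new.get(key), f"{prefix}{key}.", ignore))
        return paths
    return [] if old == new else [prefix.rstrip(".")]


def diff_snapshots(old_policies, new_policies):
    """Classify every policy id as added, deleted, changed or unchanged.
    'changed' carries the differing paths (e.g. 'state',
    'grantControls.builtInControls') so a reviewer sees what an edit touched."""
    old_idx, new_idx = index_by_id(old_policies), index_by_id(new_policies)
    result = {"added": [], "deleted": [], "changed": {}, "unchanged": []}
    for pid in sorted(set(old_idx) | set(new_idx)):
        if pid not in old_idx:
            result["added"].append(pid)
        elif pid not in new_idx:
            result["deleted"].append(pid)
        else:
            paths = changed_paths(old_idx[pid], new_idx[pid])
            if paths:
                result["changed"][pid] = paths
            else:
                result["unchanged"].append(pid)
    return result


def restore_payload(snapshot, policy_id):
    """Rebuild the JSON body for POST /identity/conditionalAccess/policies,
    i.e. re-create the policy as Microsoft's guidance for hard-deleted items
    requires. The read-only id is dropped because Graph assigns a new one."""
    policy = deepcopy(index_by_id(snapshot)[policy_id])
    policy.pop("id", None)
    return policy


if __name__ == "__main__":
    print(json.dumps(diff_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW), indent=2))
    print(json.dumps(restore_payload(SNAPSHOT_OLD, "22222222-2222-2222-2222-222222222222"), indent=2))
```

Run against the sample data, the diff reports the MFA policy as changed at `state` and the legacy-authentication policy as deleted; the restore payload for the deleted policy is what you would POST back. A real export would be pulled from Graph on a schedule and stored with its timestamp, which is what gives you the point-in-time view the text describes.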

5. Microsoft doesn’t provide native protection for many cloud-only objects

Microsoft doesn’t provide the same recovery tools in Azure AD as they do for Active Directory itself. According to Microsoft recoverability best practices, it’s clearly important to understand the object types that are protected by Microsoft under soft-deletion and hard-deletion scenarios, visualized here:

The recovery features for soft deletions are typically limited to 30 days retention, so if you want to recover on day 31, it’s too late! The data is gone, as Microsoft shares here in its Azure Active Directory fundamentals:

Soft-deleted objects are hard deleted after a deletion time of 30 days. The only object types that support a soft delete are Users, Microsoft 365 Groups, Application registration, Service principal, administrative unit.

 

So, the question is this: Are these objects that are automatically hard deleted important to your business operations? And a natural follow-up question is this: Is the 30-day restore period for soft-deleted objects enough protection for your data? (Often, mandatory minimum data retention periods are determined by governments.)

Note: changes are not covered by the recycle bin either. Editing or overwriting an object, even one of the types that would normally be soft deleted, replaces the previous version with no option to revert or recover. When such changes are made accidentally we euphemistically call them an “oops,” but they are serious and in fact one of the leading causes of data loss, so this gap in coverage should concern anyone tasked with data protection.
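The 30-day window quoted above is worth watching from the other side: once a soft-deleted user or group passes day 30 it is purged, and only an external backup can bring it back. The script below is an added example, not Keepit’s or Microsoft’s code. It assumes the input is shaped like a Microsoft Graph GET /directory/deletedItems/{type} response (@odata.type, id, displayName, deletedDateTime); the entries and the fixed “now” are constructed sample data, and the list of soft-deletable types is taken from the Microsoft statement quoted in the text.

```python
"""Track the 30-day soft-delete window for Azure AD objects.

Added example, not Keepit's or Microsoft's code. Input is assumed to be
shaped like Graph's /directory/deletedItems response; the entries below
are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

SOFT_DELETE_DAYS = 30

# Object types that get a soft-delete window at all (from the quoted Microsoft
# text). Anything else, such as a Conditional Access policy, is hard deleted at once.
SOFT_DELETABLE = {
    "#microsoft.graph.user",
    "#microsoft.graph.group",               # Microsoft 365 groups only
    "#microsoft.graph.application",
    "#microsoft.graph.servicePrincipal",
    "#microsoft.graph.administrativeUnit",
}

# Constructed sample: a user deleted 28 days ago and a group deleted 3 days ago,
# relative to a fixed "now" so the result is reproducible.
NOW = datetime(2023, 6, 30, 12, 0, tzinfo=timezone.utc)
DELETED_ITEMS = [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1",
     "displayName": "Alice Example", "deletedDateTime": "2023-06-02T09:30:00Z"},
    {"@odata.type": "#microsoft.graph.group", "id": "g-1",
     "displayName": "Finance", "deletedDateTime": "2023-06-27T08:00:00Z"},
]


def parse_graph_time(value):
    """Graph returns UTC timestamps with a trailing Z, which
    datetime.fromisoformat only accepts from Python 3.11 onwards."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def purge_deadline(item):
    """Instant after which Graph hard-deletes the object; past this point only
    a third-party backup can restore it."""
    return parse_graph_time(item["deletedDateTime"]) + timedelta(days=SOFT_DELETE_DAYS)


def supports_soft_delete(odata_type):
    """True if deleting this type lands it in the 30-day window at all."""
    return odata_type in SOFT_DELETABLE


def expiring_soon(items, now, warn_days=3):
    """Return (id, displayName, hours_left) for items whose window closes
    within warn_days, most urgent first. Already-purged items are reported
    with hours_left <= 0 rather than silently dropped."""
    report = []
    for item in items:
        hours_left = (purge_deadline(item) - now).total_seconds() / 3600
        if hours_left <= warn_days * 24:
            report.append((item["id"], item["displayName"], round(hours_left, 1)))
    return sorted(report, key=lambda r: r[2])


if __name__ == "__main__":
    for obj_id, name, hours in expiring_soon(DELETED_ITEMS, NOW):
        print(f"{name} ({obj_id}): {hours} h until permanent deletion")
```

With the sample data, only the user deleted 28 days ago is flagged (about 45 hours left); the group still has weeks. In production you would feed the function the live deletedItems listing and page it on a daily schedule, which is also the natural point at which to copy the object out to your own backup before the window closes.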

The writing on the wall is that native coverage is insufficient for comprehensive, recoverable protection, and that the answer to this gap is having your own third-party backup, which lets you recover these objects for as long as the backup exists.

Explore this in more depth here: Azure Active Directory recoverability best practices from Microsoft.

What’s Next? Choosing a Backup Solution for Azure Active Directory

Now that we’ve highlighted the need for dedicated cloud data backup for Azure AD, let’s explore what Keepit provides with its Azure AD service offerings (one of which — Azure AD Standard — is offered completely free of charge). 

 

Leading AAD data protection for your cloud security strategy

Keepit helps you recover business-critical identity and application objects that Microsoft doesn’t protect. Extend your retention period and strengthen security with protection of policies as well as full auditing and traceability of changes. Protect against day-to-day data loss and improve IT efficiencies with the ability to roll back changes and speed up troubleshooting.

Azure Active Directory Backup Coverage 

The Azure AD connector protects the following Microsoft 365 Azure Active Directory objects: Users, Groups, Administrative Units, and Roles. It also protects Audit logs (and Sign-in logs with audit logs enabled). 

For an exhaustive coverage list, visit our AAD support site here

 

Interested in Backing up (and Restoring) Azure AD with Keepit for Azure AD? 

To learn more about how you can protect your business-critical data and ensure disaster recovery resolve with Keepit for Azure AD – the leading protection for your cloud security strategy – click here


About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in cloud-to-cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Is Google Drive secure?


Privacy is freedom from unwanted or unpermitted observation. When we talk about data privacy, we usually mean personal data privacy: the expectation that our personal information is not shared without our consent.

Personal data

Data is another word for information. When we call it “data,” we usually mean digital traces of that information. When the data is categorized as personal, it’s about us. In this section, we’ll cover four types of personal data:

  • Personally identifiable information (PII)

  • General or biographical personal data

  • Behavioral data

  • Biological data

Personally identifiable information

Personally identifiable information (PII) is any piece of information that can be tied directly to you. Your full name, passport number, home address, and email address are all examples of personally identifiable data.

Your LinkedIn profile, your Amazon account, and most apps on your phone are all rich sources of personal data. Chances are you have trusted the internet with your personal data hundreds if not thousands of times, each time you ticked “agree” on a terms and conditions checkbox. But you are not the only source of your personally identifiable information.

PII can also be financial or medical in nature. For example, your credit card number and health insurance beneficiary numbers also qualify.

In general, formal distinctions between types of data are useful insofar as they relate to data privacy legislation, which depends on where organizations and their clientele are located.

In the United States, personal medical data held by HIPAA-covered entities is a distinct category called protected health information (PHI). Dates of medical procedures, your birthday, and medical record numbers are formally PHI so that HIPAA can protect them.

Biographical data

Biographical data, sometimes simply called “personal data,” is more general. This category covers data collected about you that is not specific to you and only you.

Your ethnic background, religion, country of residence, and workplace are some examples. Though not identifying on its own, you may still consider some of this information private, especially when it is stored alongside PII.

Behavioral data

What you do online can also become part of your personal data when it is quantified and collected. Websites generally need fewer or no permissions from you when the collected data is anonymized. Most often they collect it for marketing purposes.

Biological data

What you are is also data. Beyond what you look like in pictures or on video, the unique physical characteristics that can identify you, such as your bone structure, fingerprints, or the patterns in your iris, are called biometrics. Because they are unique to you, biometrics are always PII, and that same uniqueness is what makes them usable for authentication.


As you can tell, when personal data points are combined, they can paint a detailed picture of who you are and what you do — both online and in life.


Beyond the personal: other types of private data

When we move away from what is strictly personal, a broader conversation about data privacy inevitably touches on “sensitive data,” which can apply to any information that individuals or organizations want to keep from becoming public.

Usually, calling data sensitive indicates its high value, both to its owners and to others, including cybercriminals.

  • Individuals may have vastly different definitions of private or sensitive data. Examples could include family photos, journal entries, text messages, or an unfinished manuscript.

  • For government organizations, sensitive information might pertain to national security, for example, the location of a military base.

  • Private businesses might consider their secret sauce recipe, product strategy plans, or contracts to be sensitive data.

However, just like protected health information, what’s considered sensitive data can also be a formal category that is defined by the law.


Data privacy and data security: What’s the difference?

The terms data privacy and data security are sometimes used interchangeably and occasionally incorrectly, which makes it difficult to know which situations they apply to. So before we dive deeper, let’s set the record straight.

  • Privacy, as we discussed in the first section, is about concealing information about you or what you do. Curtains on your window provide privacy even when people know where you live. Online, a VPN works the same way. By encrypting your connection to the internet, it hides your browsing activity from your ISP and anyone else on the local network, and replaces your IP address with the VPN server’s so that websites no longer see your location. The VPN provider itself still sees your traffic, so its logging policy matters.

  • Security is protection from, or resilience against, threats. Steel roller shutters on storage lockers and store windows (sometimes called “hurricane shutters”) provide both privacy and security.

  • Cybersecurity is protection against digital threats and mitigation of their damage. This term can also be applied to systems, networks, and programs. A password manager protects your online accounts, for example, by making it much more difficult for cybercriminals to gain entry by exploiting weak and reused passwords.

  • Information security (also called data security) refers specifically to the protection of data or information. Because data is largely kept in digital spaces, you can interpret information security as a subcategory of cybersecurity. NordLocker’s encrypted cloud bolsters both cybersecurity and information security.

  • Online privacy and digital privacy are broad terms that usually refer to individuals’ data privacy while online.

  • Digital rights refer to the application of human rights in the digital realm, which is very likely to involve privacy.


Why should you care about data privacy?

Practical concerns

To understand the importance of data privacy, it’s helpful to understand the risk of not having it. A violation of privacy involves your data being in the “wrong hands.” Who or what entity has taken your data and for what purpose determines the consequences of the breach.

Consequences for individuals

When your data is stolen or used without your consent by a malicious actor, it can be used to spy on you, manipulate you, discriminate against you, or steal from you. A malicious actor is not limited to cybercriminals: it can be any person or entity using your data in a way you have not agreed to.

The United States’ National Security Agency’s unlawful telephone records surveillance and the Facebook-Cambridge Analytica political advertising scandal are two memorable examples of large-scale data privacy violations that threatened civil liberties.

On a smaller scale, you may be personally targeted, either by someone you know or a financially motivated cybercriminal. For example:

  • Your online diary could be hacked by your frenemy, causing you embarrassment or reputational harm.

  • A cluster of your PII might be collected by a criminal to spoof your identity, subjecting you to a lengthy legal battle or piles of paperwork to restore it.

  • Your credit card number could be stolen, putting you on the hook for purchases you never made.

Consequences for businesses

Businesses share many of the same concerns as individuals, including reputational and financial losses, but on an even greater scale. A data breach that makes headlines can stay in the public consciousness long after it’s addressed. And that’s aside from the financial burden associated with recovery, which has reached an all-time high this year at $4.35M.

When businesses keep stores of personal data from clients or consumers, they carry an additional burden: respecting the law.

Failing to meet legislative compliance, otherwise known as breaking the law, can result in fines and, in some cases, jail time for executives. We’ll address this topic in detail in the next section.

Today, financially motivated cybercriminals are the biggest threat to businesses and institutions’ data privacy.

In recent years, the rise of ransomware — the criminal practice of holding access to files for ransom — has been of particular concern. Breaches caused by ransomware have grown an impressive 13% year over year, which is an increase greater than the last five years combined.

And to be clear, cyber threats are not only a risk to “big fish.” According to NordLocker’s own research, small and medium-sized businesses are the top targets of ransomware attacks.

In addition to “external threat actors,” businesses also have to be vigilant about the risk of “insider threats,” in other words, mistakes or mishaps involving their own employees.

Have you ever realized, only after pressing “send,” that you texted or emailed sensitive information to the wrong person? In a corporate context, this is called misdelivery, and it is among the top actions associated with data breaches caused by human error in 2022.

Privacy as a human right

On many occasions, a lack of privacy does not result in immediate danger or consequences. However, you might still want to protect it. If you value privacy for reasons beyond how useful it is — at preventing cybercrime, for example — that probably means you believe privacy has value in its own right.

The reasonable expectation of privacy has a long history, but the topic has renewed relevance today for a number of reasons.

For one, a dramatic evolution in information technology has all but necessitated that internet users pay more attention to this topic. Never has data been more available: our use of a growing number of web-connected devices means practically everything we do and say can be recorded. In parallel, it has never been easier to store, manage, and interpret that data.

What’s more, a series of now-infamous data privacy violations have brought the need to protect it into sharp focus. This year, global Google searches for “data privacy” hit their highest volume ever.

Before the concept of data privacy gained mainstream recognition, a European human rights organization founded Data Privacy Day to raise awareness. Data Privacy Day is celebrated on January 28th and is observed by more than 50 countries, including the United States.

Objections to the need for data privacy

A common and very old objection to the right to privacy is the “nothing to hide” argument. It can be summarized this way: If you haven’t done anything wrong, you have nothing to hide. And with nothing to hide, you have no need for privacy.

Critics object to this argument. One counter-argument is that regardless of your personal feelings on privacy, it still makes sense to respect and protect others’ desire for privacy. Edward Snowden articulates this position with an apt analogy:


A more pragmatic argument supporting the right to privacy is that what and from whom you want to “hide” certain information can change over time.

At the top of this section, we discussed what can happen when data gets into the “wrong hands.” Depending on your country of residence, you might consider the government a trustworthy entity that always has its citizens’ best interests at heart. However, a new statesperson or law could change that.

In a tyrannical government, for example, legislation might be out of step with ethics. You may not be doing anything “wrong,” but that same action might still be punishable by law.


What laws govern data privacy around the world?

We can look at data privacy legislation in two ways. On one hand, you are the owner of data, in which case you are protected by the law whether or not you read the terms and conditions for every app you download.

On the other hand, you might be a keeper of data as well. Many professions involve working with or having access to personal or private data. In this case, you are bound by data privacy laws.

Since the 1990s, technology has evolved faster than legislation surrounding it. Even still, most countries have implemented, or are in the process of implementing, laws that protect personal data. That is, at least in part, because consumers demand it.

What these laws have in common is their goal: to compel businesses to provide more transparency and agency to individuals over the data that is collected about them.

Usually the legislation defines:

  • Which kinds of data are protected by law

  • How it can be collected

  • What counts as consent

  • For what purpose the data can be kept and used

Almost always, the laws are “extraterritorial” — they protect the data of residents of their country even when the businesses collecting data operate outside of that country. That means Europe’s data privacy law, the GDPR, applies to American companies when they are handling personal data from people living in the EU.

Where the laws tend to diverge is their degree of specificity, application, defined roles, and penalties. The following is merely a glimpse at some of the data privacy laws that exist around the world.

The United States

While lawmakers have made many endeavors, the US does not currently have a federal law concerning data privacy.

The most current iteration is a bill called the American Data Privacy Protection Act (ADPPA), which takes legislation of data privacy further than its predecessors.

Despite the US not having a general data privacy law, personal health and financial data is protected by HIPAA (The Health Insurance Portability and Accountability Act of 1996) and the GLBA (The Gramm–Leach–Bliley Act) respectively.

Without a federal law, personal data privacy legislation is up to each state. On this front, California’s data privacy law has led the charge. The CCPA (California Consumer Privacy Act) is similar to Europe’s robust GDPR.

Under the CCPA, consumers residing in California can bring civil action against businesses in the event of a data breach. The breaches must involve specific pieces of PII combined with the consumer’s name.

Since its enactment in 2020, three more states have followed suit with similar legislation. Virginia’s Consumer Data Protection Act (CDPA), Colorado’s Privacy Act (CPA), and Connecticut’s Data Privacy Act (CTDPA) will take effect in 2023.

Europe

The GDPR (General Data Protection Regulation) is arguably the most influential data privacy legislation in the world. It is robust in its protections and, especially at the time of its enactment, considered to be the toughest legislation protecting personal data privacy in the world. Since coming into force in 2018, it continues to inspire similar laws around the globe.

One of the hallmarks of the GDPR is the requirement for businesses to get express consent, “by a clear affirmative action” from their patrons for data collection. This requirement was a crackdown on marketing and sales initiatives that took for granted users’ consent to a business sending them emails or tracking their behavior with cookies.

In its 99 articles, the GDPR legislation defines the roles of “controller” and “processor” as well as their responsibilities.

The GDPR applies to all residents of countries in the European Union, including Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. Notably, unlike the state laws that specify data quantities or profit thresholds, small businesses are not excluded from the GDPR.

The penalty for a severe violation can reach 20 million euros or up to 4% of the business’ global turnover during the previous year, whichever is higher. In recent years, fines issued have increased, with tech giants among the hardest hit.

Because it is far-reaching and among the oldest laws of its kind, it is often used as a benchmark against which new data privacy laws are compared and contrasted.

Australia

Australia’s Privacy Act applies to government organizations and businesses with a turnover exceeding three million annually. In addition to personal information, the act regulates credit reporting, tax numbers, and medical data.

Belarus

Belarus’ Law on Personal Data Protection will enjoy its one year anniversary of enforcement on November 15, 2022. It is the country’s first law that pertains specifically to personal data protection. The law includes criminal penalties such as jail time for serious or intentional violations.

Brazil

Brazil’s General Data Protection Law, called the Lei Geral de Proteção de Dados (LGPD), is perhaps the best-known data privacy legislation in South America.

The law is very similar to Europe’s GDPR, but not identical. One key difference is data security regulation. The measures to protect data are less specific under the LGPD than the GDPR.

Canada

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since 2001. The act uses a broad definition of personal data that includes opinions, comments, and intentions.

While it has been updated through the years, many argue that it is due for a significant review. One complaint of the regulation is that its financial penalties are too low to compel businesses to comply.

The proposed Consumer Privacy Protection Act (CPPA), if passed, would represent a complete overhaul of the legislation including much harsher fines.

China

China’s Personal Information Protection Law (PIPL) came into effect in November of 2021. The PIPL has strict consent requirements, a generous definition of “sensitive data,” and harsh penalties. Fines can reach up to 5% of a business’ annual turnover, and any infringements may be recorded in the country’s social credit score.

Egypt

Like much of the legislation discussed already, Egypt’s Personal Data Protection Law (PDPL) is similar to Europe’s GDPR — with a few key differences.

In effect from October 2020, the PDPL sets shorter timelines for data breach notification and responding to subjects’ requests for access to their data. The former should be done in no more than three days, and the latter within six.

Additionally, for violations deemed both intentional and severe, jail time may accompany sanctions.

Japan

Enacted back in 2003, the Act on the Protection of Personal Information (APPI) was one of the first data protection laws in Asia. It has been dramatically amended since that time.

In 2019, Japan earned an “adequacy decision” from the European Commission, which determined that the law provides an equal amount of protection as the GDPR.

Similar to the GDPR, there is no small business exclusion. Financial penalties for violation max out at the equivalent of less than one million dollars, but may also include imprisonment.

Turkey

Turkey’s Law on the Protection of Personal Data (LPPD) defines four more legal bases for collecting personal data than the GDPR, for a total of ten. And while both the GDPR and LPPD require reporting data breaches to relevant authorities, the LPPD demands only a “reasonable” timeline, versus the GDPR’s stricter 72 hours.

Korea, Switzerland, the United Kingdom, and New Zealand have also received an adequacy decision from the European Commission, indicating that their data privacy laws are at least as strong as Europe’s.

Ukraine and Indonesia have both drafted data privacy legislation, but neither country has enacted it yet.

If a country has no dedicated or recent data privacy law, that doesn’t mean that it has no laws protecting personal data privacy. Rather, it means that online activities are subject to “offline” legislation.

However, because of the vast differences in scale and approach between data collection in person and online, laws that were written for the offline world tend to be less powerful when applied to the digital landscape. As a result, it is unlikely that they can offer as much protection to citizens.


What can you do to protect data privacy?

Protect yourself

One of the best ways to keep your data private is to limit the private information you share. In other words, before disclosing your private information to a website or app, stop to question whether you have a reason to do so. Be suspicious of requested permissions that seem irrelevant to the product or service you are using.

Assuming you don’t have a spare 250 hours a year to comb terms and conditions for every web service you use, you should only provide private information to apps and websites that you trust.

Finally, enhancing your cybersecurity can protect privacy — like putting a lock on a closed door. Excellent cyber hygiene can reduce the risk and mitigate the damage of having your data privacy violated through malware, spyware, phishing, and other types of cyberattacks.

Here are some simple steps you can take to keep your data private.


Protect your business

For organizations, the same data privacy principles discussed above apply but on an even larger scale. Why? Organizations handle more data and have a larger attack surface because of complex IT infrastructures. And since data is currency for cybercriminals, businesses are top targets — increasing the risk that any vulnerability will be promptly exploited.

For that reason, it might be helpful for businesses and organizations to consider addressing data privacy with a more holistic approach to information security.

A good place to start is by addressing the three core tenets of data security, known as the CIA triad: confidentiality, integrity, and availability.

  • Confidentiality is similar to privacy. It ensures that intruders or unauthorized members are kept out of your data.

  • Integrity protects the data itself from being altered or damaged.

  • Finally, availability ensures the data is not destroyed and that those who need access can get it.

How NordLocker can help

If the idea of a stranger rifling through your most private notes, documents, and photos gives you the heebie-jeebies, NordLocker can help you protect your personal data privacy. At work, NordLocker for business can help protect both the confidentiality and availability of your data.

NordLocker is a private vault with secure cloud storage for your data. It encrypts your data in an instant before syncing and backing it up — making your files readily available to you but out of reach to intruders.

With NordLocker, you are the owner of your data and no one, including us, can get access. That means your files are protected from cybercriminals, surveillance, malware (including ransomware), and anyone you don’t give access to.

The software is backed by the highest global security standards and uses:

With NordLocker, you can store and encrypt files of any type without being slowed down: simply drag and drop. Once your files are added, you remain in control, with the option to:

  • Save them locally or in your secure cloud storage

  • Organize files into lockers and folders

  • Share them privately whenever you like

  • Get access from anywhere

In addition, NordLocker for business provides access to your entire organization via a handy Admin Panel and the ability to manage it with customizable Groups, permissions, and sharing settings.


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLocker
NordLocker was developed by Nord Security, a global leader in all things cybersecurity.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.