Regulatory mandates add to the challenge that enterprises face when protecting customer data against intrusion and theft, as well as demonstrating to authorities that compliance requirements have been amply met. Legacy enterprise content management (ECM) systems may use a patchwork of security provisions across a disconnected collection of servers and networks. Within this type of fragmented environment, data subject to compliance regulations can be difficult to track, monitor, delete, and present in order to demonstrate compliance with local and international laws.

Not only is it necessary to make sure that data is protected throughout its lifecycle—in use, in transit, and at rest—but some regulations also require that an individual’s private data be removed from the system after a certain time. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) are two early examples of regulations that give consumers the right to be forgotten, and at least fifteen other US states are considering similar consumer privacy legislation.

Failing to respond adequately to cybersecurity threats and compliance mandates often results in costly breaches and fines. Accenture and the Ponemon Institute analyzed cybercrime trends and determined that the costs and consequences of cybercrime for an organization grew from $1.4 million to $13 million in the span of a year. Cyberattacks increased on average 11 percent in that same year, from 130 to 145. Over the five years analyzed, security breaches increased by 67 percent. After compiling estimated cybercrime costs, Accenture and the Ponemon Institute built an economic model to assess the global value at risk over a five-year span, and determined that the value at risk from direct and indirect cyberattacks cumulatively amounted to $5.2 trillion.

Better Record-Keeping is Needed

Certain kinds of organizations—such as those engaged in financial or healthcare services—have long-term record-keeping requirements to protect and preserve customer data at a precise, granular level. The traditional physical means of record-keeping—printed statements, billing information, benefit descriptions—have been eclipsed by digital transformation. Within a modern digital environment, enterprises are discovering that the right platform and better management tools can serve as a strong foundation for meeting the challenges of security and compliance.

Compliance today requires having greater management controls over content residing in the cloud or on premises. Reliable services for governing data, managing retention, and ensuring data protection are vital both from a regulatory standpoint and as best practices for doing business. A Content Services Platform (CSP) offers an effective means to unify disparate systems and data so that security provisions can be systematically implemented at whatever level is needed to ensure compliance. As businesses increasingly rely on microservices running in the cloud for enhancing processes and introducing new business offerings, a modern-platform-based architecture for protecting data and meeting mandates offers substantial benefits.

Peerless Availability and Reliable Continuity

Secure content management takes place in Nuxeo Cloud, with content services running on Amazon Web Services (AWS). The built-in security framework is validated by third-party auditors, and exceptional service availability—99.9%—is achieved across this infrastructure. To keep mission-critical operations continuously available, full disaster recovery is part of the service, ensuring organizational continuity. Globally distributed data centers contribute to fast access to content and provide the capabilities needed to address regional data sovereignty requirements.

Maintaining effective security is always an evolving challenge, as new threats and malware apps emerge on a frequent basis. Nuxeo works closely with the open-source community, participating in projects such as Okta AWS CLI, IvoryShield, and AWS SMTP Relay to identify risks and implement appropriate measures to protect organizational data.

Fulfilling Compliance Requirements with Nuxeo Retention Management

Managing documents and records in line with corporate policies, as well as legal requirements, is strengthened by the Nuxeo Retention Management module. Complete control over each document’s lifecycle is maintained, determining whether to keep or delete documents based on usage rules that are linked to time, specific events, or metadata details.

For financial services organizations that must comply with U.S. Securities and Exchange Commission (SEC) Rule 17a-4, this add-on module to the Nuxeo Server also helps ensure mandates are followed for retaining, holding, and accessing records related to the trade or brokering of stocks, bonds, and futures. To learn more about this module, visit Nuxeo Retention Management.

Other security standards to which we adhere include:

  • PCI DSS - Specifies privacy and security protocols for protecting credit card holder data
  • SOC 2 - Establishes the Trust Services principles, as reported by the AICPA
  • GDPR - Regulates the collection and processing of the data of all EU citizens

Flexible, Rule-Based Security Policies

The Nuxeo approach to information security rests on four pillars: authentication of users, access control over all permissible data and content, content verification and encrypted protection, and robust audit trails detailing system activity.

Rule-based security provisions can be developed and administered easily through a pluggable interface that supports creation of customized security policies. Document metadata properties, group membership, and other factors can be used to implement policies. A flexible, secure Authentication Filter handles access from the web interface or the application programming interface (API) and can be customized by means of special-purpose authentication plugins.

(Figure: Nuxeo Security Schema)

The entire security package can be integrated as a Nuxeo Marketplace package. To stay ahead of security threats, we routinely perform security testing that includes bi-yearly penetration testing, automated scanning, and third-party audits.

Ultimately, the potential costs and repercussions from cybercrime, as well as possible damage to reputation, should motivate every organization to carefully evaluate its security policies. With strong, built-in security capabilities, Nuxeo delivers effective data protection and helps ensure compliance with important regulatory mandates.
Learn more about our approach to security and compliance.