Russian cybersecurity software maker Kaspersky Labs has announced it will be moving core infrastructure procedures to Zurich, Switzerland, as part of a switching announced last year to try to win back customer trust.
It also said it's arranging for the process to be independently supervised by a Switzerland-based third party qualified to conduct technical software reviews.
” By the end of 2019, Kaspersky Lab will have established a data center in Zurich and in this facility will store and process all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries to follow ,” it writes in a press release.
” Kaspersky Lab will relocate to Zurich its' software construct conveyer’ — a situated of programming tools used to assemble ready to use software out of source code. Before the end of 2018, Kaspersky Lab products and threat detecting rule databases( AV databases) will start to be assembled and signed off by a digital signature in Switzerland, before being distributed to the endpoints of clients worldwide.
” The relocation will ensure that all freshly assembled software can be verified by an independent organization, and show that software builds and updates received by clients match the source code provided for audit .”
In October the company unveiled what it dubbed a” comprehensive transparency initiative” as it combated suspicion that its antivirus software had been hacked or penetrated by the Russian government and used as a road for scooping up US intelligence.
Being a trusted global cybersecurity firm and operating core procedures out of Russia where authorities might be able to lean on your company for access has essentially become untenable as geopolitical concern over the Kremlin's online activities has spiked in recent years.
Yesterday the Dutch government became the latest public sector customer to announce a move away from Kaspersky products( via Reuters) — saying it was doing so as a “precautionary measure”, and advising companies operating vital services to do the same.
Responding to the Dutch government's decision, Kaspersky described it as “very disappointing”, saying its transparency initiative is” designed precisely to address any fears that people or organisations may have “.
” We are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing ,” the company adds in a detailed Q& A about the measures.” This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends. Having said that, the overall aim of these measures is transparency, checked and proven, which means that anyone with concerns will now be able to see the integrity and trustworthiness of our answers .”
The core processes that Kaspersky will move from Russia to Switzerland over this year and next — include client data retention and processing( for” most regions “); and software assembly, including menace detecting updates.
As a result of the shift it says it will be setting up ” hundreds” of servers in Switzerland and establishing a new data center there, as well as drawing on facilities of a number of local data center providers.
Kaspersky is not exiting Russia solely, though, and products for the Russian market will continue to be developed and distributed out of Moscow.
” In Switzerland we will be creating the' worldwide’( ww) version of our products and AV basis. All modules for the ww-version will be compiled there. We will continue to use the current software build conveyer in Moscow for creating products and AV basis for the Russian market ,” it writes, claiming it is retaining a software build conveyor in Russia to” simplify local certification “.
Data of customers from Latin American and Asia( with the exception of Japan, South Korea and Singapore) will also continue to be stored and processed in Russia — but Kaspersky says the list of countries for which data will be processed and stored in Switzerland will be” further extended, adding:” The current list is an initial one … and we are also considering the relocation of further data processing to other schemed Transparency Centers, when these are opened .”
Whether retaining a presence and infrastructure in Russia will work against Kaspersky's wider efforts to win back trust globally remains to be seen.
In the Q& A it claims:” There will be no difference between Switzerland and Russia in terms of data processing. In both regions we will adhere to our fundamental principle of respecting and protecting people’s privacy, and we will use a uniform approach to processing users’ data, with strict policies applied .”
However other pre-emptive responses in the document underline the trust challenge it is likely to face — such as a question asking what kind of data stored in Switzerland that will be sent or available to staff in its Moscow HQ.
On this it writes:” All data processed by Kaspersky Lab products located in regions excluding Russia, CIS, Latin America, Asian and African countries, will be stored in Switzerland. By default only aggregated statistics data will be sent to R& D in Moscow. However, Kaspersky Lab experts from HQ and other locations around the world will be able to access data stored in the Transparency Center. Each information request will be logged and monitored by the independent Swiss-based organization .”
Clearly the robustness of the third party oversight provisions will be essential to its Global Transparency Initiative winning trust.