Harness The Power of Data Centric Security to Overcome GDPR Challenges
Data privacy challenges associated with the GDPR and how organizations with complicated IT landscapes can overcome them with fit for purpose technology to achieve compliance and inspire trust.
What is the GDPR?
OVERVIEW
Applicable globally, to all industries and organizations, the General Data Protection Regulation (GDPR) is the European Union’s new legal
framework for the privacy and protection of its citizens’ personal data. Created with the intention of unifying data protection regulations within the EU and strengthening citizens’ rights to privacy and control of their personal data, there is less than 18 months for businesses as well as regulators to adapt their data protection practices accordingly by the May 2018 deadline. The GDPR raises the bar for any company or service provider that holds or processes personal data, requiring records of data processing activities, appointment of Data Protection Officers (DPOs), privacy impact assessments, enhanced transparency in terms of privacy notices and consent forms and the rights to be forgotten and portability. Data Controllers and Processors face stiff financial and reputational penalties for failure to comply. All use cases processing data pertaining to the privacy of EU citizens are affected by the GDPR. Any organization collecting and receiving EU personal data should thoroughly assess their responsibilities and consider the complexities of transferring data across borders in global ecosystems, capturing, holding and sharing information and identifiers about European individuals and their habits into data stores accessed via multiple screens in different countries.
IMPACT OF THE GDPR TO ORGANIZATIONS The GDPR applies to every company—even if they are established outside of the EU—that offers products and services to EU citizens. The GDPR is considered by many to be the gold standard in data security, and U.S. organizations in particular are considering how it could be adopted throughout the enterprise.
White Paper
PENALTIES
WHAT IS PERSONAL DATA? The definition of personal data from a European point of view is extremely broad, intended to cover any information directly and indirectly “relating to an identified or identifiable natural person (‘data subject’).”1
It can be anything from a name or an email address to, in a digital world, identifiers such as device IDs, IP addresses and even social or location data. In every industry, as big data projects and collection sources become increasingly complex, data gets merged together and something seemingly not sensitive certainly becomes so when other information is added to it. Every organization must be vigilant given the Regulation and the increase in data.
1 OJ L 119, 4.5.2016, p. 48.
Companies face fines of up to 4 percent of global revenues or €20 million, whichever is highest, for noncompliance of GDPR with significantly increased regulatory responsibilities for collecting, processing or storing EU personal data.
TOUGH PENALTIES: Fines up to 4% of annual global revenue or €20 million, whichever is greater. Additionally, the GDPR introduces a breach notification requirement. Applicable to Data Processors and Controllers in all industries and areas, incidents must be reported within 72 hours. Under the Regulation, notification of a breach of personal data is not required if the information was kept sufficiently secure. All organizations should thoroughly assess their ability to meet their obligations.
Data Security is a Requirement for GDPR Compliance
Designed with the intention of strengthening and unifying the multiple regional data protection regulations of the EU member states, each with limited reach, the GDPR recognizes the need for information to remain protected in a data-driven world that is virtually borderless. As a result, the regulation applies to personal EU citizen data globally regardless of where it flows, is stored or processed. The GDPR increases data protection requirements and liabilities of Data Processors while making Data Controllers responsible for the protection of individuals’ rights and the actions of the Processors they engage. Processors and Controllers face the onerous compliance burden of not only knowing what personal information exists within their organizations, but also where and how it is being accessed and used; with this knowledge they must then prove that it is appropriately protected “by design and by default” throughout its lifecycle.2 While the GDPR identifies the need for Data Controllers to “implement appropriate technical and organizational measures” to keep data protected from unlawful access, it is left to each organization to decide what that means in practice.3 The Regulation specifies that Data Controllers and Processors, “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” and organizations with, “the existence of appropriate safeguards, which may include encryption or pseudonymisation” will be enabled in their duty to prove compliant with the regulation’s requirements for lawfulness and security of processing personal data.4 Pseudonymisation means “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information” while encryption is considered to “render the personal data unintelligible to any person who is not authorised to access it.”5
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2, 3 OJ L 119, 4.5.2016, p. 48.
4 OJ L 119, 4.5.2016, p. 51, 37.
5 OJ L 119, 4.5.2016, p. 33, 53.
How Data-Centric Security Helps
Many companies rightly focus on data protection as a
means to address the challenges posed by the Regulation
but there is a general realization that it is no longer
sufficient to secure data silos in isolation because personal
information is proliferated to non-secure systems across the enterprise.
This is true for all technology silos: data warehouses, mainframe, traditional RDBMS, the Business Intelligence layer and applications on premise and in-cloud. While all offer some proprietary data protection, few can genuinely support today’s heterogeneous data architectures. Reality demands security across the enterprise and companies are mobilizing teams with the business, IT and data protection expertise required to find solutions.
One by design and by default approach to addressing the need to protect data wherever it is—at rest, in transit and in use—is data-centric security. Data-centric security is the concept of protecting data itself across the entire environment using encryption, tokenization, or pseudonymisation regardless of where it is stored. By centrally enforcing a privacy policy which consistently defines and controls by role, system and context how data is protected and accessed, personal information remains secure throughout the dataflow. Data-centric security addresses core aspects of the GDPR such as the breach notification rule by making data no longer identifiable to the person it pertains to.
The GDPR suggests encryption as one example among many methods for protecting data, but encryption requires a mathematical process which can be broken and users might experience some challenges when modifications to database schemas and application data structures are required.
[Figure: Data-centric security: encryption, tokenization, pseudonymisation]
An alternative method of pseudonymising data is tokenization, a reversible process that substitutes sensitive data with non-sensitive random values with no mathematical association. Tokenization can maintain data type and data length while protecting it, allowing legacy architecture underneath to be maintained and enabling secure data processing and analytics of personal data.
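The tokenization described above, as an added example that is not Protegrity's code or part of the original paper: a vault-based (lookup-table) tokenizer that replaces digits and letters with random characters of the same class, so length and layout survive and the only way back is the vault. `TokenVault`, `random_like`, `same_shape` and the `authorised` flag are hypothetical names, and the sample values are constructed.

```python
import secrets
import string

# Character classes a token may draw from; anything else (separators such as
# "-", "@", ".") is copied through so the token keeps the original layout.
POOLS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def random_like(value: str) -> str:
    """Return random characters with the same length and per-character class."""
    out = []
    for ch in value:
        pool = next((p for p in POOLS if ch in p), None)
        out.append(secrets.choice(pool) if pool else ch)
    return "".join(out)


def same_shape(a: str, b: str) -> bool:
    """True when two strings match in length and per-character class."""
    def classify(ch):
        return next((i for i, p in enumerate(POOLS) if ch in p), ch)
    return len(a) == len(b) and all(classify(x) == classify(y) for x, y in zip(a, b))


class TokenVault:
    """Lookup-table tokenizer: the vault is the only link from token to value."""

    def __init__(self):
        self._token_for = {}  # value -> token (a value always maps to one token)
        self._value_for = {}  # token -> value (used only for detokenization)

    def tokenize(self, value: str) -> str:
        if value in self._token_for:
            return self._token_for[value]
        if not any(ch in pool for ch in value for pool in POOLS):
            raise ValueError("value has no characters that can be substituted")
        for _ in range(1000):  # bounded retry in case of collisions
            token = random_like(value)
            if token != value and token not in self._value_for:
                self._token_for[value] = token
                self._value_for[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token: str, authorised: bool) -> str:
        # Hypothetical policy check standing in for role-based access control.
        if not authorised:
            raise PermissionError("caller may not re-identify this value")
        return self._value_for[token]


if __name__ == "__main__":
    vault = TokenVault()
    for sample in ("4111-1111-1111-1111", "anna.schmidt@example.com"):  # constructed
        token = vault.tokenize(sample)
        print(sample, "->", token, "| same shape:", same_shape(sample, token))
```

Because the token is random rather than derived from the value, the mapping table itself becomes the asset to protect: it needs the same access control and audit as the original data.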
Data-Centric Security Makes It Easier to Comply with GDPR Requirements
Pseudonymisation and encryption data security technologies are explicitly referred to several times within the language of the Regulation in relation to safeguarding personal data pertaining to EU citizens, particularly in these three circumstances:
1. Evaluating security risks and implementing measures to mitigate them
2. Using and protecting personal data beyond subject’s original consent
3. Rendering personal data unintelligible to any person not authorized to access it
Provision 83 of the Regulation specifically refers to implementing means such as encryption as a measure to mitigate risks:
(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected[...]6
6 OJ L 119, 4.5.2016, p. 16.
Other areas of the GDPR reference encryption and pseudonymisation as mechanisms for organizations to lawfully and securely process individuals’ personal information:
Article 6
Lawfulness of processing
4. […] the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.7
Article 32
Security of processing
1. […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data;8
Data-centric security helps satisfy these requirements with in-place tokenization or encryption of the data values themselves. Unique identifiers and names are replaced with unreadable values. The actual personal data values are replaced. As organizations determine their inventory of personal data, data-centric security can protect this information in a manner which not only meets the legal mandates of the regulation but provides the strongest protection possible.
7 OJ L 119, 4.5.2016, p. 37.
8 OJ L 119, 4.5.2016, p. 51.
Silo oriented security, such as disk or file based encryption, only renders the data container unreadable in situ; once the data is moved outside of the container for consumption or use, it is dependent on the new environment for protection. GDPR provisions, however, require that data is protected at rest, in transit and in use:
(83) […] In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.9
Data-centric security protects personal information at all times, and when utilized with strict policies that dictate who can see what data, where and when, it enables compliance with the GDPR’s personal data protection requirements.
An inherent advantage of employing data-centric security lies not only in compliance with regulatory statutes, but in the ease of implementation as it pertains to existing system infrastructure. While traditional encryption techniques such as AES-256 are highly effective in rendering data secure, the lack of format preservation requires recoding existing applications and modifying database tables—a very costly endeavour. Use of data-centric security such as tokenization or format preserving encryption provides the protection required by the GDPR while allowing existing applications and data storage to remain untouched. This allows for GDPR satisfaction with minimal impact to the organization.
The Regulation requires data processors to report all data breach incidents to data controllers. However, breach notification from data controllers to data subjects and the supervisory authority can be mitigated if data controllers can show “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Data is considered breached in circumstances where measures fail to prevent “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Data controllers are not required to notify data subjects of a data breach if they can adequately prove that the breached information will not cause physical, material or non-material damage to the data subjects by using technologies such as data-centric security:
9 OJ L 119, 4.5.2016, p. 16.
Article 34
Security of processing 3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.10
The regulation suggests appropriate safeguards to reduce risk to data subjects, but it is left to each organization to decide how they should be implemented to keep information protected from unlawful access within their increasingly connected IT ecosystems. In a data-first legislation, such as the GDPR, it is evident in the language that its priority is protection of EU citizen data everywhere it goes. In this context, data-centric security provides the ultimate satisfaction of the law by securing the data anywhere it goes across any political or geographical boundary or system.
10 OJ L 119, 4.5.2016, p. 17, 37, 53.
Why Protegrity
In this cloud-first, SaaS-ready era, data protection needs to move to the point of use to be effective in a world with only virtual boundaries—security focus needs to shift from the systems to the data itself.
Protegrity allows organizations with complex IT ecosystems to maximize security and compliance with the GDPR across all platforms without compromising day-to-day operations. High performing, scalable, and transparent, the Protegrity Data Security Platform integrates seamlessly with all applications, allowing businesses to meet stringent GDPR mandates while ensuring appropriate, quick, and easy access to critical data to those who need it.
[Figure: Enterprise Security Administrator and Data Protectors across applications, big data (Hadoop), databases, NoSQL, data center file servers, cloud, mainframes, SaaS and EDW. Functions: Assess (Know Data Flow), Protect (Close Data Gaps), Audit & Report (Track Usage & Alert)]
PROVEN DATA-CENTRIC SECURITY Organizations of all sizes use Protegrity’s data-centric security to protect sensitive data within their databases, files, and applications while leveraging centrally controlled data security policy, keys, and auditing to enable everyone involved—from the data security stewards creating policies for the access and use of data, to the CISO securing and protecting data assets and the analysts seeking data insights—to securely perform their duties by design and default. By managing how data is protected and accessed so it is appropriately protected everywhere, Protegrity simplifies compliance with increasingly demanding regulatory requirements, all while maintaining critical accessibility for infrastructure management and business insight.
MULTIPLE METHODS OF PROTECTION Protegrity provides a variety of GDPR compliant data protection methods for securing personal data, including patented Vaultless Tokenization, masking, strong encryption, data-type preserving encryption, and monitoring for anomalous behaviours. Masked or tokenized data embedded with business intelligence allow for secure storage of de-identified personal information and seamless analysis without the need to re-identify the data.
CENTRAL CONTROL Protegrity not only identifies personal data but also automates centrally enforced security policies across the enterprise to protect and control access to it—in transit, at rest and in use—allowing data security to be truly ‘by design.’ Native access control is combined with Protegrity’s central policy-level control and data protection for multiple layers of security. Protegrity’s Enterprise Security Administrator provides a Separation of Duties to isolate security administration to Security Officers, further ensuring data protection from external and internal (privileged user) threats.
FLEXIBLE DEPLOYMENT FOR ENTERPRISE AND CLOUD Designed for large and small deployments, Protegrity applies data security policies consistently across big data, databases, cloud applications, file servers, applications and more. Protegrity makes it easy to manage the security of various systems by integrating with Protegrity Data Protectors located at various endpoints. Protegrity enforces consistent, efficient security enterprise-wide, and unifies all auditing and reporting into a single interface.
SCALABLE PERFORMANCE Beyond the industry leading benchmarks for Protegrity’s unique vaultless tokenization, Protegrity also leverages parallel processing and clustering, where available, to provide strong, flexible security with optimal performance and availability. Vaultless Tokenization servers can be deployed directly on nodes to allow for high performance in process data tokenization with greatly reduced bottlenecks in performance and scalability.
PROFESSIONAL AND MANAGED SECURITY SERVICES Protegrity’s end-to-end data protection partnership starts with the highly skilled Professional Security Services to establish a corporate data protection strategy, followed by optimal strategy deployment and implementation. Protegrity’s continuous protection and impeccable support services maintain the highest level of data security after implementation.
Protegrity was born of the need to deliver a new kind of data security that is equipped to meet the challenges of modern enterprises: security that protects the data itself everywhere it goes while enabling businesses the freedom to transform and innovate with their data. The right balance between sophisticated data analysis and risk management can be achieved. Neither needs to be sacrificed. Data today is more than power – it is the lifeblood of the organization and needs to flow to the right data owners in realtime. If it can’t be mined and manipulated at or near real-time while still maintaining security and privacy, it’s not delivering maximum value. www.protegrity.com
Corporate Headquarters: Protegrity USA, Inc. | 5 High Ridge Park, 2nd Floor | Stamford, CT 06905 | Phone: +1.203.326.7200
Protegrity (Europe) | Suite 2, First Floor | Braywick House West | Windsor Road | Maidenhead, Berkshire SL6 1DN | United Kingdom | Phone: +44 1494 857762
Copyright © 2017 Protegrity Corporation. All rights reserved. Protegrity® is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners.