There is a lot of heated debated about the GDPR (General Data Protection Regulation) – is it a Y2K damp squib or PPI/Libor/Forex all over again?
The General Data Protection Regulation is more certainty much more than Information Security and Privacy-by-Design which are just table stakes in the future.
The Regulation covers:
- the right to be informed of personally identifiable information gathered and processed
- the right of access to personally identifiable information
- the right to rectification of mistakes
- the right to erasure of personally identifiable information
- the right to restrict processing personally identifiable information
- the right to data portability to a new supplier
- the right to object to marketing, scientific and historical research
- the right to not be subject to automated decision making and profiling.
I agree that the maximum fine will probably never be levied but the range is sufficient to put it in the same impact levels of the fines that banks have suffered in the last decade. The fine will be based on the ability to pay and the perceived damage caused by a breach. There is also threat of private civil action by those individuals who can claim damages for breaches of the regulation.
The challenge for technologists is to provide compliant holistic solutions that meet the very inexact wording of the regulation around what are reasonable measures. These requirements themselves will be driven by newly formed governance bodies, internal and external compliance, legal counsel, marketers, external suppliers and data processors. A technology programme with a multitude of stakeholders and vague requirements is seldom a success.
The personally identifiable information itself is usually scattered among a number of front office, back office and supplier systems usually without good links to relate the information. There is also the risk that the data resides in the Shadow IT of the organisation away from the control of the technology department.
There are also technical challenges in the solutions proposed, for example, the regulation says that data must be encrypted but as any infosec expert will attest encryption is only as good as the algorithm and where you store the encryption keys. As for the right of erasure, that will be the topic of a future post on the technical challenges of achieving that requirement.
I applaud vendors such as Microsoft this week certifying their solutions can support making an organisation GDPR compliant but that shouldn’t take the focus off the overall organisational and technological change required.
At the moment, it seems we suffer from the streetlight effect in only looking for problems that are perceivably the easiest to fix.
The key theme for protecting IT systems from unauthorised access is to offer multiple layers of protection in terms of people, technology and physical environment. This is known as defence-in-depth when referring to technology, separation-of-concerns when referring to people and compartmentalization when referring to the physical environment. Ultimately all these techniques resemble lamination as applied to bulletproof glass or car windshields where multiple layers of different materials are used each with different physical characteristics of strength, hardness and brittleness which are stronger in a composite form.
Defence in depth is the use of different technologies to offer layers of protection which protect some aspect of the system such as vulnerable protocols, incorrect content, hard to resolve bugs or enabling a single person to compromise the entire system. Such technologies are firewalls (web, layer-7 or network), DMZs (network zones between two firewalls), content inspecting proxies (anti-malware and data loss prevention) and Virtual Private Networks. They work with IDAM (Identity and Access Management) solutions which also include authorisation, authentication, auditing and logging.
Separation of concerns for people involves the dividing roles between developers, administrators (including DevOps) and security operations staff. The developers design and write code which is turn deployed and managed by administrations and the previous two roles are monitoring by security operations staff. The logging and monitoring provided by the IDAM solutions needs de-duplication, correlation and analysis for behavioural changes to avoid intrusion and infiltration by new techniques (zero day threats) which emerge or are deliberately engineered to overcome the defence in depth solutions. The people aspects of security need a strong security policy, good background checks on candidates, regular training against social engineering and a culture of continuous improvement.
Physical security is still very important aspect of the overall security defence regime and technologies such as strong encryption only mitigates the risks and does not end them. Strongrooms, multiple doors, biometric security, multiple physical sites, CCTV, intrusion detection alarms and in some cases TEMPEST/SCIF techniques are the foundation of good information management. Managing and monitoring physical security in the same way as digital security is paramount to achieving the right level of control. Cloud environments enable the shift some of this responsibility to third parties for Storage, Compute, Network and Backup who are constantly improving through achieving ISO27001, PCI-DSS, HIPAA and FedRAMP certification which benefits all their customers.
Technology security lamination using different technologies/techniques/people at each layer provides the best approach to meet the challenge of continual improvement in the arms race that is Cyber-Security.