As high-profile data breaches continue, enterprises scramble to protect their workloads. But sometimes, basic security practices, such as encryption and authentication, aren't enough.
And while legislative efforts in the United States have progressed slowly, the EU has made big strides around data privacy with the enforcement this year of the General Data Protection Regulation (GDPR), a move that will affect both public cloud providers and the compliance teams of enterprises that do business in the region.
A quick overview of GDPR
The central tenet of GDPR, which goes into effect on May 25, is that every individual has a right to the protection of his or her personal data. From names and Social Security numbers to retail receipts, GDPR requirements dictate that businesses must meet a minimum data protection threshold. The regulation backs this with severe fines for those who don't comply: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
As a European regulation, GDPR clearly applies to companies established within the EU. The IT and business landscape of today, of course, is much more far-reaching. Even many small companies operate globally and use services that cross country borders. GDPR therefore also reaches companies outside the EU that offer goods or services to people in the EU or monitor their behavior; in practice, this means that any company that processes the personal data of people in the EU still needs to meet GDPR requirements, wherever it is based.
Prepare cloud deployments for GDPR
Major public cloud providers, such as AWS and Google, have moved rapidly to make their platforms comply with GDPR requirements. Unfortunately, for enterprises that use these platforms to store and process personal data from the EU, the use of a compliant cloud service isn't enough. The provider's compliance covers the infrastructure it operates; the enterprise remains responsible for how its own data is stored, encrypted, accessed and retained on top of that infrastructure.
The first step to ensure you are GDPR-compliant is to perform an honest data protection audit: establish what personal data you hold, where it lives and who can reach it. In addition to your primary cloud provider, make sure any on-premises or SaaS applications you use are compliant; ask for a copy of each software vendor's internal compliance reports.
Also, make sure each data set your business owns is encrypted with keys you control, and that your data backups are encrypted and secured as well. As with SaaS applications, verifying backup encryption means reviewing the backup vendor's software compliance report.
Next, address any potential issues you find. It should be fairly straightforward to fill in any gaps in encryption or authentication, as most major cloud providers offer tools and services for these tasks. At a minimum, be sure to apply these practices to all the personal data you handle.
Only open sensitive data sets to those whose role requires access, regardless of seniority. Limit access to actively used data especially, and don't grant systemwide access. Unless business executives absolutely need to see encryption key files, don't give them access, either.
Apply identity and access management (IAM) and intrusion detection software. It might not stop every attack, but it will demonstrate to EU regulators a willingness to act, and because GDPR requires that a breach be reported to the supervisory authority within 72 hours of the organization becoming aware of it, you need to be able to detect a breach in the first place.
There are also companies, such as IT Governance and Egnyte, that offer services to help businesses comply with GDPR requirements. If you are starting this process late, this might be an essential step.
GDPR implications beyond cloud
The effects of GDPR will extend beyond cloud and mobile computing. The internet of things (IoT), for example, generates large amounts of personal data that is ripe for exploitation. And with most IoT vendors still focused on basic functionality rather than on data security and compliance features, some enterprises might hold off on IoT deployments until those gaps close.