Sign up for our newsletter - Navigating the horizon of business technology​
Policy / Big Tech

GDPR Encryption Clause: Is This the “Get Out of Jail Free” Card for a Data Breach?

2018 has been a data privacy landscape turning point. What’s your view of current market dynamics? And  where do you stand on the GDPR encryption debate?

With a record number of highly publicised career ending data breaches, it has been a difficult time to be a CIO/CISO over the past 12 months, and there are no signs of things getting easier in the near future. The industry is facing the coming together of two key trends in data security: stronger regulatory requirements from authorities across the globe, and increasing levels of sophistication shown in the tactics of malicious hackers.

Regulations such as GDPR in the EU and HIPAA in the US healthcare industry have redefined what is considered a data breach, and the threats to businesses are increasingly involving human targeting and social engineering to gain access to valuable personal data.

According to Verizon’s 2018 Data Breach Investigations Report, 93 percent of breaches were caused by phishing attacks sent to the company’s internal employees. Today’s phishing attacks are more sophisticated than ever, utilising social-engineering, which can fool even the most savvy employees into clicking on malicious links or sending sensitive data to fraudulent parties.

White papers from our partners

Some are arguing of GDPR that it is so inchoate  (guidance was very late to the party before implementation) and complex that proving full compliance is unfeasible. Do you agree?

No one’s denying that GDPR is a long and complex piece of regulation, but many businesses that see compliance as impossible are missing one standout moment of clarity within the regulation relating to data encryption.

Clause 3 in Article 34 of GDPR states that in the event of a personal data breach, a business is not required to communicate the breach to affected individuals if measures such as encryption have been applied to render the breached data unintelligible. Encrypted data is stored as what appears to be random and meaningless text, so if this data finds its way outside of the organisation, it is of no use to any malicious actors.

gdpr encryption
“It was all encrypted!”

To put it simply, if breached data is encrypted, it is practically immune to the definition of a data breach under GDPR. The knock on effects of this are ground-breaking. If a business can be confident that it has applied encryption to all personal data it holds, the horror stories of fines, lawsuits, and crippling reputational damage are immaterial.

GDPR encryption: How does a business go about encrypting the personal data it stores?

You would be hard pressed to find a business that doesn’t recognise the importance of encrypting data to mitigate the effects of a catastrophic data breach. However even some of the most security-savvy firms are focusing their encryption efforts in the wrong place. Encryption of data can occur at many levels throughout the datacentre stack right from inside the storage array to the application itself.

See also: GDPR? 25 May Was Just the Start

Encrypting data at the storage layer (‘at rest’) has always been the go-to strategy, as storage arrays can encrypt the data instantly without any performance penalty. The CIO is therefore happy as they can check the ‘encryption’ box under the impression that the data is fully secure. However, this is far from the case, as the attack surface for businesses is broader than a direct attack on data storage.

Cybercriminals target the employees within an organisation who have access to the data they want. If businesses only encrypt data at the storage level, the data that these employees have access to and are working with is completely unencrypted and therefore at risk as it transitions across layers such as databases, applications, and virtual machines. One human compromise and a malicious attacker has unfettered access to personal data.

“Djd I encrypt it in transit too?” Credit: Victoriano Izquierd, via Unsplash

 

As such, encryption must be applied much further up the business and more comprehensively across the technology stack, so that wherever the data resides or is in transit, it is immune to a data breach and the consequences of such an event. This is known as encryption ‘in flight’ or ‘end-to-end encryption’ (E2EE). After a data breach, CIOs who don’t adopt this updated gold-standard to protect customer data will undoubtedly be asked why they haven’t?

What should businesses be aware of when looking to implement this type of protection?

Whilst implementing encryption at the application level is an emerging critical requirement to combat security threats, it can present a huge problem in the face of the realities of modern data storage. The common use of All-Flash Arrays (AFAs) in datacentres, hailed by many as the future due to their perceived performance benefits, is colliding head-on with the ability to implement E2EE where it is needed most.

AFAs rely heavily on data reduction to deliver their high level of performance at a workable cost to enterprises. The existential problem for AFAs in this scenario is that implementing E2EE fundamentally defeats data reduction! If a business’s data reduction ratio goes down from 4:1 to 1:1 as a result of encryption for example, the already sky high cost of all-flash is multiplied fourfold – a proposition that is simply untenable for the business.

Therefore, minimising this unhealthy reliance on data reduction is really the only option for delivering an acceptable cost per terabyte alongside data encryption. In direct contrast to all-flash, storage solutions that take a software-defined approach to achieve this will be the foundation needed to achieve the level of data security required by today’s regulatory environments, and tomorrow’s cyber threats.

Businesses must realise that their technology investments must support them on their future data security trajectory. Any infrastructural decision made now that is unable to implement end-to-end encryption is simply another accumulation of technological debt, and could be the undoing of businesses in the new era of personal data protection.
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.