How to get your data GDPR ready in the Cloud

With the new regulations fast approaching and data breaches becoming an increasingly common occurrence, PCR investigates the best ways to secure data in the Cloud
Author:
Publish date:
cloud-question-marks-main.jpg

By the time you finish reading this article, more than 70,000 data records around the world will have been compromised (assuming it takes you around 10 minutes to read, and you make it to the end). In the first half of 2017, some 1.9 billion data records were compromised, according to Gemalto. That translates to 122 records exposed every single second. And that is just the breaches that go public.

There was a dramatic 164 per cent increase in the number of data records reportedly breached from the second half of 2016 to the first half of 2017. And the most worrying thing is that number will undoubtedly go up when GDPR comes into effect next May and European companies are obliged to declare all breaches that would have previously been swept under the carpet.

So what can we all do to protect our data and how can the Cloud help to alleviate both consumer and business concerns surrounding security and impending regulatory obligations?

With 47 per cent of data stored in the Cloud deemed as ‘sensitive’, 28 per cent personally identifiable information and a further 25 per cent recognised as either payment or health data (according to SkyHigh Networks), Karl Simpson, CSO at Calligo, believes that the first question that everyone should ask themselves is: ‘should I be storing this information in the Cloud?’

He says: “The stringent requirements around GDPR mean that while cloud may be convenient, managing the content that you do store becomes incredibly important. You need to be aware of where your data is being stored, the cloud provider may be required to provide access to your data under certain circumstances as applicable to the country in which your data is hosted rather than the country that you are in with potentially unexpected outcomes for access to your data. If you are unsure as to the answer to either of these questions then there is a good chance that you should look at alternative options.”

Hacker cartoon

However, if you are going to store data in the Cloud then the number one thing to remember is restricting access; creating distinct passwords, using dual-factor authentication where possible and finally (and this is the biggie, especially where GDPR is concerned) encrypt, encrypt, encrypt! And it is important to take responsibility for the data you store. As David Emm, Kaspersky principal researcher, says: “Companies might choose to outsource data storage, but they can’t outsource their responsibility for securing it. In other words, security needs to be part of their dialogue with a cloud provider before storing data in the Cloud; and they need to take their own steps to secure sensitive data, for example through encryption.”

And if you ignore the importance of encryption, or shirk the responsibility, then you are putting your data at risk (which will get you into serious trouble come GDPR day). Remember, with GDPR, implementing encryption is considered an appropriate control, to the extent that even in the event of a data loss you are not required to communicate a breach to the data subject. As Russell Crampin, UK managing director of Axians says: “For businesses, one of the main issues with storing data in a public cloud is the loss of control. If the cloud provider itself is compromised, your data in turn is vulnerable. Some SMEs, in particular, drawn in by the affordability and scalability of public cloud services, may not be fully aware of the risks presented by outsourcing their data. A hacker will target a vulnerable network, but won’t always know what they are looking for and will be seeking any opportunity. As a business user, can you really ensure that your provider of cloud connectivity has invested in their own security protection? This question is particularly pertinent if the provider has grown quickly - they are now a more profitable target for hackers, but their security defenses may not be strong enough to reflect this.”

But it is not just security that GDPR will impact companies using the Cloud. In terms of GDPR’s impact on businesses, Microsoft’s Server Guy Ed Baker outlines six steps that must be undertaken. “If cloud-consuming companies are serving European customers then there are a number of actions they should take,” he says. “Firstly, know the location where cloud apps are processing or storing data. Take adequate security measures to protect personal data from loss, alteration, or unauthorised processing. Close a data processing agreement with the cloud apps you’re using. Collect only ‘necessary’ data and limit the processing of ‘special’ data. Don’t allow cloud apps to use personal data for other purposes. And finally ensure that you can erase the data when you stop using the app.”

security-lock-main.jpg

A large part of GDPR is also making data storage much more transparent and accessible. GDPR will finally provide an answer to the biggest question that users have when using the Cloud, which is ‘where is my data going?’ As Chris Niggel, director of Security and Compliance at Okta says: “Ensuring strong visibility of how customer data is stored and managed will be critical in avoiding the strict financial penalties that could affect organisations if a data breach occurs. This includes any instance of personal identifiable information, such as emails or photos. In the event of a data breach, organisations will be required to report an incident within 72 hours of discovery of the incident, meaning the ability to quickly identify and report breaches is key. By using a centralised cloud management system organisations can quickly identify where data is located and who has access, considerably speeding up the process.”

Combine visibility with security and then you should have no issue with keeping your data secure. On top of that you will be meeting your regulatory obligations and giving customers peace of mind. 

Related