EETE JUNE 2013

Data Security Compliance in the Cloud with regard to data protection EU rules

By Richard Walters

The European General Data Protection Regulation (GDPR) was outlined on 25th January 2013. It proposes to provide a single set of data protection rules binding all twenty-seven member states. Penalties for non-compliance include fines of up to two per cent of an organisation's global turnover.

Key parts of the GDPR proposals include the requirement for data controllers to inform the relevant Data Protection Authority within twenty-four hours of becoming aware of a breach. Affected individuals also have to be informed if there is a potential for the breach to cause additional harm, for example if the security breach compromised passwords, email addresses or other personal information that could be used to perpetrate identity theft.

The scope of GDPR extends to both European organisations and companies based outside of the EU that process the personal information of EU citizens. The rules are still being hotly debated and the content of the regulation is yet to be finalised; however, the goal of the European Commission is to have GDPR adopted by 2014, with regulation enforced from 2016.

Compliance in the Cloud

One of the main aims of the European Commission is to enable business transactions through a trusted internet. EU Justice Commissioner, Viviane Reding, has said: "This piece of legislation is one of the biggest market-openers of the last few years." To underpin that trust, the EU GDPR aims to provide consumers with the reassurance that their information is being governed and protected by data controllers, and gives citizens the right to request that their data is deleted if they stop using the services of a provider.

With so many organisations currently adopting cloud services for storage and backup of data, and services such as email, CRM, file sharing and enterprise resource planning, the European GDPR has caused many European CIOs to pause for thought. How do they effectively control employees' access to corporate and customer data that is within scope of EU GDPR, when the data might be processed outside of the corporate firewall, using Web applications that are accessed using personal devices?

Enabling visibility in the Cloud

Currently, Web application use represents a blind spot for CIOs and CISOs. They can authenticate users and secure employees' access to applications using single sign-on linked to enterprise directories, but they cannot see what employees are doing between logon and logoff. If they don't know what's happening to data, how can they prove governance and compliance with EU GDPR, or PCI DSS, or HIPAA?

The issue with adopting Software as a Service (SaaS), or any other public cloud service, is that this forces organisations to accept the security policies of the SaaS vendor. Often, this results in security being downgraded to a "one size fits all" model, which may not be sufficiently granular for the organisation adopting that service. What is required is a method of managing and auditing the use of Web applications that is an extension of the existing security policies and controls used by the organisation for its on-premise applications.

The browser is the common access point

The first thing to recognise is that Web-based applications are not going away. The productivity, accessibility and cost benefits of consuming services hosted in the cloud are too attractive for businesses to ignore. CIOs who have delayed adoption of Web-based applications have often discovered that employees have simply gone ahead and subscribed to their own applications in order to facilitate flexible working and maximise their productivity while travelling.

This "shadow IT" is now creating a growing governance, risk and compliance issue for organisations. If CIOs don't know an application is being used to store or process corporate data, then how can they prove that user access was managed appropriately, and how will they know if there is a breach? This lack of visibility will make it extremely difficult for organisations to comply with the EU GDPR mandatory breach disclosure.

Shadow IT is not a symptom of malicious employees; it is a result of employees becoming more familiar with consuming Web applications such as Dropbox in their personal lives and then applying the 'search, download, use' principle to their professional life. In fact, the growth in browser-based application use led to SaaSID developing a radically new approach to authentication, management and auditing of employees' application use. "Work" is an activity, not a place. The browser is the new endpoint.

Figure 1 shows the traditional layered approach to data protection. The rising adoption of public cloud services and consumer Web applications, along with bespoke enterprise

Fig. 1: The traditional approach to data protection

Richard Walters is Chief Technology Officer of SaaSID - www.saasid.com

Electronic Engineering Times Europe, June 2013, www.electronics-eetimes.com