The European Union’s far-reaching General Data Protection Regulation (GDPR) goes into effect May 25, Facebook has had to answer to Congress for its ties with Cambridge Analytica, and privacy issues and reports of massive data breaches are in the news on an almost daily basis.
For cybersecurity professionals, this focus on protecting privacy means that their concerns, and budget requests, are now getting attention from senior executives and corporate boards. Data security is now moving to the top of the agenda, with companies paying more attention to getting a handle on what data they have, how to encrypt it, rolling out more granular access controls, and upgrading monitoring and auditing capabilities.
Privacy and security go hand-in-hand, says Shahryar Shaghaghi, national leader of the cybersecurity and privacy practice at CohnReznick LLP. "There is no security implementation without a privacy consideration, and vice-versa," he says. "If you're talking about access controls, you're talking about both topics. If you're talking about encrypting and protecting data, you're talking about both topics. If you're talking about monitoring data, you're talking about both topics."
With GDPR, it's not just for companies doing business in Europe. "Even if their primary market isn't Europe, many companies are realizing that they'll have to make some changes," says Lorrie Cranor, computer science professor at Carnegie Mellon University and director of the CyLab Usable Privacy and Security Laboratory. "Given the potential penalties, that's where there is awareness. It's waking them up."
According to the 2018 Data Threat Report from Thales and 451 Research, only 13 percent of organizations say that they will not be impacted by privacy regulations — a steep drop from 28 percent last year. Even when companies don't do any business in Europe, they still need to be paying attention to the issue, as other regulators are dealing with the same issues. "I think we will see pieces of GDPR in the United States," Cranor says.
Meanwhile, GDPR is already having an effect on improving privacy controls for users around the world, since it's easier for some companies to simply comply with GDPR across the board. "We just did it across the board," says Michael Fauscette, chief research officer at G2 Crowd, an online software review site. "We have about half a million users, and there are too many pitfalls to the idea that you'd always know that this is a European user, this is a user from China, or whatever."
According to a survey released by ISACA, security and privacy are at the top of the agenda for companies of all sizes. Executives say that they expect to see several positive outcomes as a result of their preparation for GDPR. The top three were better data security, with 60 percent of respondents, followed by improved business reputations at 49 percent, and marrying data security practices with corporate culture at 43 percent.
In 2016, 30 percent of executives said that the lack of privacy controls was a top issue that kept them up at night, according to a survey released last month by Scale Venture Partners. That went up to 46 percent last year, nearly catching up to hackers at 49 percent.
The survey was conducted before the Cambridge Analytica news broke, says Ariel Tseitlin, partner at Scale Venture Partners. "There's been a steady stream of breaches over the past few years," he says. "CISOs have heard the message loud and clear, and boards have been discussing this. But the big changes now are coming from regulations, including GDPR. It's been the big warning bell ringing, and organizations have been waking up."
Encryption, encryption, encryption
The increased focus on securing data couldn't come at a better time. Cloud services, mobile and edge computing, and an increased reliance on third-party vendors mean that more and more data is outside corporate networks. With a larger attack surface, hackers have an easier time getting within the corporate perimeter to go after the data that's still held internally.
"We need to reach beyond this notion of perimeter-based security," says David Archer, principal researcher in privacy and cryptography at Galois, an Oregon-based technology research firm. "A lot of security mechanisms are about the walls, but inside the wall it's a soft center and very exploitable."
To secure the soft, chewy center, one of the core security mechanisms is encryption. LogMeIn, for example, offers the LastPass password management tool as well as other products that manage access and provide collaboration and communications. "Anything stored in the LastPass vault gets encrypted on the client side, and only then is sent over to us," says Gerald Beuchelt, CISO at LogMeIn. "In the event that we do get breached — and we are doing our best to prevent that, but it is possible — the likelihood of it having any impact is very, very slim. Even if an adversary was able to extract LastPass vaults, they would get a large blob of data for which we don't have the passwords."
LogMeIn also has sensitive information that it does have access to, such as payment information for its customers. The company has more than two dozen different products, says Beuchelt. "Pretty much all of them have some level of encryption." That includes encryption of data in transit, he says. LogMeIn uses native file capabilities and database capabilities for data at rest. "It's important to do the right risk assessment," he adds. "Encryption at rest with the keys on the same system doesn't offer much more protection."
LogMeIn is also looking at new technologies that allow data to stay encrypted even if it is being used. "We are super interested," he says. "It is relatively new technology, but it's starting to mature to the point where they are truly deployable for enterprise solutions. As part of the planning for 2019 and beyond, I would definitely see us looking at this."
Organizations have long known about the benefits of encryption. Securing data at rest and in transit has been a core security recommendation for years. "There's overhead and cost associated with it, and it hasn't been prioritized," says Ashton Mozano, CTO at Circadence and a professor of cybersecurity at the University of San Diego. "These types of issues have been raised over and over again for the last 15 years."
According to Gary Southwell, general manager of the high-performance products group at CSPI, a cybersecurity vendor, encryption helps protect companies when there's a security incident. "If you can prove the data was properly encrypted, you don't have to report the breach," he says. "You have to be able to say, here was the breach, here is the forensic detail, but the data was encrypted."
This can be difficult when the data is stored by cloud providers or third-party vendors, he says. "There are tools out there, but they're not being adopted by all the cloud service providers. Some will say it's really on our customers to deal with this; you're not going to get much help from us. Some of these providers are just slow to react, and now they're scrambling. They know they have to provide these tools, but they're trying to cover their butts until then."
According to a survey released by NetApp in April, only 39 percent of companies know where all of their data is stored by their cloud providers. Overall, however, cloud services are a boon to enterprises when it comes to compliance because the cloud vendors can focus more resources on the issue.
In fact, according to the latest McAfee adoption survey, fewer than 10 percent of organizations plan to decrease cloud investment as a result of GDPR. When it comes to public cloud investment, 49 percent of organizations plan to remain at the same level, and 37 percent say they will increase the investment as a result of GDPR.
Managing access to customer data
Financial firms depend on their customers' trust to stay in business. In addition, a breach could also result in immediate financial losses for the company and its customers. Then there are the regulations — so many regulations.
As a result, financial firms are some of the most sensitive about protecting customer data. Midland IRA, which provides administrative services for retirement plans, is no exception. "For us, protecting personally identifiable information has always been a priority," says Joe Stolz, business systems manager at Midland IRA. "But with breaches in the news, we're definitely investing more heavily in helping keep our customers' information as safe as possible. Just yesterday [May 2] it came out that Commonwealth Bank might have leaked up to 20 million records," he adds.
All this has caused the company to take another look at how it protects customer data. "We're much more motivated," he says. "We don't want to be another story."
To start with, the firm has taken a fresh look at how it manages data access privileges. "In the past, we had privileges that were more one-size-fits-all," says Stolz. "As the company has grown, we realized that this is not the best approach. Certain departments should only be allowed to do certain things in the system. We want to make sure people can't see what they don't need to see to do their jobs."
So, for example, a customer service representative would need to see customers' information to help them — but that doesn't mean that they need full access to every field. For example, they don't need to see the full social security number, just the last four digits. "In the last year, we've completely rewritten all the permissions within our business systems, including Salesforce, using the model of least privilege possible," he says.
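As an added illustration, not Midland IRA's code and not a Salesforce API, here is the field-level least-privilege model described above in Python: each role lists exactly which fields it may see and how, anything unlisted is denied, and the support role sees only the last four digits of the SSN. The role names, fields, policy and sample record are all assumptions.

```python
"""Field-level least privilege for customer records (added example).

Assumed: a customer record as a dict, and a per-role policy that lists
exactly which fields a role may see and how. Anything not listed is denied.
"""

FULL, MASKED, DENY = "full", "masked", "deny"

# Constructed policy; "support" sees only the last four SSN digits.
POLICY = {
    "support": {"name": FULL, "email": FULL, "ssn": MASKED, "phone": FULL},
    "finance": {"name": FULL, "ssn": FULL, "account_balance": FULL},
    "marketing": {"name": FULL, "email": FULL},
}


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, e.g. '123-45-6789' -> '***-**-6789'."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("unexpected SSN format")
    return "***-**-" + digits[-4:]


MASKERS = {"ssn": mask_ssn}


def view_record(role: str, record: dict) -> dict:
    """Return the subset of `record` this role may see, masking where required.

    Unknown roles and unlisted fields are denied by default (least privilege),
    so adding a new field to the schema never exposes it by accident.
    """
    rules = POLICY.get(role, {})
    visible = {}
    for field, value in record.items():
        rule = rules.get(field, DENY)
        if rule == FULL:
            visible[field] = value
        elif rule == MASKED:
            visible[field] = MASKERS[field](value)
    return visible


def withheld_fields(role: str, record: dict) -> set:
    """Fields of `record` the role cannot see at all; useful for audit checks."""
    return set(record) - set(view_record(role, record))


if __name__ == "__main__":
    # Constructed sample customer record.
    customer = {"name": "A. Example", "email": "a@example.com",
                "ssn": "123-45-6789", "phone": "555-0100",
                "account_balance": 1500.00}
    print(view_record("support", customer))
```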
Two months ago, the company added second-factor email authentication for its client portal. Now it's working on an update to add more authentication methods, such as text messages.
Better monitoring controls
Even when an employee — or a customer — has the right to access certain information, it doesn't necessarily mean that they should. To ensure that people are who they are supposed to be and aren't taking advantage of their access for nefarious purposes, Midland IRA added new monitoring controls.
"We have so much information on Salesforce," says Stolz. "It's a great program that we've been able to build a lot on, but we didn't have great visibility in what was going on. They have event monitoring, but it's really difficult to set up so that it's useful information."
About a year ago, Midland IRA turned to FairWarning, a Florida-based data protection and governance vendor. It monitors Salesforce feeds for signs of suspicious logins, and looks at what reports are being run, what data is being accessed, and what data is being exported, he says. "Now we're able to know if there's something off about a transaction, off about an access, off about a login, and we're able to take care of that a lot quicker than we were able to do before," he says. "That has helped us feel a lot more secure."
Salesforce does have a set of native tools for encryption and event monitoring, says Kurt Long, CEO and founder at FairWarning. Salesforce Shield, for example, helps customers monitor data use and run compliance audits. "They're providing the raw data and raw controls," he says, "but that is absolutely not enough to help a company be positioned for GDPR compliance. If you're an expert and know what to look for, you can monitor all the activity. But if you're not an expert in this technology, then it would be very confusing and difficult."
There are more than 40 different data sources, he says, and the data elements can change as Salesforce updates its systems, meaning that home-grown tools need constant maintenance.
Trust through security as a selling point
For some companies, both those marketing to retail customers and those in the business-to-business space, top-tier data security could be a marketing or operating advantage. "If people weren't concerned about their data yesterday, they will be concerned about it today," says Elizabeth O'Callahan, VP of legal at NetApp, a cloud data services company. "A lot of the literature on this topic has really focused on the fear, fear, fear. That's missing the real issue here. If we can manage our data, we can really optimize our business processes in a way that we couldn't before. You're turning a crisis into an opportunity, if you will."
Ryan LaSalle, lead of growth and strategy for Accenture Security, says he's had this conversation in several companies, especially those in banking and high tech. "What is the value of GDPR in how I differentiate my services? How do I build equity with my customers? How can I use some of those same concepts of user consent to have a better relationship with our clients? It's still early days, but there are some fascinating discussions with the heads of businesses of those organizations."
According to a GDPR benchmarking survey by Deloitte, 61 percent of organizations see benefits of their investments going beyond compliance. Of those, 21 percent expect to see significant benefits, including competitive advantage, improved reputation, and business enablement.
One company that already expected more customers to come knocking for help with securing data in preparation for GDPR is Optimal IdM. It helps enterprises manage employee access to cloud applications, and Optimal built a GDPR compliance dashboard that lets businesses provide access to GDPR-compliant tools for viewing, updating, and deleting personal data. It is now working on offering extremely fine-grained access controls, especially for legacy applications that don't have those controls built in.
However, there hasn't been as much demand as expected, says Mark Foust, the company's chief product evangelist. "I think the ongoing opinion is that someone's going to have to be the first to go to litigation," he says. There are still a lot of details about GDPR that are up in the air. "It's still a little vague," he says. "Until it's litigated, probably, and that's going to be the biggest push. Buying security is like paying for insurance. There's no urgency until there is — and then the wallet strings come completely undone."