With GDPR officially going into effect last week, what does this really mean? For some organizations it meant an entire revamp of how they run and manage their business, for some it was let’s do just enough so we are not made an example of and for others it is a let’s wait and see what happens. Whether you do or don’t need to be complaint with GDPR, it should be taken as a wakeup call that additional regulation is coming and it is time to take action when it comes to protecting and securing critical data.
GDPR and really any previous regulation really focuses on Data Protection and Data Awareness. You can sum up a large percent of GDPR with a few simple questions:
1) What is your critical data?
2) Where is it located?
3) Who has access to it?
4) How is it protected?
The one big difference with GDPR over other regulations is the “right to be forgotten”. Essentially if a customer says that they no longer want to do business with you, they can request that all of their information be securely removed from their systems. While a simple concept to understand, it is a difficult concept to actually implement in practice when you look at the large number of places data is typically stored and the lack of awareness that most companies have with regards to data protection.
Data Classification
The fundamental component that GDPR is really driving home is the need for data classification. It is an area that in classified governmental environments, organizations are very familiar with, but in other commercial sectors is a term that receives occasional lip service but no real action. It is like saying driver safety is important as you run a red light, while talking on your cell phone.
Compliance is coming to every organization no matter how big or how small and if you wait for the regulation to be passed, it will be too little too late. The bottom line is data classification is a key foundation item that is required to properly run any business that stores information in electronic form. If your organization currently does not have a data classification program and it is not currently on your security roadmap, verify that every other item you are working on is a higher priority than data classification.
Remember the golden rule of cyber security, before you spend a dollar of your budget or an hour of your time on anything in the name of cyber security, always ask yourself 3 questions:
1) What is the risk?
2) Is it the highest priority risk?
3) Is your solution the most cost effective way of reducing the risk?
An organization will never be risk free so it is critical to always focus on the highest priority risks.
Implementing Data Classification
While data classification is not simple, organizations make it a lot harder than it needs to be. In implementing data classification as a foundation for GDPR remember a few simple tricks:
1) Keep it simple – instead of implementing a multi-tier complex system implement a basic classification scheme of two initial levels: public and private. If over time you want to add a few additional levels, you can but initially keep it simple. Just think of the change in the security breach landscape if this general level of protection was in place. Public information can be accessed from the Internet and leave the organization with minimal to no impact. On the other hand, private data is very sensitive, can never be accessible from the Internet. If personal data was marked private, monitored, tracked and not allowed to be downloaded from the Internet, many of the major breaches that have happened would be not existent.
2) Make everything private by default – many organizations when they roll out data classification they assume the default level is public. The problem is if there is critical data that takes 9 months to get to and it is sitting as public for that time period, it could lead to a major compromise. Instead make everything private by default, and only declassify data to public data if access and exposure would cause no harm to the organization.
3) Start with new data first – many organizations roll out data classification by starting with the existing data first. The problem is that while they are focused on classifying the existing data, the new data grows at a faster rate which means the project will continue indefinitely. Instead focus on classifying all new data first. By doing this the amount of existing data will be bounded and not grow.
Centralized Storage and Control
While data classification is a key component of GDPR because you cannot protect what you do not know, centralized storage and control is another key component in order to implement the “right to be forgotten”. If data can be stored in many places and in many locations not only is it difficult to manage but it is difficult if not impossible to delete.
With many organizations, if asked what is your critical data and where is it stored, they could tell you. Most likely they would state client information is the most critical and it is stored on 5 servers. While they are partially correct that it is stored on the 5 servers identified, it is also stored on 12 other systems they are not aware. Not only is this problematic when trying to implement security controls and protection, but becomes extremely problematic when the “right to be forgotten” requirement is added.
What all of the data breaches over the years, combined with GDPR, it really emphasizes the need for centralized and controlled storage of critical data. While this is being attempted, the most dangerous culprit are laptops. Why are we giving 30,000 employees laptops that each contain 2 TB hard drives and if that is not bad enough, allowing them to plug in USB drives to make copies of that data. If an organization wants to win this data compliance game, users laptops need to be thin clients or systems with hard drives that are bigger enough to contain an operating system but no data. If we want to control and manage data, it cannot be allowed to be stored on laptops and personal devices. I recognize that this is a big paradigm shift, but is necessary to get to the level of data protection that is not only required by law but demanded by our customers.
GDPR- The Next Steps
Whether GDPR directly or indirectly impacts you, it needs to serve as a wake-up call that it is time to take a data centric approach to security. All of the money, people, and resources does very little to secure an organization if there is no proper data classification and centralized storage. If you are like many organizations where you are not really sure all of the locations critical data is stored, start with a data discovery exercise and start building a plan.