This post is the first in a new series of posts focusing on the forthcoming General Data Protection Regulations (GDPR) and specifically focuses on data encryption.
One of the key tenets of the GDPR is that it requires businesses to implement appropriate technical and organizational measures to provide protection to the personal data they hold. The regulations give examples of how to achieve this, which include pseudonymisation and encryption of personal data the company may hold.
The GDPR regulations specifically mention encryption as follows:
- “…implement measures to mitigate those risks, such as encryption.” (P51. (83))
- “…appropriate safeguards, which may include encryption” (P121 (4.e))
- “…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
- “…unintelligible to any person who is not authorised to access it, such as encryption” (P163 (3a))
It was not so long ago that most company data was stored either on-premises and/or in the company datacenter, making governance and control of that data a far easier task than in today’s world, where data could also be stored in many of the public cloud services that are widely available.
The distribution of corporate data across private and public stores provides a conundrum, as companies want to embrace the flexibility and cost advantage of the cloud, but at the same time protect themselves from potential breaches and large fines.
The GDPR has a notion of ‘best effort’ ie. that a company has made the best effort it can to protect data, through both technology and process.
One may believe that using HTTPS to encrypt data in flight and storing data, encrypted at REST on some third party cloud service encompasses ‘best effort’, but, given the number of high profile breaches of public cloud services where both of these methods were in place, this is clearly not the case.
The UK Information Commissioner’s office ‘Action we’ve taken‘ website is illustrative in terms of action taken when such breaches have occurred. The reality is that the genie is out of the bottle with regards to a breach defence centred on ‘but I thought my application provider was storing the data encrypted and it would be secure’. Breaches occur on an ever more frequent basis and relying solely on a third party provider’s encryption at rest is unlikely to be a robust defence with the regulator if a breach occurs.
So what can be done? As best practice a company should also encrypt their own data, particularly if that data is going to reside on a third party cloud provider. Adhering to this should not be onerous to the company, as if it is, users will just bypass it if they can. Therefore the aim is to make it easy and indeed transparent for the whole company to encrypt data.
The Storage Made Easy File Fabric provides exactly this method of transparent encryption for companies.
The File Fabric can be installed on-premises or in a company data centre. As the File Fabric connects to over 60 storage and application endpoints, it has the means to connect, and therefore secure data that is stored, either locally or remotely.
It achieves this in a transparent fashion for an company using a combination of encryption and identity management.
The File Fabric can integrate with corporate identity management solutions, such as Active Directory, LDAP, SAML etc, allowing users to sign into it using their existing domain credentials (single-sign-on).
Also additional security can be added over and above the identity management in the form of two factor authentication which would result in a users entering their single sign on credentials but then also receiving a two-factor challenge before they could then proceed to login.
An Administrator can setup the File Fabric so that all data sources are transparently encrypted. This is done by setting an encryption policy.
(Note that there is an option for only certain nominated folders to be encrypted also)
The encryption module the File Fabric uses was independently FIPS-197 certified and is listed as such on the National Institute of Standards and Technology website.
Third Party Encryption Key Management systems can be used if required:
Once an encryption key is set then all data uploaded therein is encrypted. This happens transparently to domain authenticated end-users. Data is encrypted o upload and un-encrypted on download and users are not aware that this is taking place.
If a breach were to occur on a third party provider and resulted in access to company data stored there then this would be unreadable without the files being decrypted via the Enterprise File Fabric.
In summary the Storage Made Easy Enterprise File Fabric solution protects data, over and above storage data-at-rest encryption, using access controls and and encryption policies. Deployment of transparent file encryption to enforce data security and satisfy compliance regimes such as GDPR is simple, scalable and fast.
For our next GDPR Watch topic we will be discussing how the Enterprise File Fabric enables data event monitoring and logging and can be used as a means of data protection and to satisfy Subject Access Requests. Stay Tuned!