Tackling GDPR compliance goes way beyond changes to database security. To help simplify compliance, organizations must consider data being handled in production systems that’s often far more vulnerable than stationary warehoused information. That starts with systems that have robust security controls implemented with GDPR in mind.
When we think about the General Data Protection Regulation (GDPR) and addressing compliance, it’s often easy to simply think about large volumes of data residing in databases and warehouses. But in reality, that’s only half the picture.
Only a relatively small amount of your data exists in the database, with the rest being handled in your production systems. Here, it’s often far more vulnerable to malicious attacks and breaches.
To make sure that you cover all bases as part of your GDPR compliance efforts, you need to look beyond databases, and also take a systems-focused approach to data security. Having the right robust and secure systems in place could make the difference between mitigating the risk of a data breach and being extremely vulnerable to attack.
In this blog, I’ll outline 4 key things that I believe systems need to support, enable, and deliver for midsized companies in order to help simplify and streamline GDPR compliance.
1. Confidentiality (making sure data is only accessible on a need-to-see basis)
Ensuring data is only accessible by those who actually need it makes up an important part of mitigating the risk of a data breach under GDPR. The fewer people with access to a particular set of data, the less likely it is to be compromised – and the easier it is to track down the source in the event of a breach.
Robust policies can help you control access, but alone, they will only go so far. To enable deep confidentiality, your systems need to be able to encrypt and decrypt data automatically, without consuming CPU performance.
Oracle’s SPARC CPUs contain crypto cores that offload and handle decryption workloads, designed to ensure that security doesn’t compromise performance. The process is simple: flip the switch and enable greater security through in-hardware encryption.
In addition, role-based access helps you control who can see what, and helps you track access – something that’s also incredibly important when it comes to meeting the GDPR requirements around accountability.
Controls can even be taken a step further using time-based access. This enables you to set hard-and-fast policies for who can edit what – and, crucially, when. This is particularly useful for minimizing the risk of the nightmare scenario of an out-of-hours breach, when systems are at their most vulnerable.
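To make the role-based and time-based controls above concrete, here is an added example (not code from the original post or from any Oracle product) of a small policy engine that grants an action only when the user holds a role that permits it and the request falls inside that role's permitted hours, and that records every decision for accountability. The policy, roles, users and time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Rule:
    """One grant: a role may perform `actions` on a data set between `start` (inclusive)
    and `end` (exclusive). Windows are assumed not to wrap past midnight in this toy model."""
    role: str
    actions: FrozenSet[str]
    start: time
    end: time


# Constructed policy: per data set, which roles may do what and when.
POLICY: Dict[str, List[Rule]] = {
    "customer_records": [
        Rule("support_agent", frozenset({"read"}), time(8, 0), time(18, 0)),
        Rule("data_admin", frozenset({"read", "edit"}), time(9, 0), time(17, 0)),
    ],
}

# Constructed role assignments (hypothetical users).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"support_agent"},
    "bob": {"data_admin"},
}

# Every decision, allowed or denied, is appended here; in a real deployment this
# would be forwarded to a separate log collector rather than kept in memory.
AUDIT_LOG: List[str] = []


def is_allowed(user: str, action: str, dataset: str, now: datetime) -> bool:
    """Return True only if some rule for `dataset` matches one of the user's roles,
    permits `action`, and is in force at the wall-clock time `now`."""
    roles = USER_ROLES.get(user, set())
    decision = False
    for rule in POLICY.get(dataset, []):
        in_window = rule.start <= now.time() < rule.end
        if rule.role in roles and action in rule.actions and in_window:
            decision = True
            break
    AUDIT_LOG.append(
        f"{now.isoformat()} user={user} action={action} dataset={dataset} allowed={decision}"
    )
    return decision


if __name__ == "__main__":
    # A data admin editing at noon succeeds; the same edit at 20:00 is refused.
    print(is_allowed("bob", "edit", "customer_records", datetime(2018, 5, 25, 12, 0)))
    print(is_allowed("bob", "edit", "customer_records", datetime(2018, 5, 25, 20, 0)))
    print("\n".join(AUDIT_LOG))
```

The deny-by-default loop is the important design choice: an unknown user, an unknown data set, an action outside a role's grant, or a request outside the window all fall through to `False`, and the audit entry is written regardless of the outcome.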
2. Integrity (accounting for data and tracking modifications)
We’re creating more data than ever before, much of which needs to be accessed and altered on demand. With such a huge volume of data requests happening 24/7/365, traditional approaches to file integrity checking simply aren’t up to the task.
Oracle ZFS storage systems, for example, use end-to-end checksums to detect and correct silent data corruption. If a disk returns bad data transiently, ZFS will detect it and retry the read. If the disk is part of a mirror or RAID-Z group, ZFS will both detect and correct the error: it will use the checksum to determine which copy is correct, provide good data to the application, and repair the damaged copy.
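The end-to-end checksum mechanism described above can be shown in miniature. The following is an added example, not ZFS code and not from the original post: a two-way mirror stores a checksum of each block alongside the block pointer, verifies every copy against it on read, serves the first copy that matches, and rewrites any copy that does not. SHA-256 is used here as the checksum purely for illustration; the `Disk` and `Mirror` classes and the sample payload are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional


def checksum(block: bytes) -> str:
    # Assumed checksum for the example; the exact algorithm is not the point,
    # only that the checksum is kept with the pointer, not with the data.
    return hashlib.sha256(block).hexdigest()


class Disk:
    """A trivial block device that returns whatever it holds, correct or not."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.blocks: Dict[int, bytes] = {}

    def write(self, blk_id: int, data: bytes) -> None:
        self.blocks[blk_id] = data

    def read(self, blk_id: int) -> bytes:
        return self.blocks.get(blk_id, b"")


class Mirror:
    """Mirror whose block pointers carry the checksum of the data they reference,
    so silent corruption on any member is detected end to end and repaired."""

    def __init__(self, disks: List[Disk]) -> None:
        self.disks = disks
        self.pointers: Dict[int, str] = {}
        self.repairs: List[str] = []

    def write(self, blk_id: int, data: bytes) -> None:
        self.pointers[blk_id] = checksum(data)
        for disk in self.disks:
            disk.write(blk_id, data)

    def read(self, blk_id: int) -> Optional[bytes]:
        """Return verified data, healing bad copies; None if no copy verifies."""
        expected = self.pointers[blk_id]
        good: Optional[bytes] = None
        bad: List[Disk] = []
        for disk in self.disks:
            data = disk.read(blk_id)
            if checksum(data) == expected:
                if good is None:
                    good = data
            else:
                bad.append(disk)
        if good is None:
            # Every copy is corrupt: report the unrecoverable error rather than
            # hand bad bytes to the application.
            return None
        for disk in bad:
            disk.write(blk_id, good)
            self.repairs.append(f"repaired block {blk_id} on {disk.name}")
        return good


def demo_silent_corruption() -> Optional[bytes]:
    """Constructed scenario: one mirror member returns garbage for a block."""
    d0, d1 = Disk("disk0"), Disk("disk1")
    mirror = Mirror([d0, d1])
    mirror.write(7, b"customer record payload")
    d1.blocks[7] = b"customer record payloaX"  # a single flipped byte on disk1
    return mirror.read(7)


if __name__ == "__main__":
    print(demo_silent_corruption())
```

Note the contrast with per-disk integrity checks: the disk itself reported no error, yet the read still comes back correct because verification happens against a checksum the disk does not control, and the damaged copy is rewritten as a side effect of the read.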
3. Availability (ensuring data is always available on-demand)
The GDPR requires you to ensure that data you hold on individuals is conveniently available at all times. But this can be particularly difficult to ensure if you’re struggling to maintain system availability.
Fortunately, modern systems have made processes such as patching (that can cause system downtime) much easier. For instance, Oracle SPARC systems running Solaris enable you to take snapshots of production environments. These snapshots can then be used to test and experiment with patches and changes, and can be instantly rolled out as a new production environment.
The result: no downtime to apply the patch, fewer instances of patching errors in production environments, and ultimately, greater system and data availability.
4. Accountability (knowing who’s done what, when)
Proving who is accessing and using data, and reporting on that to provide accountability has been security best practice for years. But with the arrival of GDPR, it’s now a real obligation.
In today’s evolving threat landscape, modern systems not only need to log every activity, they must have remote logging enabled, meaning all logs are sent to another center so that they can’t be modified. The upshot is that if someone breaches the system, it’s very difficult for them to cover their tracks.
GDPR security compliance should be no different to data best practice
Systems are an important part of the compliance puzzle. Indeed, having the right systems capabilities and procedures in place can go a long way towards facilitating compliance with GDPR’s security requirements, and can simplify many of the most complex parts of the puzzle. What’s more, it’s vitally important to enable security best practice in your organization, which ultimately is what GDPR is all about.
So as you prepare your organization for GDPR compliance, think beyond your databases and consider how more sophisticated and secure systems could help you adopt a holistic approach to compliance and data security.