GDPR and the cloud: three main features

New consumer protection legislation, including the General Data Protection Regulation (GDPR) adopted by the European Union a year ago, or the new California Consumer Privacy Act (CCPA), offer consumers additional protection, guaranteeing the confidentiality of their data and helping to prevent problems related to data theft or misuse. To do this, the laws define the concepts of personal data or personally identifiable information (PII), establish uniform compliance standards that are mandatory for all organizations, and if organizations fail to protect the personal information of their customers, the law provides for severe penalties.

At the mercy of users

Among the most important advantages of the new legislation are a clear and unambiguous definition of what is meant by personal data; detailed rules on how this data can and cannot be used by any organizations doing business in a particular region-where citizens live, work or visit, including remotely; an explicit definition of what constitutes a personal data leak, as well as uniform standardized requirements for notifying users of such leaks; and providing users with full control over how their personal data is used and stored.

The GDPR provides a more General and broad interpretation of personal data than in previous attempts by lawmakers, including definitions of IP addresses, biometric data, mobile device identifiers, and other types of data that can potentially be used to identify individuals, determine the location of users, or track their activities. In the CCPA law, this definition is even broader, in particular, such things as geolocation data and information about purchases, views and search history were added.

Алексей Андрияшин, технический директор Fortinet в России About the author:

Alexey Andriyashin, technical Director of Fortinet in Russia

According to Wikipedia: Fortinet is an American multinational Corporation specializing in the development and promotion of software, solutions and services in the field of information security: firewalls, antivirus programs, intrusion prevention systems and endpoint security, and other products. In terms of revenue, the company ranks fourth among all companies specializing in network security.

Moreover, organizations that are subject to the new legislation are required not only to obtain explicit consent from citizens to preserve and use their personal data, but also to comply with their "right to be forgotten" – which allows individuals to require the organization to delete any personal data about them, whatever the reason.

Data privacy and the cloud

The difficulty lies in the fact that in today's highly distributed networks, cloud data can be copied many times and located almost anywhere. The recent rapid transition to multi-cloud networks, platforms, and applications further exacerbates the situation. To meet the requirements for sensitive data in such environments, organizations are forced to implement security solutions that cover the entire distributed network in order to centralize management and ensure transparency. This allows organizations to ensure consistent data protection and enforcement of appropriate policies, detect and report cyber incidents, and delete all instances of personal data at the request of customers.

To do this, you must adhere to the following three basic principles:

1. Security solutions must work in multi-cloud environments. Security standards should be applied comprehensively across the entire distributed infrastructure. Although data privacy laws may apply to a particular region, cloud technologies allow data to easily cross these boundaries. Policies and protections for data hosted in a physical data center that is subject to regional legislation must "follow" this data as it moves in the cloud or to other data centers, for as long as it is located within that region.

Thus, there are two problems that need to be solved.

  • First, you need a mechanism that allows you to track each instance of this data, especially when it gets into different applications or moves between workloads. Data tends to multiply, and you need a way to manage all this information.
  • Second, you will need to ensure consistent segmentation across the entire distributed infrastructure. Difficulties arise when security policies are applied only in a separate physical or cloud environment, and security solutions, due to the fact that the requirements in each cloud environment differ, are not able to provide comprehensive implementation of these policies or the necessary functionality. Security tools should be natively integrated into cloud platforms to enable segmentation of multi-cloud environments, and security policies should be translated on the fly to account for differences in cloud platforms as data moves. And data centers located elsewhere in the world must support these new security requirements, otherwise they may become a weak link in the security chain.

2. You must use technologies to prevent data leaks. To track and manage personal data, you need to implement data loss protection (DLP) technologies that can be used as embedded solutions (inline) or at the level of cloud infrastructure APIs. Such solutions should be able to identify, track and maintain a "register" of all personal data. Here are some key principles to follow when working with and sharing personal data:

  • DLP monitoring should start from the point of receiving or creating any personal data.
  • Data that contains personal information and is used by applications or users must be monitored and monitored to ensure that this data is accessed and processed with the appropriate level of protection.
  • It is necessary to ensure the protection of data to be transferred, especially when they move between different applications or cloud environments.
  • You need to monitor and protect your stored data, regardless of whether it is hosted in the cloud or on a physical point.
  • DLP technologies must also track different versions of this data, or even fragments of this data, when they are copied or used by different applications or stored in different locations.

3. Reporting on compliance must have centralized management. Compliance reporting should be conducted across the entire distributed infrastructure. As with other requirements, it requires close integration with the entire cloud and on-premises security infrastructure. To do this, you need to implement a centralized management and orchestration solution, such as SIEM, or implement any other single management console that provides full transparency across the entire multi-cloud infrastructure and the entire security infrastructure. This will avoid manual comparison of data from multiple systems – it is at these moments that something can be overlooked, which can result in serious fines during the audit.

Instead of passive solutions to implement integrated strategies, operating ahead of the curve

The best approach to security is to stop an attack even before it has been launched, and limit its scope in the event of a leak. To do this, organizations must use certain technologies and policies, such as:

  • State-of-the-art threat prevention and detection tools, including rapid threat analysis technologies, enhanced access control, behavioral analysis tools, and ATP solutions that allow them to be fully prepared in the event of leaks.
  • Intent-based network segmentation, both of the network itself and micro-segmentation, to limit the scope of a leak to a specific data set or network segment.
  • Integrated security solutions that can interact closely with each other, share accumulated threat data, and coordinate responses to threats. These tools should be natively integrated with the API and infrastructure of various cloud environments, allowing you to monitor policy implementation and respond consistently to network-wide leaks.
  • DLP solutions allow you to monitor data and prevent unauthorized access, use, or transfer of data, regardless of where the data is used, where it is transmitted, or where it is stored. For these solutions, an important aspect is the ability to exchange information between different secure infrastructures.
  • Centralized management tools that provide a single point of transparency and management of all data, which will ensure consistency of policies and configurations, leak detection and appropriate reporting, compliance with consumer requests, and consistency and completeness of compliance reporting.

With proper understanding of the regulations in relation to data privacy does not only protect consumers ' personal data, but also allow you to raise the security bar for the entire organization. This forces organizations to go back to the beginning, rethink processes and policies, identify and address gaps, and centralize their management tools and transparency solutions. Many of these basic security principles have been overlooked in the race for digital transformation, and this is a good reason to regroup, rethink, and rebuild the security of your infrastructure.

Alexey Andriyashin

Read also:

Healthcare and ransomware: how to protect your organisation

Ransomware attacks are on the rise. After a surge in remote working and with employees accessing organisational networks in ways that aren’t always perfectly secured, cybercrime has spiked over the past few months as malicious parties have ta...