European Union regulators recently passed new rules for shielding data from cybercriminals. Every company that operates in the EU or does business with EU citizens must comply, which is virtually every mid-to-large sized company in the world.
Known as the General Data Protection Regulation, or GDPR, this package of new laws gives greater control to consumers, requires faster notification in the event of a breach, and greatly increases fines for violations. Companies are also required to name "data protection officers" who are responsible for checking compliance and advising on changes.
GDPR requirements aren't due to become effective until 2018, but it's never too soon to start preparing for these regulations, because changes will take time. Getting smarter about data encryption is the place to start.
Why encryption and not better network safeguards? The majority of cyber criminals are after the sensitive data itself, and the traditional network perimeter is disappearing in the age of IoT and the cloud. Defining the right perimeter to defend has become all but impossible in the current era.
It's impossible to build sturdy walls around data – a better approach is to add locks to the data, ensuring only those with the right keys can access an enterprise’s sensitive information. A data-centric approach to security that encrypts the data throughout its lifecycle is critical to keeping this information secure.
In addition, the GDPR has expanded the definition of sensitive information. Under the new rules, everything from people’s location to their genetic markers is now deemed personally identifiable information (PII). Names and account numbers are just the tip of the iceberg, which makes sense when considering the rising influence of Big Data and analytics tools; the more data there is to analyze, the more data there is to protect.
As a result, IDC projects that total GDPR-related security software spending in Europe will reach $811 million in 2016, $1,335 million in 2017, and $1,713 million in 2018.
A good chunk of that spend could go to beefing up existing encryption and key management techniques.
Consider disk encryption. Many hardware devices are now protected with a style of encryption that turns the contents of a drive into unreadable data by default. Only when a password is given is the real information revealed. Databases can be encrypted the same way, unlocked only by cryptographic keys that are the counterparts of the algorithm used to encode the data.
This can be an excellent approach for safeguarding information that is permanently archived, as long as keys are managed and protected in an infrastructure-level secure key manager.
For information needed for real-time decisions that can affect retention, profit, and cash flow, the act of decrypting data wholesale -- even for a few seconds -- can make it vulnerable to a breach. Therefore, approaches such as stateless tokenization and Format-Preserving Encryption (FPE) provide data security at the data level without breaking existing business processes or impeding business analytics and decisions.
How does this work? FPE securely de-identifies and encrypts the sensitive data without changing its format: a 16-digit account number encrypts to another 16-digit number, so the field still fits every schema, validation rule, and report that expects that shape. This means that with stateless tokenization and FPE technologies, organizations can perform complex analytics on sensitive personally identifiable information (PII) while addressing the GDPR guidelines.
As an example, imagine a company that wants to run analytics on an encrypted customer database with a number of sensitive fields while keeping the data secure and anonymous. By using FPE to de-identify names and account numbers, while keeping visible location data, average spend, and other key metrics, the company can provide insights to partners without compromising sensitive customer data. Also, since there is no need to decrypt, there's no new vulnerability for an attacker to exploit.
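The following is an added example, not code from the article or from HPE's own FPE products, that shows the idea behind the customer-database scenario above. It uses a simplified Feistel-network construction over a chosen alphabet (the same general pattern the NIST FF1 mode is built on, but not FF1 itself, so it should be read as an illustration rather than a production cipher). The key, the field tweaks (`b"name"`, `b"account"`), and the customer records are all constructed for the demo; note that a partner can total spend per customer on the pseudonymized records without ever holding the key or decrypting anything.

```python
import hashlib
import hmac

DIGITS = "0123456789"
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROUNDS = 10  # must be even so the two halves end up back in their starting positions

# Constructed demo key; a real deployment would fetch this from a key manager.
KEY = hashlib.sha256(b"constructed demo key for the FPE example").digest()


def _to_int(s, alphabet):
    """Interpret a string as a base-len(alphabet) number."""
    radix = len(alphabet)
    n = 0
    for ch in s:
        n = n * radix + alphabet.index(ch)
    return n


def _from_int(n, length, alphabet):
    """Render n as a fixed-length string over the alphabet (left-padded)."""
    radix = len(alphabet)
    out = []
    for _ in range(length):
        out.append(alphabet[n % radix])
        n //= radix
    return "".join(reversed(out))


def _round_function(key, tweak, i, half):
    """Keyed pseudo-random function for one Feistel round (HMAC-SHA256)."""
    msg = tweak + bytes([i]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key, plaintext, tweak=b"", alphabet=DIGITS):
    """Encrypt plaintext to a ciphertext of the same length over the same alphabet."""
    if len(plaintext) < 2 or any(c not in alphabet for c in plaintext):
        raise ValueError("input must be at least 2 symbols, all from the alphabet")
    u = len(plaintext) // 2
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = len(a)
        c = (_to_int(a, alphabet) + _round_function(key, tweak, i, b)) % (len(alphabet) ** m)
        a, b = b, _from_int(c, m, alphabet)  # swap halves, replace the old left half
    return a + b


def fpe_decrypt(key, ciphertext, tweak=b"", alphabet=DIGITS):
    """Run the Feistel rounds in reverse to recover the plaintext."""
    u = len(ciphertext) // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        c = (_to_int(b, alphabet) - _round_function(key, tweak, i, a)) % (len(alphabet) ** m)
        a, b = _from_int(c, m, alphabet), a
    return a + b


# Constructed customer records: two rows belong to the same account.
SAMPLE_RECORDS = [
    {"name": "ALICE", "account": "4111111111111111", "city": "Berlin", "spend": 120},
    {"name": "BOB", "account": "5500000000000004", "city": "Paris", "spend": 75},
    {"name": "ALICE", "account": "4111111111111111", "city": "Berlin", "spend": 30},
]


def pseudonymize_records(key, records):
    """Replace the PII fields with FPE tokens; leave the analytic fields visible.

    A per-field tweak means the same digits in different columns encrypt differently.
    """
    return [
        {
            "name": fpe_encrypt(key, r["name"], b"name", LETTERS),
            "account": fpe_encrypt(key, r["account"], b"account", DIGITS),
            "city": r["city"],
            "spend": r["spend"],
        }
        for r in records
    ]


def spend_by_account(records):
    """Group-by that works identically on plaintext or tokenized account numbers."""
    totals = {}
    for r in records:
        totals[r["account"]] = totals.get(r["account"], 0) + r["spend"]
    return totals


if __name__ == "__main__":
    tokenized = pseudonymize_records(KEY, SAMPLE_RECORDS)
    for row in tokenized:
        print(row)
    print("spend per (tokenized) account:", spend_by_account(tokenized))
```

Two properties of this construction are worth understanding before relying on anything like it. The encryption is deterministic, which is exactly what lets the partner join and group on the token, but it also means equal plaintexts always produce equal tokens, so frequency analysis on a column with few distinct values is still possible; FPE is a pseudonymization control, not a substitute for access control on the key. And very short fields live in a small domain that an attacker with the key service could simply enumerate, which is why the NIST FF1 specification imposes a minimum domain size.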
Never in the history of computing has data been more widely available or more valuable. The GDPR recognizes this truth and creates new requirements for EU companies to safeguard sensitive information.
But in a global economy, everyone has a responsibility to protect data. As such, many organizations will be required to enact some or all of the GDPR requirements before they become active in 2018. Don't wait. The sooner a strategy for complying with the GDPR is in place, the more customers will trust you with their data.
Terence Spies is Distinguished Technologist for HPE Security – Data Security at Hewlett Packard Enterprise.