Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/3/2018
10:30 AM
Rick Bilodeau
Rick Bilodeau
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

GDPR Requirements Prompt New Approach to Protecting Data in Motion

The EU's General Data Protection Regulation means that organizations must look at new ways to keep data secure as it moves.

The EU's General Data Protection Regulation (GDPR) will take effect on May 25, a response to data breaches and demands for greater oversight relating to security of personal identifiable information (PII). As shown by the recent Equifax and Cambridge Analytica debacles, the risks to PII are real as digital transformation makes all interaction data usable and the Internet of Things (IoT) causes an explosion of new data sources.

GDPR is the latest of numerous laws around the use of PII. These laws often vary by jurisdiction, industry, and data type, making for a complex puzzle for enterprise data governance. For companies with large global customer bases, compliance with the strictest regulation across the customer base ends up being the prudent course, as it can be difficult to apply only geographic-specific restrictions to PII.

Adding to this complexity is the fact that digital data takes many forms. Efforts to analyze data to improve the business end up distributing PII throughout the enterprise. This business imperative to move and change data means that organizations must look at novel ways to keep it safe and secure.

This complexity bears itself out with the Gartner prediction that by the end of 2018, more than one-half of organizations affected by GDPR won't be in compliance. Given the high stakes of noncompliance, organizations must have technology and processes in place to protect PII.

Keeping the Genie in the Bottle
Many organizations already have solutions that scan for and protect personal "data at rest." However, in the time between when the data arrives and when it's masked or encrypted, it might have already been shared. And, with the growth of real-time stream processing, the time between arrival and sharing compresses to almost nothing. In short, the genie may be out of the bottle before you even know you have PII. 

Additionally, any arriving PII is moved across data stores and computing platforms for a valid business reason and to be available for use. A balance must be established between data protection and data availability. This balance can be achieved through governance zones that allow different levels of access based on the type of data and the type of user; however, achieving this adds another layer of complexity to data protection and compliance.

The problem of big data sources and data drift (where fields are added or data types are changed without notice) further complicates matters. New data sources such as IoT devices, API data, and log files are added all the time in the name of digital transformation and business agility, and they may include PII. Plus, many of these data sources that are governed by others or loosely governed — such as unstructured data sources — are subject to data drift. As a result, a data protection solution that is compliant on day 1 may be noncompliant by day 3.

Data Protection Should Start When Data Is Born
The pressures of real-time data, data sharing, and data drift mean that sole reliance on "scan at rest" across every data store is risky. Discovering PII and mitigating compliance exposure must start at the point of data ingestion. A multilayered strategy that includes both incoming pathways and the data stores is optimal.

First, inspect for patterns in the live data because your chief vulnerability is around sensitive data that you don't expect to see but arrives because it's impossible to keep track of all data efforts across the company, or simply because of data drift. To catch this data, you must scan the contents of your data flows, inspect the data, and compare it to known or likely PII patterns. Some form of probabilistic match capability will allow you to catch patterns and those that may be new or specific to your industry or company.

Second, you must be able to act on that data as soon as the PII pattern is detected and have a wide variety of actions to take. Then you can customize the approach based on the potential uses of the data.

Third, due to the need to classify the use of different data types as well as different user groups, the ideal approach should be based on centrally driven policy management that is integrated with how you protect data at rest to ensure completeness. Enterprise risk teams should set up security service-level agreements for data and expect the system to alert on violations and stop insecure data delivery before it happens.

Tooling > Coding
Monitoring and discovering sensitive data in stream can be very difficult. As GDPR takes effect, solutions must mature from ad hoc or DIY approaches focusing on data at rest to tooling that can discover and track data starting with its first appearance. Moving protection from data stores out to first detection is a critical step that will help ensure the integrity and security of PII.

Related Content:

Rick Bilodeau is a marketing leader with deep experience with enterprise data, networking, and security innovators. Before joining StreamSets, Rick led outbound marketing functions for B2B technology companies Qualys (IT security), iPass (enterprise mobility), and 3Com ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...