
11/23/2018
09:05 AM
Joe Stanganelli

GDPR Presents New Challenges in Backup & Disaster Recovery Management

GDPR applies not only to primary systems, but also to backup and recovery systems. Cloud storage, combined with a modicum of common sense, may prove essential to helping with GDPR compliance for these systems.

It hardly takes a William Blackstone to figure out that the European Union's General Data Protection Regulation (GDPR) applies not only to primary work systems, but also to backup and recovery systems.

Although it is worded openly, with repeated use of the term "appropriate," Article 32(1) of GDPR specifically identifies business continuity and disaster recovery (BC/DR) concerns, including potential mandates for the abilities "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and "to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."

Moreover, to the extent that Article 32(1)(a) and other relevant portions of GDPR call for pseudonymisation (data masking) and encryption of personal data, a fairly obvious yet often overlooked consequence is that enterprises should apply the same masking or encryption to the copies of that data held in their backup systems. A backup is a full copy of the production dataset; it inherits the production sensitivity, and therefore the production controls.

The same could also be said for best practices in data stewardship -- and enterprises are still confused on these finer points.

Perhaps the seminal case study on how not to do BC/DR is Adobe's 2013 data breach, in which some 150 million account records were taken when an intruder accessed a backup authentication system that had been marked for decommissioning. Making matters worse, apparently figuring that the system was "just a backup," Adobe had not protected the account data on it to a reasonable standard: passwords were reversibly encrypted with a single key (3DES in ECB mode, which maps identical passwords to identical ciphertext) rather than salted and hashed, and password hints were stored in plaintext alongside them. An attacker who groups the records by identical ciphertext and reads the hints in each group can recover common passwords for whole groups of users at once.
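The following is an added example, not Adobe's code or anything from the article, showing why the two design choices above compound each other and what the salted-and-hashed alternative looks like. The user records are constructed sample data. Python's standard library has no block cipher, so a keyed HMAC with one server-wide key stands in for a single-key deterministic cipher such as 3DES-ECB; the property that matters for the attack, equal passwords producing equal stored values, is the same.

```python
"""Clustering a reversibly-encrypted password dump vs. per-user salted hashing.

Added illustration; not Adobe's code. The keyed HMAC below models any
deterministic single-key cipher (e.g. 3DES in ECB mode): same password in,
same stored value out. The user records are constructed sample data.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample dump, as a backup of an auth system might hold it:
# (email, password, plaintext password hint).
USERS = [
    ("alice@example.com", "123456", "numbers"),
    ("bob@example.com", "123456", "one to six"),
    ("carol@example.com", "password", "the word itself"),
    ("dave@example.com", "hunter2", "irc"),
    ("erin@example.com", "123456", "same as my pin"),
]

# The 'just a backup' design: one key for every user, no per-user salt.
SERVER_KEY = b"single-key-for-every-user"
PBKDF2_ROUNDS = 100_000


def deterministic_encrypt(password: str) -> str:
    """Stand-in for a single-key deterministic cipher: equal inputs, equal outputs."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()


def cluster_by_ciphertext(records):
    """Attacker's first move on the dump: group users whose stored value is identical.

    Returns {stored_value: [(email, hint), ...]} for every group of two or more.
    Every hint in a group describes the *same* password, so one guess unlocks
    the whole group.
    """
    clusters = defaultdict(list)
    for email, password, hint in records:
        clusters[deterministic_encrypt(password)].append((email, hint))
    return {ct: members for ct, members in clusters.items() if len(members) > 1}


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus a slow KDF: the form a backup should contain."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against a stored salt+digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def distinct_stored_values(records) -> int:
    """With per-user salts, the three '123456' users no longer share a stored value."""
    return len({salted_hash(password)[1] for _, password, _ in records})


if __name__ == "__main__":
    for ct, members in cluster_by_ciphertext(USERS).items():
        print(f"{ct[:16]}... shared by {len(members)} users; hints: "
              f"{[hint for _, hint in members]}")
    print("distinct salted hashes:", distinct_stored_values(USERS))
```

Run against the constructed dump, the deterministic scheme yields one cluster of three users whose hints ("numbers", "one to six", "same as my pin") together give the password away; the salted scheme yields five distinct stored values and no cluster to attack, and the hints, if kept at all, no longer cross-reference each other.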

Where GDPR is concerned, this sort of behavior falls under the category that EU Data Protection Authorities are perhaps most on the lookout for -- to wit: utter data malfeasance. When it comes to more nuanced applications of GDPR to BC/DR management, IT administrators and security pros should again look to GDPR's use of the word "appropriate." (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

And yet, many enterprises may be bringing more GDPR pain upon their data-storage practices than needed.

Appropriate & inappropriate sensitivities
To a certain extent, although many compliance-sensitive organizations may fail to realize it, object storage, whether on-premises or in the cloud, may address some of these GDPR compliance needs for BC/DR by virtue of how it lays data out. Linda Zhou, director of research and life sciences solutions at Western Digital, relayed that organizations that use object storage for sensitive yet large and unstructured datasets, like medical images, have an inherent degree of protection against physical access: objects are typically split into erasure-coded fragments spread across many drives, so a single drive carries only fragments that are useless on their own. That is a defense against a stolen drive, not a substitute for encryption at rest; an attacker with logical access to the object store still sees whole objects.

"If you go to the data center and you pull out one of the drives," Zhou told Security Now at the 2018 Bio-IT World Conference & Expo, "you won't get anything."

Nonetheless, continued Zhou, she is seeing and hearing from enterprises that are so hypersensitive about BC/DR compliance with GDPR that their concerns do not align with reality, to the point that enterprise organizations are insisting that their backups of EU-specific data reside not just in the EU, but in the same EU member state as their primary systems and data stores.

To be fair, some of this may be less about GDPR and more about compliance with EU member-state implementations of the EU's Directive on Security of Network and Information Systems ("NIS Directive"). After all, healthcare organizations, such as those Zhou may deal with, are categorized as potential "operator[s] of essential services" that are subject to elevated reporting and data-management requirements under the NIS Directive. (See EU's NIS Directive Compounding GDPR Burdens & Confusion.)

On the other hand (and particularly considering how much less attention the NIS Directive has received compared to GDPR), for European enterprises and organizations that service and partner with European enterprises, such worries about backup storage are just as much about conservative European sensibilities as they are about European legal frameworks. Consider that in its 2016 Cloud Services Trends survey of IT professionals -- conducted a few months before the EU even adopted GDPR in April 2016 -- Spiceworks reported that nearly 40% of European respondents indicated that their organization's policies dictated that all of their respective data must be located not just within the EU but in a specific EU country. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

"I think it's in part cultural," Steve Yemm, vice president of sales at laboratory-software firm BioData, told Security Now at Bio-IT World. "It's not concern about GDPR that's stopping biotechs from putting data in the cloud; it's an attitude of 'Well, we just have never done this before.'"

Accentuating access over possession
Regardless of where it is stored, however, organizations must practice discretion when it comes to what they back up. Beyond careless yet common data-protection practices such as those in the Adobe example, part of the whole reason we have GDPR is the everyday business practice of data over-retention. Over-retention presents a direct security risk in and of itself, privacy concerns and the European right to be forgotten aside: attackers can't compromise data you don't have. That applies doubly to backups, which tend to outlive the retention period of the production data they copy, and which cannot easily be scrubbed when a data subject asks to be erased. (See Four Enterprise Security Lessons From Maury.)
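Two controls follow from that paragraph: expire backup sets that have outlived the retention window, and make sure that restoring an older set does not resurrect records of subjects who have since exercised their right to erasure. The routine below is an added example, not from the article or any particular backup product; it assumes a backup catalogue that records when each set was taken and an erasure ledger of subject IDs (both constructed here), and it applies the ledger as a filter at restore time because immutable backup sets cannot be edited in place.

```python
"""Retention expiry for backup sets plus an erasure ledger applied at restore.

Added illustration. Assumes (constructed here) a catalogue mapping each backup
set to the date it was taken and the records it holds, and a ledger of subject
IDs whose erasure requests have been fulfilled.
"""
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed policy window; the real value comes from your retention schedule

# Constructed catalogue: set name -> (date taken, records in the set).
CATALOG = {
    "weekly-2018-07-01": (date(2018, 7, 1), [
        {"subject": "s1", "email": "a@example.com"},
        {"subject": "s2", "email": "b@example.com"},
    ]),
    "weekly-2018-09-01": (date(2018, 9, 1), [
        {"subject": "s1", "email": "a@example.com"},
        {"subject": "s2", "email": "b@example.com"},
        {"subject": "s3", "email": "c@example.com"},
    ]),
    "weekly-2018-11-01": (date(2018, 11, 1), [
        {"subject": "s1", "email": "a@example.com"},
        {"subject": "s3", "email": "c@example.com"},
    ]),
}

# Constructed ledger: subject -> date the erasure request was fulfilled in production.
ERASURE_LEDGER = {"s2": date(2018, 10, 15)}


def expired_sets(catalog, today, retention_days=RETENTION_DAYS):
    """Names of backup sets taken before today minus the retention window."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(name for name, (taken, _) in catalog.items() if taken < cutoff)


def prune(catalog, today, retention_days=RETENTION_DAYS):
    """Return a catalogue with expired sets removed (the delete step of the policy)."""
    gone = set(expired_sets(catalog, today, retention_days))
    return {name: entry for name, entry in catalog.items() if name not in gone}


def restore(catalog, name, ledger):
    """Restore a set, suppressing any subject present in the erasure ledger.

    Any ledger entry suppresses the record, whether the erasure happened after
    the set was taken (the set still holds the record) or before it (meaning
    the erasure never propagated to this copy, which is also a bug to report).
    Returns (records_to_load, suppressed_subject_ids, propagation_failures).
    """
    taken, records = catalog[name]
    kept, suppressed, propagation_failures = [], [], []
    for rec in records:
        erased_on = ledger.get(rec["subject"])
        if erased_on is None:
            kept.append(rec)
            continue
        suppressed.append(rec["subject"])
        if erased_on < taken:
            propagation_failures.append(rec["subject"])
    return kept, sorted(set(suppressed)), sorted(set(propagation_failures))


if __name__ == "__main__":
    today = date(2018, 11, 23)
    print("expired:", expired_sets(CATALOG, today))
    kept, suppressed, failures = restore(CATALOG, "weekly-2018-09-01", ERASURE_LEDGER)
    print("restored", len(kept), "records; suppressed", suppressed, "; propagation failures", failures)
```

The `propagation_failures` list is the useful by-product: a subject who was erased before a backup was taken but still appears in it is evidence that the erasure never reached the system that was backed up, which is exactly the kind of gap a DPA would ask about.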

There is also a secondary, indirect security risk to data over-retention: a poorly conceived, poorly maintained secure development lifecycle (SDLC). As various business units have grown data-gluttonous, enterprises have grown lax in maintaining their SDLCs, so that copies of production data accumulate in systems nobody is actively securing or decommissioning, broadening the attack surface for that data (as seen in Adobe's case, where the exposed copy sat on a system that was supposed to have been retired).

Funnily enough, addressing the problem of data hoarding is where the Internet of Things (IoT) -- long criticized for security and privacy failings -- can come in handy. We have long since transitioned from the Information Age to what has been called "the Systems Age." (See IoT Regulation Could Save the Internet.)

This means that -- because of how commoditized data has become, and how easy and ubiquitous data access has similarly become because of the proliferation of IoT and cloud computing alike -- business success is no longer about who has the most data. Instead, the spoils of agility go to those enterprises that (1) have the best access to data and (2) stay lean by disposing of and declining to retain data, instead relying on that ready data accessibility whenever it is needed.

GDPR itself emphasizes the management of data access over data ownership. After all, the underlying philosophy driving GDPR is that human data subjects, not enterprises, hold the rights over their personal data; the enterprise is a custodian that must justify each copy it keeps, backups included.

— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer and speaker. Follow him on Twitter at @JoeStanganelli.
