Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
01:43 PM
Giorgio Regni
Giorgio Regni
News Analysis-Security Now

Are You Ready for GDPR?

Multi-cloud and software-defined storage solutions may ease the way to GDPR compliance.

Cybersecurity is a hot topic. Most of the headlines focus on massive data breaches and foreign state-sponsored hacking. The true scope of damages caused by cyber incidents is starting to sink in for everyone from CEOs to casual consumers. The loss of control over one’s personal data is an alarming consequence, and governments are responding by holding organizations accountable for protecting their users’ private information. The EU’s General Data Protection Regulation (GDPR) is the most far-reaching of these efforts. Set to take effect in less than a year (May 25, 2018), the legislation is intended to fortify and harmonize data protection for all individuals in the European Union.

The global impact of GDPR
The impact will be felt far beyond the EU, however, and businesses must start preparing now if they hope to continue serving EU customers online. The requirements are extensive, and the potential penalties are heavy. The maximum fine for serious infringements is € 20 million (approximately $22.3 million) or 4% of worldwide revenue, whichever is higher. For large multinational corporations, such penalties could reach billions of dollars. Fines are tiered, but even a 2% penalty for failure to conduct assessments, report breaches or keep sufficient records could be very costly.

How far do you have to go?
The UK’s Information Commissioner’s Office has published a concise summaryof the primary preparations companies need to make to be compliant.

Big Internet players have long understood that data privacy and cybersecurity are complementary efforts, and may only need to tweak their privacy policies and processes in order to be GDPR compliant. However, businesses of all sizes and types continue to neglect the baseline security practices, and do not have a firm grip on where all their user data resides, who can access it and how it was obtained and processed. If you don’t know everything about your data assets, they are inherently vulnerable.

Moreover, failure to encrypt, monitor and defend data depositories is also rampant. This is evident in the rapid spread and alarming impact of ransomware like WannaCry as well as the recent negligent exposure of the Republican National Committee’s mega database (nearly 200 million records of potential voters) by one of their contractors. A Veritas survey found that worldwide, less than a third of global companies are prepared to meet the minimum GDPR standards; there is clearly a lot of work to do.

The multi-cloud approach
Making diligent efforts to implement and enforce strong data security and privacy policies across the enterprise is a good starting point. Investing in next-generation software defined data storage and data management technology is fundamental.

This is one of the reasons that multi-cloud strategies are becoming more common. Heeding the adage "don't put all your eggs in one basket," companies focused on improving data security, resiliency and availability across multiple locations are adopting multi-cloud infrastructure. This allows companies to use on-premise storage and public cloud services as they fit best, enhancing workflows by seamlessly moving data between clouds and leveraging the most effective services available within each cloud.

Storing and managing vast amounts of unstructured data has been made easier and even more secure with recent advances in software defined filesystem and object storage technology and S3 data services. Implementing these distributed, ultra-secure storage solutions increases performance, extends capacity, enables unprecedented scalability and provides greater location control. Versioning and WORM capabilities prevent accidental overwrites and enables tighter control over access rights and retention policies, important for data integrity and GDPR compliance.

You're invited to attend Light Reading's 11th annual Future of Cable Business Services event. Join us in New York on November 30 for the premier independent conference focusing on the cable industry's continuing efforts in the commercial services market – all cable operators and other communications service providers get in free.

Moreover, multi-cloud can help achieve compliance due to compliance certifications being achieved by certain cloud vendors, such as for HIPAA and SEC in the AWS cloud. In addition, compliance can be achieved through, multi-location (regional) data placement control to ensure data sovereignty (maintaining certain data "in country"), which helps compliance with GDPR locality requirements.

An opportunity to do data (and business) the right way
In the end, while compliance GDPR requirements will challenge most companies and seriously burdensome, it should be viewed as an opportunity. Experts go so far as to say that the EU’s GDPR will save the Internet. The requirements essentially add up to best practices for data management that all controllers and processors of personal data should be adhering to already. The potential fines are serious enough to grab executive and board attention and garner more resources for IT security and data management teams. A recent PwC survey found that almost all companies they polled (200 companies with more than 500 employees each) consider GDPR preparations a top priority and a majority (77%) plan to spend at least $1 million on GDPR compliance.

GDPR presents the strongest justification in many years for upgrading data storage infrastructure and management technology. In her Internet trends report, Mary Meeker highlighted a Bain survey that found top concerns about cloud computing are shifting as the technology becomes more widely trusted. While data security is still a top concern, it is less so than in previous years; concerns about compliance/governance and vendor lock-in, however, are rising significantly (see slide 183).

Data is the lifeblood of modern business and government. Well-managed data protected by visibly conscientious data privacy programs has proven to be a competitive advantage and differentiating factor. Compliant companies, especially big Internet players like Microsoft, Google, Cisco and Amazon already know this, and it is evident in their growth and success. They understand the intersection of privacy and security: Data is viewed as a critical asset, it's a constant board-level discussion and they have a lot of people working on it, from legal to engineering. They started several years ago, building in privacy controls, features and protocols.

The biggest Internet players have vast resources; smaller organizations playing catch-up have to be smart and deliberate about their next moves. With strategic investments in multi-cloud infrastructure and software defined storage solutions, companies can grow their data-driven business and programs with confidence, knowing that essential data is securely encrypted, disaster proof and highly available. They won't be locked in to vendors or proprietary hardware, and can procure the best solutions and services for diverse computing needs, partners and customers. With this approach and diligent attention to specific GDPR preparations on the business side, organizations will be ready for May 2018 and poised to reap the many rewards of robust and resilient data storage and management.

Related posts:

— Giorgio Regni is Scality's Co-Founder and Chief Technology Officer. He oversees the company's development, research and product management. He is a recognized expert in distributed infrastructure software at web scale, and has authored multiple US patents for distributed systems.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...