GDPR AN ACTION PLAN FOR CLOUD READINESS

Transcription

1 GDPR AN ACTION PLAN FOR CLOUD READINESS

2 TABLE OF CONTENTS 1.1 Data in the Clouds; Compliance on the Horizon 1.2 GDPR Changes Compliance Globally 1.3 Data-Centric Action Plan for Addressing GDPR in Cloud Apps (SaaS) 1.4 Moving Toward GDPR Compliance 1.5 Your 12 Month Roadmap to GDPR Compliance Glossary 29

3 DATA IN THE CLOUDS; COMPLIANCE ON THE HORIZON With less than a year left until the May 2018 deadline for compliance with the General Data Protection Regulation (GDPR), security and compliance leaders are looking for smart strategies to prepare their organizations and reduce their exposure to GDPR sanctions. The GDPR s mandate that businesses of respondents said more than 50 percent of their applications are public SaaS applications. The quantify, but it s safe to assume that it s large. For a single organization there may be dozens of cloud applications, hundreds of data types and thousands of customers.

4 03 CipherCloud has extensive institutions, healthcare organizations, government agencies, and other highly regulated industries protect sensitive cloud data and maintain compliance. The action plan presented here draws on this expertise to help security and compliance leaders develop a strong foundation for meeting important components of GDPR compliance. Using this plan, organizations can elevate compliance and data protection to key enablers of cloudbased SaaS services and fully reap

5 GDPR CHANGES COMPLIANCE GLOBALLY The GDPR focuses on protecting the privacy and personal data of European citizens, regardless of where their personal data exists in the world. It goes beyond existing EU data protection laws to include all foreign entities processing EU citizen data. Although most organizations have already been down the road of compliance with a myriad of national and international regulations, the GDPR stands out for It also expands the scope and complexity of data protection by encompassing not only data within the organization but also data in the cloud that can easily cross national boundaries.

6 05 Examples of Global Data Protection Laws

7 As the ultimate controller of sensitive customer information, the organization bears full responsibility for protecting data in the cloud, regardless of whatever data protection controls or guarantees SaaS providers may offer. Because it focuses on protecting the privacy of individuals data instead of protecting where data resides, the GDPR may require substantial changes to processes, systems, and policies within many organizations. 06

8 07 The following GDPR requirements have particular relevance to organizations that use SaaS or other cloud services: Privacy protection by design and by default This concept refers to building in privacy protection during the development of business processes and maintaining it throughout the data lifecycle; in essence, compliance with this requirement mandates the default. Although the GDPR does not explicitly state which practices should be used to comply with this requirement, examples include minimizing the processing of personal data, pseudonymizing personal data as soon as possible in the data lifecycle (i.e., before it moves beyond the organization), encrypting the data locally, and keeping decryption keys separate from where the encrypted data is stored. Pseudonymization Pseudonymization is an important strategy for minimizing the risk of data leaks, helping controllers meet their data-protection obligations, and avoiding or encrypted data that cannot be deciphered without access to a separate key or secret. If personally techniques such as encryption or tokenization), it is not subject to GDPR controls and penalties. However, compliance requires that the key to unlock the data be stored separately and held exclusively by the controller.

9 08 Right to be erased / forgotten of a data breach within 72 hours if breached data is required if breached data is adequately pseudonymized (i.e., encrypted or tokenized) or anonymized to make the personal data unrecognizable. Organizations can avoid pseudonymization or anonymization to limit the scope Many SaaS providers maintain customer data services. Organizations need to know where personal data exists in order to ensure its removal or protect it in a way that complies with this GDPR requirement. They can use encryption to digitally shred legacy information in cloud applications, if the keys are destroyed, or not made accessible to the data processor.

10 09 GDPR AT A GLANCE Impacts any company that handles EU citizen data Focuses on data protection and personal privacy Encompasses SaaS and other cloud-based services Gives data subjects the right to be erased/forgotten Recommends pseudonymization to reduce scope of exposure Goes into effect May 25, 2018

11 10 GDPR Scope Focuses on data protection and personal privacy Encompasses SaaS and other cloud-based services Gives data subjects the right to be erased/forgotten Recommends pseudonymization to reduce scope of exposure The GDPR impacts any company that handles EU citizen data. What Are the Potential Penalties? Regular data protection audits Fines up to 4% of worldwide turnover or 20 million EUR, whichever is greater

12 DATA-CENTRIC ACTION PLAN FOR ADDRESSING GDPR IN CLOUD APPS (SaaS) When it comes to personal data in the cloud and complying with the GDPR, enterprises need to shift from securing infrastructure and physical systems to securing the data itself. In other words, instead of protecting places in the extended enterprise ecosystem, organizations need to protect data as it travels through and across the ecosystem often to unknown pieces of data at a granular level before the data ever enters the cloud and maintaining control over all aspects of that data, including encryption keys.

13 12 The following action plan prepares organizations for key aspects of compliance with the GDPR. It includes the following steps: 01 Know your cloud footprint 02 Understand your sensitive data 03 Apply the right data protection methods 04 Enforce access control and compliance

14 13 01 KNOW YOUR CLOUD FOOTPRINT To protect personal data and to address the GDPR s provision that individuals have the right to be forgotten or erased, organizations need to know where sensitive data exists across multiple clouds. To gain visibility into the scope of personal, cloud-based data that they must protect, organizations should: Analyze sanctioned and unsanctioned clouds Based on audits of numerous enterprise customers, CipherCloud has found more than 85 percent of cloud applications used through corporate networks are unsanctioned. As end users and individual business units adopt multiple SaaS applications, the IT team can easily lose control over security and compliance. Organizations need to systematically track all the SaaS applications being used within the enterprise. In addition, they need to ensure that users are using approved applications in accordance with policies and that they are not using sensitive data on unsanctioned applications (i.e., shadow IT). Track sensitive data Personal data can exist anywhere in the cloud, both in structured and unstructured formats, and in multiple clouds of personal data throughout its entire lifecycle, including who is accessing and sharing the data and from where. In addition, organizations need a methodical way for analyzing and scoring the risk associated with each cloud and with each piece of data, and then applying policies to protect the data appropriately. Before they can determine the best way to protect personal to do with the data, at what point in the process access to the data is needed, who needs access, and where. Different require different levels of protection, depending on the format and sensitivity of the data as well as what it is used are rarely deployed in isolation. Be sure to consider personal data within sanctioned clouds, internal and external

15 14 DEFINING PERSONAL DATA Although it may seem obvious, it s important that of what constitutes personal data within the different business units may have different requirements. Individuals need to understand that essentially applies to any information that can be used to identify a person. As described by the European Commission, It can be anything from a name, a photo, an address, bank details, your posts on social networking websites, your medical information, or your computer s IP address. Although the GDPR applies only to the personal information of European citizens, organizations may want to strengthen their overall security posture by including the data of non-europeans in the scope of

16 15 02 UNDERSTAND YOUR SENSITIVE DATA To apply the right data protection methods, organizations need to understand the ways in which data exists in their ecosystem and the residency requirements related to that data. (structured) Structured data (e.g., credit card information and medical records) is highly organized and occurs in databases, forms, and other Because the data placed in it is easier for organizations protection and then apply the proper methods. Unknown data (unstructured) This type of data resides in s, unstructured formats that frequently exist in cloud-based applications. and control because organizations don t always know whether personal data resides within them; the risk is that unstructured data will not be properly protected. The GDPR to unstructured data. Organizations need mechanisms to scan such content and apply appropriate data loss prevention (DLP) policies. Data residency requirements The GDPR requires that organizations prevent personal data from being stored in or travelling through countries that do not have data protection standards that are equivalent to the EU s. While by the EU as having adequate data protection laws, the United States is not one of them. This situation creates a complex challenge for organizations that rely on cloud-based applications. Cloud service providers (CSPs) often maintain data centers across multiple regions in order to ensure availability and improve application latency, and their service level agreements (SLAs) don t usually guarantee that their own company. Keeping track of where personal data exists in the provides a way to avoid data residency requirements and can relieve organizations from the task of tracking where data lives and travels across multiple clouds and regions.

17 COUNTRIES WITH EU ADEQUACY 16 EEA Countries Adequate protection US-EU Privacy Shield ADEQUATE PROTECTION EEA COUNTRIES Andorra Israel Austria Denmark Hungary Lithuania Portugal Argentina Jersey Belgium Estonia Iceland Luxembourg Romania Canada New Zealand Bulgaria Finland Ireland Malta Slovakia Faroe Islands Switzerland Croatia France Italy Netherlands Slovenia Guernsey Uruguay Cyprus Germany Latvia Norway Spain Isle of Man Czech Republic Greece Liechtenstein Poland Sweden United Kingdom

18 17 03 APPLY THE RIGHT DATA PROTECTION METHODS The most effective data protection solutions enable organizations to meet GDPR compliance requirements by applying data protection policies without diminishing the functionality of cloud applications or interfering with the organization s ability to use personal data to meet business requirements. They offer an array of data protection capabilities apply precise, granular controls on a case-by-case basis. In addition, they are complemented by advanced policy controls that automatically and consistently apply the correct type of data protection for any given situation including mobile device usage. Applying the right data protection method is important not only for protecting personal data but also for reducing exposure to breach pseudonymization or anonymization) has been applied to personal data To protect data from end to end, organizations must: Encrypt data Tokenize data Provide endpoint protection for mobile devices

19 18 ENCRYPTION AND TOKENIZATION Encryption and tokenization are the two most robust and proven be part of every organization s GDPR compliance strategy. Each has combination of both to protect data in the cloud. Encryption Encryption pseudonymizes data by using a mathematical algorithm to make data unintelligible. An encryption key is required to encrypt the data and decrypt it. Encryption is encryption provides robust support for GDPR compliance. Tokenization This form of protection replaces sensitive data with randomly generated values that have no mathematical correlation to the original data. The original data and mappings for the substitutes are stored in a secure, local database. Tokenization provides the best assurance of data residency, because the original data never leaves the organization and remains in a known location. Encrypting and tokenizing data for cloud use presents unique challenges. The following capabilities and considerations are important when selecting encryption and tokenization solutions: Note: Although some SaaS providers offer encryption, it only applies to data at rest. This means that applications, external processes, and administrators can still access the data on-demand while it is in use. Organizations need an end-to-end solution that persistently protects data whether it is at rest, in use, or in transit and regardless of device.

20 19 Application functionality require the at symbol within the encrypted address. Format-preserving encryption (FPE) helps preserve application functionality by ensuring that encrypted data within database Location and management of encryption key or token mapping The GDPR requires that pseudonymized data is kept separate from the mechanism used to decrypt or re-establish the data. Best practice is for the organization to maintain exclusive control of its encryption/decryption keys. Doing so helps prevent unauthorized use by the cloud service provider s employees or malicious actors that gain access to the service provider s resources. It also gives the organization more control over the sharing of personal data in the event of legal disclosure inquiries, subpoenas, or other demands for information. Searching and sorting capability Authorized users must be able to search for and sort data that is encrypted or tokenized within SaaS applications. Organizations should look for data protection solutions that allow users to employ wildcards, natural languages, and other advanced search methods. Integration with third-party applications Cloud applications are rarely deployed in isolation. Be sure that applications and processes within the cloud ecosystem can decrypt and re-encrypt data as needed.

21 20 With the increasing use of mobile devices to access cloud-based applications, it s important that organizations protect personal data that employees and third parties download and share via smartphones, tablets, and other devices. Mobile data protection should include the following capabilities, which are typically implemented within an application that is separate from but integrated with traditional encryption and tokenization mechanisms: Apply appropriate access controls for authorized users on ios, Android, Mac, and Windows devices Enable only authorized, authenticated users to open encrypted documents at the endpoint Remotely revoke encryption keys in real-time in the event of a lost or compromised device SharePoint)

22 21 04 ENSURE ACCESS CONTROL AND COMPLIANCE It is not enough to encrypt and tokenize sensitive data. SaaS applications such as Salesforce and Microsoft 365 enable and promote advanced communication and collaboration in the cloud, and without the proper controls users may share personal data insecurely or with the wrong individuals (or devices). In a recent Cloud Security Alliance survey, 59 percent of organizations reported cloud security incidents related to unwanted external sharing and 47 percent reported incidents involving access from unauthorized devices. Besides preventing unauthorized sharing, organizations need to ensure that cybercriminals cannot obtain access to personal data. To meet GDPR requirements, organizations need to: Prevent unauthorized individuals from accessing sensitive data Enforce who, what, where, and how policies Monitor users, data, activity, and anomalies

23 22 When adopting adaptive controls for GDPR compliance, organizations must include not only but also the following capabilities: CONTROL ACCESS AND ENFORCE POLICIES Adaptive access controls help ensure that only authorized users can open, decrypt, and view protected data. Using these controls, organizations can enforce DLP policies at a very granular level that takes into account the content itself as well as the context (i.e., user group) in which it is used. This approach allows organizations to accommodate and control for all the unique combinations of data, data formats, users, user locations, SaaS applications, compliance requirements, and other variables that exist in cloud environments. organizations can control access to structured data all the way down context-sensitive collaboration policies so that personal information is not shared with unauthorized users. Real-time decryption authorization and policy enforcement Organizations must be able to revoke decryption keys and enforce policies immediately and on a granular level. For example, a business unit may need to revoke the keys for a single document, device, or user. Exclusive key ownership for zero knowledge security Zero-knowledge protection allows organizations to perform certain data operations (such as searching, sorting, and reporting) without exposing the clear-text data to applications, servers, or administrators. To control where data is encrypted and decrypted for zero-knowledge security, organizations must maintain exclusive control over encryption keys.

24 23 MONITOR USERS, DATA, ACTIVITY, AND ANOMALIES Once enterprises have data protection mechanisms, adaptive access controls, and policies in place, they need to demonstrate that these controls are effective. Compliance monitoring enables enterprises to discover, report on, and respond to policy violations and anomalies that put personal data at risk. Although compliance monitoring is not an explicit GDPR requirement, it is a best practice for maintaining compliance over time. Compliance monitoring should include the following capabilities: Compliance scanning for sensitive data This capability allows organizations to discover and classify new and historical content for User behavior monitoring This capability allows organizations to monitor user activity and detect unusual behavior such as excessive downloads, content policy violations, or geographic anomalies.

25 24 WHY YOU CAN T RELY ON CSPS FOR GDPR COMPLIANCE Although SaaS and other cloud service providers (SaaS Providers) protect data at rest (i.e., data in storage), most do not protect data in use; nor do they guarantee data security and privacy. This potentially leaves clear-text data in SaaS applications vulnerable to breaches and attack. In addition, many of the interfaces used to connect and integrate various cloud-based applications (i.e., application programming interfaces [APIs]) have security gaps, opening the door for third parties and malicious actors to access personal data via an API. Reliance on SaaS Providers alone for data protection presents drawbacks. For one thing, SaaS Providers encryption only protects data in the SaaS Providers cloud, leaving gaps in protection when data is used in other clouds. Another issue is that key management policies and processes may not support GDPR compliance or an organization s internal best practices. Part of the concern is that the SaaS Providers not the organization controls the encryption keys, meaning that the SaaS Providers can access the data that organizations have allowed into the cloud. Finally, SaaS Providers cannot provide tokenization, which is an important tool for meeting strict data residency requirements in the GDPR and in many individual countries.

26 25 For the purposes of GDPR compliance and stronger data control, organizations should avoid reliance on providers data protection mechanisms and assume sole responsibility for compliance and data protection. Threats to Cloud Data WHAT CSP S (SaaS) CAN T DO AT A GLANCE Protect multiple clouds Extend data protection to broader ecosystems Provide tokenization Provide zero-knowledge protection Ensure that CSP personnel, processes, and apps can t access data Control government or subpoena access

27 MOVING TOWARD GDPR COMPLIANCE Compliance with the GDPR is not a trivial task. As the countdown to GDPR enforcement whittles away days, weeks and months, organizations cannot afford to delay their readiness efforts. Organizations can start by determining where they stand in terms of compliance; developing a roadmap for what they need to do; and budgeting for personnel, technology, processes, policy updates, and other items required to achieve and maintain GDPR compliance. To navigate the complexities of GDPR compliance, most organizations will want to work with a third-party that has expertise in compliance and data protection for cloud environments. They will also need a suite of tools that are CipherCloud has deep expertise in data protection and compliance for industries that depend on SaaS and other cloudbased services to conduct mission-critical business. Its data-centric protection model uses encryption, tokenization, and mobile data protection to pseudonymize data before it enters the cloud and then persistently protect it in its journey through the extended cloud ecosystem.

28 27 CipherCloud s data-centric model, best practices, and state-of-the-art tools for data discovery, data protection, adaptive access control, and monitoring prepare organizations to comply with key aspects of the GDPR, including: Using encryption and tokenization to pseudonymize private data Protecting data as soon as possible and while still in the organization Minimizing the scope of exposure to data residency Building in privacy by design and default, including: Organization control over encryption and tokenization processes Exclusive organization control of encryption keys Separation of encrypted/tokenized data and encryption keys/tokens Real-time, organization-controlled revocation of encryption keys on mobile devices For more information on how CipherCloud can help your organization prepare for GDPR compliance, please

29 1.5 CHECKLIST: YOUR 12 MONTH ROADMAP TO GDPR COMPLIANCE 28 Step GDPR Risk ACTION Complete Phase 1: Know Your Cloud Footprint 1 Analyze sanctioned & unsanctioned cloud usage Personal data can be exposed in unsanctioned, risky or insecure clouds Use Shadow IT discovery tools and block risky or unauthorized clouds 2 Discover where sensitive data is going Accidental collaboration mistakes can easily cause GDPR violations Use DLP tools to scan and detect sensitive content across multiple business clouds 3 other clouds, multiplying GDPR risk Phase 2: Understand Your Sensitive Data 4 5 data can cause a major GDPR violation contain unintentional GDPR protected data with sensitive personal data Limit sharing of sensitive documents, scan and protect unstructured content with DLP policies 6 Data residency requirements Transferring personal data to countries without adequate data protection may violate GDPR Understand data residency requirements for your region, and don t assume cloud data is static Phase 3: Apply Data Protection Policies 7 Encryption & key management Encryption is a critical GDPR control, but keys must be kept separately from the cloud data based on data types. Never share keys externally. 8 Tokenization & data residency Some jurisdictions prefer highly sensitive data to remain within the enterprise Use tokenization tools to substitute random data for 9 Mobile data protection Files downloaded from cloud collaboration tools to mobile devices are a GDPR threat mobile authentication and authorized decryption Phase 4: Enforce Access Controls & Compliance 10 Eliminate data exposure to outsiders Data controllers must ensure that sensitive data is not accessed by unauthorized outsiders Apply data-centric access control policies ensuring that only authorized user access personal data 11 Enforce who, what, when, where policies Personal data shared in the wrong context can cause GDPR violations Implement context aware policies around users, content, and context with intelligent remediation 12 Monitor users, data, activity & anomalies Compliance monitoring must be continuous and vigilant to prevent future violations Apply intelligent monitoring that uses machine learning to spot changes and potential problems

30 GLOSSARY Anonymization Once data is anonymized, it cannot be reconstituted to its original form or content; that is, it has been destroyed. Data processor Per the GDPR, the entity that processes data on behalf of the data controller; that is, the cloud service provider. Cloud access security broker (CASB) An application or service that acts as a gatekeeper for data leaving an organization and ensures that security policies are applied before data enters the cloud. Data residency The physical location of an organization s data, whether being stored, processed, or in transit. The GDPR and many individual countries have strict data residency requirements for personal data. Data controller Per the GDPR, the entity that determines the purposes, conditions, and means of the processing of point to the organization and not the cloud service provider as the data controller and therefore the party responsible for compliance. Encryption A process for pseudonymizing data by using a mathematical algorithm to make data unintelligible. An encryption key is required to encrypt the data and decrypt it.

31 30 Encryption key A randomly generated string of data used to encrypt and decrypt data. Organizations seeking compliance with the GDPR should maintain possession and control of the encryption key and should not share it with CSPs or other third parties. Extraterritoriality This concept refers to the geographic reach of a given regulation or law. With the GDPR, regulations apply to all personal data of EU citizens, regardless of where that data is handled. Format-preserving encryption A data protection mechanism that helps preserve application functionality by ensuring that encrypted or addresses) complies with what the cloud application requires. File-based encryption A data protection mechanism that uses separate encryption keys for different user groups so that organizations can control access at an extremely granular level. Pseudonymization other randomized or encrypted data that cannot be deciphered without access to a separate key or pseudonymized (using techniques such as encryption or tokenization), it is not subject to GDPR controls and penalties. Pseudonymization is an important strategy for minimizing the risk of data leaks, meeting dataprotection obligations, and avoiding GDPR breach Tokenization A form of pseudonymization that replaces sensitive data with randomly generated values that have no mathematical correlation to the original data. The original data and mappings for the substitutes are stored in a secure, local database. Tokenization provides the best assurance of data residency, because the original data never leaves the organization and remains in a known location.

32 CIPHERCLOUD LOCATIONS SILICON VALLEY, HQ READING SYDNEY HYDERABAD TOKYO 2581 Junction Ave. Suite 200 San Jose, CA USA Davidson House, The Forbury Reading RG1 3EU UNITED KINGDOM Park Street Suite #1364 Sydney, NSW 2000 AUSTRALIA Block 2,Cyberpearl Hi-Tech City Hyderabad INDIA W22F Shibuya Mark City Dogenzaka Shibuya-ku Tokyo JAPAN CIPHER ( ) sales_australia@ciphercloud.com jp-sales@ciphercloud.com