[BreachExchange] GDPR: The Compliance Conundrum

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 13 18:58:42 EST 2018


With the General Data Protection Regulation (GDPR) on the horizon,
businesses that wish to operate in the European Union are having to spend
more time than ever thinking about compliance. Not only does all personally
identifiable customer data need to be accounted for – a task that is easier
said than done for many organisations – internal processes also have to be
updated and employees need to be educated to ensure the compliance deadline
of 25th May 2018 is met.

Of course, GDPR is just one legislative challenge facing businesses.
Financial services firms, for example, have a revamped version of the
Markets in Financial Instruments Directive (also known as MiFID II) to
respond to, while the UK telco industry is facing the prospect of new
legislation being enforced after Brexit.

And as falling foul of industry regulations has the potential to result in
massive financial penalties, as well as the threats of reputational damage
and a loss of customers, organisations simply can’t afford to be complacent.

However, fear of the complexity of managing compliance in new
infrastructure, as well as the effort already involved in ensuring existing
systems are ready to go, is prompting many businesses to shy away from
cloud, despite the many benefits such services offer. Concerns stem
primarily from a misconception that cloud platforms, with data held by
third parties on shared systems, will be a more difficult undertaking than
traditional in-house systems and potentially less secure, but the truth is
very different.

Public cloud services can be extremely secure and often can be a more
secure option than in-house systems. So, what exactly is behind this
misconception and why should businesses be trusting public cloud services
with their compliance needs?

Privacy Please

On the face of things, it’s easy to see why many people would assume
on-premises infrastructure is more secure and easier to manage. In theory,
businesses know exactly where their data is being stored and who has access
to it, both of which provide comfort for organisations.

They can also design the architecture to suit their own specific needs and
preferences, as well as reducing the risk of data loss if a public cloud
provider goes out of business. One could argue that such a setup would be
particularly appealing to businesses operating in highly regulated
industries, such as healthcare and financial services, which need to have
greater visibility and control over how their data is managed.

However, firms would be wise to remember that operating their own private
cloud places the responsibility of security and compliance squarely on
their shoulders. Businesses are at the mercy of the whims of nature and the
resilience of their local power grid, potentially leaving them helpless if
something goes wrong.

It also leaves them vulnerable to disgruntled employees and internal data
theft. Employees may have easy access to confidential data, sometimes with
very little to stop them from stealing corporate information simply by
pulling a disk from a server and leaving the building with it. Often
employees can also connect USB drives that have been used on home systems
and may contain malware or viruses. Huge faith is placed in the firewall as
an effective means of keeping intruders out, yet backdoors may well exist
in the form of legacy and unsecured modem connections, as well as poor
access control processes that leave user credentials in place long after
the relevant employee has left the company.
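The stale-credential problem described above (accounts that outlive the employee) is one of the easier gaps to check for. The following is an added example, not code from the article or from the list post: it joins a constructed HR leavers feed with a constructed identity-provider export and flags accounts that are still enabled past their leave date, accounts that have gone dormant, and accounts with no HR owner. The record layouts, field names, the one-day grace window and the 90-day dormancy threshold are all assumptions.

```python
# Added example: deprovisioning audit over constructed HR and IdP records.
from datetime import date, timedelta

# Constructed HR offboarding feed: username -> last working day (None = still employed)
HR_RECORDS = {
    "alice": None,
    "bob": date(2018, 1, 12),
    "carol": date(2017, 11, 3),
    "dave": None,
    "erin": date(2018, 2, 12),
}

# Constructed identity-provider export: username -> (enabled?, last successful login)
IDP_ACCOUNTS = {
    "alice": (True, date(2018, 2, 12)),
    "bob": (True, date(2018, 1, 11)),        # left a month ago, never disabled
    "carol": (False, date(2017, 11, 2)),     # correctly disabled on leaving
    "dave": (True, date(2017, 10, 1)),       # still employed but long dormant
    "erin": (True, date(2018, 2, 12)),       # left yesterday, inside the grace window
    "svc-backup": (True, date(2018, 2, 13)), # no HR record: orphaned or service account
}


def audit_accounts(hr, idp, today, grace_days=1, dormant_days=90):
    """Return (username, finding, days) tuples for accounts needing review.

    Findings:
      leaver-still-enabled  - enabled more than grace_days after the leave date
      dormant               - employed, enabled, but no login for dormant_days
      no-hr-owner           - present in the IdP with no matching HR record
    """
    findings = []
    for user, (enabled, last_login) in sorted(idp.items()):
        if user not in hr:
            findings.append((user, "no-hr-owner", None))
            continue
        leave_date = hr[user]
        if not enabled:
            continue  # already disabled; nothing to deprovision
        if leave_date is not None:
            overdue = today - (leave_date + timedelta(days=grace_days))
            if overdue.days > 0:
                findings.append((user, "leaver-still-enabled", (today - leave_date).days))
        else:
            idle = (today - last_login).days
            if idle > dormant_days:
                findings.append((user, "dormant", idle))
    return findings


if __name__ == "__main__":
    # Fixed "today" so the output is reproducible against the constructed data.
    for user, finding, days in audit_accounts(HR_RECORDS, IDP_ACCOUNTS, date(2018, 2, 13)):
        print(f"{user:12} {finding:22} {days if days is not None else ''}")
```

In practice the two inputs would come from an HR system export and an IdP API rather than in-memory dicts, and the audit would run on a schedule with the `leaver-still-enabled` findings feeding a ticket or an automatic disable step; the point is that the join between "who has left" and "who can still log in" is cheap to compute and rarely done.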

So just because infrastructure is in your data centre doesn’t mean it is
inherently more secure, resilient or suitable to meet the needs of
regulatory compliance than public cloud.

Going Public

While some businesses may feel more comfortable knowing their data is being
stored within their own walls, data location is only one small aspect of
security and compliance. Along with the provision of innovative new
services to enable business growth, it is the job of public cloud providers
to protect their customers’ data. A central component of their value
proposition, therefore, is the delivery of systems, tools and continuity
plans that make their cloud infrastructure safe and secure.

This applies to both virtual and physical means of protection. Corporate
data will be stored in a secure facility with multiple layers of physical
security that are often not present if businesses opt to run their cloud
infrastructure in-house.

And, with competition in the market continuing to increase at a rapid rate,
ensuring compliance is not only a valuable competitive advantage for those
businesses offering public cloud services, but also essential to gaining
customer trust and, in turn, loyalty. In this respect, smart cloud providers
are leading the way with a value proposition focused very much around
regulatory compliance.

Public cloud providers are also likely to carry out software patching on a
more regular basis which is essential to manage compliance. Businesses
running their own private clouds will generally be slower to patch security
gaps, leaving themselves exposed to potential data breaches and compliance
holes. The recent Spectre and Meltdown vulnerabilities are a good example
of this, with Google, Microsoft and Amazon all patching their systems
quickly after the problems became public. Meanwhile, many businesses will
still be trying to determine which systems they need to patch and how to
go about doing it.

Furthermore, public cloud providers tend to have highly skilled and
experienced IT teams, which isn’t something that can be said for all
businesses. The skills gap issue is an extremely prevalent one in the cloud
world and businesses are finding it harder than ever to attract talented
developers. This is causing problems when it comes to addressing the more
technical compliance challenges, which could be solved using third-party

Add in the fact that businesses will not be alone when defending against
attacks and the skills argument provides compelling support for the merits
of using third-party providers to ensure legislative compliance.

The combination of these factors means that in many cases public cloud can
actually be a better option than a private cloud for systems with high
security and compliance requirements. It can certainly be a less
complicated option for businesses and help to give them peace of mind
amidst shifting regulatory landscapes.

As end users become far more sensitive to the security of their personal data
and initiatives like Open Banking come into effect, the challenges are only
going to grow. That’s why org