Counting Down, Getting Ready: GDPR In A Multi-Cloud World

(Originally posted to CenturyLink’s blog on November 10)

To help save time and money, a growing number of enterprises are storing sensitive customer data in the public cloud. Increasingly, they’re also leveraging multiple cloud providers. According to IDC, nearly 80% of IT organizations currently deploy multi-cloud or plan to implement multi-cloud environments within 12 months. Securing data in a multi-cloud environment can be especially problematic for organizations seeking compliance, since they need to prove they can control their data by following best practices around cloud data security shared responsibility models.

One compliance mandate with teeth, GDPR, is set to go into effect in May 2018 – and its list of requirements (which includes breach notification within 72 hours of occurrence and fines to organizations set at €20M or 4% of annuals revenues) is stringent. Recently, executives from CenturyLink, Thales and Park Legal LLC participated in a webinar about “preparing for GDPR in a multi-cloud world”. The recommendations, which addressed a range of GPDR pain points, placed particular emphasis on how to best handle data in the context of a multi-cloud environment. Bottom line? If an organization handling the personal data of EU citizens uses a third party provider to store or handle that data – such as a cloud provider or providers – the organization is still responsible for its correct handling and protection. Even if the company isn’t headquartered and the data centers in use aren’t in the EU, holding EU citizen data alone enables the long arm of the EU to fine your company.

One comment made by conference moderator Joan Antokol, Managing Partner, Privacy and Data Protection Practice, Park Legal LLC, is that EU regulators already view cloud deployments as more risky than traditional on-premises technologies. Because of that, businesses collecting or processing personal EU data and deploying cloud technologies need to be particularly diligent. A smart way to get off on the right foot with EU regulators is to be cooperative from the start, and avoid treating them as adversaries.

The webinar spanned almost two hours, so I’d be remiss to try and recap everything here. Instead, I’ll share advice on how to even begin approaching GDPR:

While credit for this readable design goes to the Aberdeen Group’s Derek Brink, Scott is a firm believer in the powerful role of encryption in readying businesses for GDPR. Unsurprisingly, encryption and tokenization are two of the most called out (for their effectiveness!) security controls in the GDPR regulation. Why? Because the GDPR encourages “pseudonymization” of personal data. This is defined as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.

But (and this is a big one), both security strategies must be implemented with secure key and token management. Additionally, tokens and encryption keys should never be stored with the pseudonymized data. Ultimately, encryption is only as good as its key management.

Encryption, when not done right, can also be costly and arduous. However, it certainly doesn’t have to be. As noted by Scott during the webinar, organizations should never try implementing different types of encryption one-by-one. Rather, the best course of action is to find a solution that offers encryption, tokenization, key management and access controls, all in one comprehensive package. While there are many types of encryption options available (full-disk or media, file system, database, and application), a good data protection solution is one that is broad and allows you control over what you do with each type of data your company is handling.

Missed the live webinar? It’s not too late; you can listen in on-demand here. For more information about GDPR best practices, I recommend you visit Thales dedicated GDPR page. You can also take the Thales readiness assessment to determine if you’re #FITforGDPR.