I was fortunate to be one of the presenters at SecureWorld’s recent web conference on “Deploying Containers in the Age of GDPR.” I suggest you check it out. Here is a taste of what we discussed.
A real-time poll of webinar participants asked how ready they think their organizations are for the GDPR deadline of May 25, 2018. It indicated 40% “are doing everything they know about and should be pretty much there.” This suggests at least 60% will not be. And these numbers are for people aware enough and concerned enough about GDPR to attend the web conference.
My belief is that the worldwide numbers are much worse.
Conference moderator Robert Scott (Managing Partner, Scott & Scott, LLP) noted that he continues to field questions regularly from clients seeking information and advice about the GDPR. He also commented on the complexity of the regulation and the need to take it seriously.
So, what should your organization be doing to secure containers and protect data in the “Age of GDPR”?
Joan Antokol, Managing Partner, Privacy & Data Protection, Park Legal, LLC, outlined how the GDPR differs from the EU Data Protection Directive, highlighting the regulation's expanded territorial scope, its broader definition of personal data, the additional rights of individuals, and more. She also noted some of the technical measures outlined within the GDPR, including its references to encryption and pseudonymisation to protect personal data.
Kirsten Newcomer, Security Strategist at Red Hat, provided a deep dive into three key areas of container security: securing the container pipeline and containerized applications; protecting the container deployment environment; and leveraging the security ecosystem to extend the capabilities of a container security program. Throughout her presentation, Kirsten highlighted ways to use tools that automate security processes, which will greatly assist efforts to protect personal data in compliance with the GDPR. This alone makes the web conference worth listening to.
I explained how signing container images helps to ensure that only authorized code makes it to the production repository, and how encrypting images prevents unauthorized access to their contents. I also highlighted the need for file- and volume-level encryption of any personal data mounted into containers, supported by access controls and audit logs that document access attempts. Given the GDPR’s call for the use of encryption, access controls and auditable evidence (see Articles 5 and 32, for example), these efforts directly affect an organization’s compliance posture.
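To make the signing and audit-log points concrete, here is a small added example (mine, not code from the webinar or from any Thales product): a production registry that admits an image only if the signature over its content digest verifies, and writes an audit entry for every push attempt, admitted or rejected. The signing key, manifest and actor names are constructed for the demo, and an HMAC stands in for the asymmetric signature a real image-signing service would produce.

```python
import hashlib
import hmac
import time

# Constructed demo key: stands in for the private key a CI signing step
# would hold. A real pipeline uses an asymmetric key pair and keeps the
# private half in an HSM or key-management service.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def image_digest(manifest: bytes) -> str:
    """Content-addressed identity of an image: sha256 over its manifest."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def sign_digest(digest: str, key: bytes = SIGNING_KEY) -> str:
    """Sign the digest, not the tag, so a re-tagged or altered image
    cannot reuse a signature issued for different content."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_signature(digest: str, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison against a freshly computed signature."""
    return hmac.compare_digest(sign_digest(digest, key), signature)


class ProductionRegistry:
    """Admits only images whose signature verifies; logs every attempt."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self.key = key
        self.images = {}      # name -> admitted digest
        self.audit_log = []   # one entry per push attempt, success or not

    def push(self, name: str, manifest: bytes, signature: str, actor: str) -> bool:
        digest = image_digest(manifest)
        admitted = verify_signature(digest, signature, self.key)
        # The audit entry is written before the outcome branches, so rejected
        # attempts are recorded as evidence just like successful ones.
        self.audit_log.append({
            "ts": time.time(),
            "actor": actor,
            "image": f"{name}@{digest}",
            "result": "admitted" if admitted else "rejected",
        })
        if admitted:
            self.images[name] = digest
        return admitted
```

A push of a manifest that was modified after signing, or of an unsigned manifest, is rejected and still leaves an audit entry naming the actor and the digest that was attempted.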
Joan then answered audience questions including:
Q. How is the 72-hour breach notification window defined?
A. According to Joan, unfortunately, it's based on actual clock hours, regardless of weekends, holidays, etc.
Q. For U.S.-based processors who have clients in the EU, what is their liability compared to the controller's?
A. Joan bore bad news and summarized that, while the processor might get a slight pass in some areas, the GDPR's requirements still apply. So it behooves the organization to revisit its contract with the controller to fully understand its potential exposure.
Q. Do an organization’s efforts to comply with mandates like HIPAA and PCI DSS help with regard to the GDPR?
A. Here, Joan offered some hope. She stated that HIPAA and PCI DSS do, in part, map to the GDPR so those previous efforts will make it easier for the IT team as they conduct their risk evaluations.
In closing, Joan suggested that organizations maintain solid documentation as to their internal processes, which may demonstrate good faith efforts in the event of an audit. All the panelists noted organizations should seek assistance from industry professionals when necessary.
With the enforcement date about two months away, we at Thales welcome opportunities to help you get ready. Specifically, we can help you with the following GDPR requirements:
- Limiting access to data
- Encrypting or pseudonymizing sensitive data
- Monitoring and reporting user access patterns
For more information on securing containers for GDPR compliance, I suggest you look at my colleague Juan Asenjo’s recent blog post on that topic, review Thales eSecurity’s dedicated container security page, or check the company’s dedicated GDPR page. In the meantime, you can find me @JimDeLo