The enactment of the European Union’s General Data Protection Regulation (GDPR) is a significant milestone for virtually every international business. Under the regulation, organizations need to comply with an extensive set of requirements, or potentially face significant fines for failing to do so. Thales eSecurity and DataStax have come together to draft “Aligning GDPR Requirements with Today’s Hybrid-Cloud Realities,” which outlines a number of the issues organizations need to address to be GDPR compliant. The paper examines the regulation’s security requirements and the capabilities security teams need in order to meet them in increasingly hybrid IT environments that encompass both on-premises infrastructure and multiple cloud services.
The following overview touches on some of the most critical elements required for GDPR compliance. They are covered in more depth in the white paper.
Internal and External Authentication
To address GDPR requirements and security best practices, security teams need to establish strong controls around who can access sensitive data. This requires strong authentication mechanisms that can be used not only for employees, but also for third-party contractors, partners and customers.
Fine-Grained Access Control
Many articles of the GDPR set out requirements that underscore the need to restrict access to sensitive data, so that only people with a legitimate need can access or modify it. Addressing these requirements requires the ability to establish granular access controls based on users’ roles and responsibilities, and to apply those controls uniformly across multiple clouds and data centers.
Encryption for Data in Transit and at Rest
Strong, granular and flexible encryption capabilities are a key requirement for preventing unauthorized access to personal data, both while it moves between systems and while it is stored. By encrypting specific data sets, organizations can ensure that wherever the encrypted data is transported or copied, it remains protected by the established policies, provided the keys are not copied along with it.
Strong Key Management
As reliance on encryption grows, so does the need for robust key management. To establish the highest levels of security, keys should be stored in hardened, tamper-resistant appliances that have been certified against standards such as FIPS 140-2 and Common Criteria. In addition, it is critical to establish key management capabilities that span on-premises and hybrid, multi-cloud environments, so that the same policies govern keys wherever the data they protect resides.
Auditing and Central Visibility across Disparate Environments
GDPR requirements place increased emphasis on visibility, auditability and accountability for both users and administrators. Within this context, application-level auditing across multiple environments is an important requirement.
Simplified Data Deletion
For many organizations, the ability to permanently and verifiably delete sensitive data when it is no longer needed is a challenge. That challenge will be compounded as operations teams seek to comply with customers’ right-to-be-forgotten requests under the GDPR. Consequently, it will be vital to gain capabilities for efficiently controlling and scheduling the removal of information, including every copy held in replicas and backups.
Data Autonomy and Sovereignty
GDPR makes clear that the organizations that collect personal data are responsible for that data, and those responsibilities continue to apply as data is sent across borders. Specifically, Article 56 establishes a lead supervisory authority for a controller’s or processor’s cross-border processing of personal data. GDPR therefore places an increased emphasis on data sovereignty and autonomy. Within data management environments, it will be important to establish controls at the keyspace and schema level that specify which data centers data may be replicated to. This is critical in hybrid, multi-cloud environments to ensure data isn’t transported to unauthorized locations.
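As an added example (not taken from the white paper or from either vendor), this is what a keyspace-level replication control looks like if the data management environment is an Apache Cassandra or DataStax Enterprise cluster, which is an assumption since the page only names DataStax. The datacenter names eu-west, eu-central and us-east are constructed placeholders, as is the keyspace name.

```sql
-- Weak setting: SimpleStrategy ignores datacenter topology entirely and
-- places replicas on consecutive nodes around the token ring, so personal
-- data can land in any datacenter that joins the cluster, including us-east.
CREATE KEYSPACE customer_pii_bad
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 3};

-- Corrected setting: NetworkTopologyStrategy names each datacenter that may
-- hold a replica and how many copies it holds. Datacenters that are not
-- listed (here us-east) receive no replicas, so this keyspace cannot be
-- replicated outside the EU even when us-east nodes are part of the cluster.
CREATE KEYSPACE customer_pii
  WITH replication = {'class': 'NetworkTopologyStrategy',
                      'eu-west': 3,
                      'eu-central': 3}
  AND durable_writes = true;

-- Audit check: list every keyspace with its replication map so a reviewer
-- can spot SimpleStrategy keyspaces, or EU-only keyspaces that name a
-- non-EU datacenter. system_schema.keyspaces exists in Cassandra 3.0+.
SELECT keyspace_name, replication FROM system_schema.keyspaces;
```

Changing the replication map of an existing keyspace with ALTER KEYSPACE only changes where new writes go; existing data must be moved with nodetool repair, and SSTables already on nodes in a datacenter that was removed from the map stay on disk until nodetool cleanup runs there. A sovereignty review should therefore cover both the schema and the on-disk state of the nodes that were dropped.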
GDPR compliance is a massive undertaking, and knowing the tasks you must manage to achieve compliance is the first step. To learn more about the challenges and solutions, check out “Aligning GDPR Requirements with Today’s Hybrid-Cloud Realities.”