Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/3/2018
10:30 AM
Rick Bilodeau
Rick Bilodeau
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

GDPR Requirements Prompt New Approach to Protecting Data in Motion

The EU's General Data Protection Regulation means that organizations must look at new ways to keep data secure as it moves.

The EU's General Data Protection Regulation (GDPR) will take effect on May 25, a response to data breaches and demands for greater oversight relating to security of personal identifiable information (PII). As shown by the recent Equifax and Cambridge Analytica debacles, the risks to PII are real as digital transformation makes all interaction data usable and the Internet of Things (IoT) causes an explosion of new data sources.

GDPR is the latest of numerous laws around the use of PII. These laws often vary by jurisdiction, industry, and data type, making for a complex puzzle for enterprise data governance. For companies with large global customer bases, compliance with the strictest regulation across the customer base ends up being the prudent course, as it can be difficult to apply only geographic-specific restrictions to PII.

Adding to this complexity is the fact that digital data takes many forms. Efforts to analyze data to improve the business end up distributing PII throughout the enterprise. This business imperative to move and change data means that organizations must look at novel ways to keep it safe and secure.

This complexity bears itself out with the Gartner prediction that by the end of 2018, more than one-half of organizations affected by GDPR won't be in compliance. Given the high stakes of noncompliance, organizations must have technology and processes in place to protect PII.

Keeping the Genie in the Bottle
Many organizations already have solutions that scan for and protect personal "data at rest." However, in the time between when the data arrives and when it's masked or encrypted, it might have already been shared. And, with the growth of real-time stream processing, the time between arrival and sharing compresses to almost nothing. In short, the genie may be out of the bottle before you even know you have PII. 

Additionally, any arriving PII is moved across data stores and computing platforms for a valid business reason and to be available for use. A balance must be established between data protection and data availability. This balance can be achieved through governance zones that allow different levels of access based on the type of data and the type of user; however, achieving this adds another layer of complexity to data protection and compliance.

The problem of big data sources and data drift (where fields are added or data types are changed without notice) further complicates matters. New data sources such as IoT devices, API data, and log files are added all the time in the name of digital transformation and business agility, and they may include PII. Plus, many of these data sources that are governed by others or loosely governed — such as unstructured data sources — are subject to data drift. As a result, a data protection solution that is compliant on day 1 may be noncompliant by day 3.

Data Protection Should Start When Data Is Born
The pressures of real-time data, data sharing, and data drift mean that sole reliance on "scan at rest" across every data store is risky. Discovering PII and mitigating compliance exposure must start at the point of data ingestion. A multilayered strategy that includes both incoming pathways and the data stores is optimal.

First, inspect for patterns in the live data because your chief vulnerability is around sensitive data that you don't expect to see but arrives because it's impossible to keep track of all data efforts across the company, or simply because of data drift. To catch this data, you must scan the contents of your data flows, inspect the data, and compare it to known or likely PII patterns. Some form of probabilistic match capability will allow you to catch patterns and those that may be new or specific to your industry or company.

Second, you must be able to act on that data as soon as the PII pattern is detected and have a wide variety of actions to take. Then you can customize the approach based on the potential uses of the data.

Third, due to the need to classify the use of different data types as well as different user groups, the ideal approach should be based on centrally driven policy management that is integrated with how you protect data at rest to ensure completeness. Enterprise risk teams should set up security service-level agreements for data and expect the system to alert on violations and stop insecure data delivery before it happens.

Tooling > Coding
Monitoring and discovering sensitive data in stream can be very difficult. As GDPR takes effect, solutions must mature from ad hoc or DIY approaches focusing on data at rest to tooling that can discover and track data starting with its first appearance. Moving protection from data stores out to first detection is a critical step that will help ensure the integrity and security of PII.

Related Content:

Rick Bilodeau is a marketing leader with deep experience with enterprise data, networking, and security innovators. Before joining StreamSets, Rick led outbound marketing functions for B2B technology companies Qualys (IT security), iPass (enterprise mobility), and 3Com ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...