Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


09:05 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli

GDPR Presents New Challenges in Backup & Disaster Recovery Management

GDPR applies not only to primary systems, but also to backup and recovery systems. Cloud storage, combined with a modicum of common sense, may prove essential to helping with GDPR compliance for these systems.

It hardly takes a William Blackstone to figure out that the European Union's General Data Protection Regulation (GDPR) applies not only to primary work systems, but also to backup and recovery systems.

While very openly worded, including lots of uses of the term "appropriate," Article 32(1) of GDPR specifically identifies Business continuity and disaster recovery (BC/DR) concerns -- including potential mandates for the abilities "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and "to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."

Moreover, to the extent that Article 32(1)(a) and other relevant portions of GDPR require encryption and data masking, a fairly obvious yet often overlooked consequence is that enterprises should similarly encrypt or mask data in their backup systems.

The same could also be said for best practices in data stewardship -- and enterprises are still confused on these finer points.

Perhaps the seminal case study on how not to do BC/DR is represented by Adobe's 2013 data breach -- which saw some 150 million accounts compromised when an intruder accessed a backup authentication system marked for decommissioning. Making matters worse, apparently figuring that the system was "just a backup," Adobe failed to properly encrypt the account data on this system -- declining to use salting and hashing on what data were encrypted, while leaving password hints in plaintext.

Where GDPR is concerned, this sort of behavior falls under the category that EU Data Protection Authorities are perhaps most on the lookout for -- to wit: utter data malfeasance. When it comes to more nuanced applications of GDPR to BC/DR management, IT administrators and security pros should again look to GDPR's use of the word "appropriate." (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)

And yet, many enterprises may be bringing more GDPR pain upon their data-storage practices than needed.

Appropriate & inappropriate sensitivities
To a certain extent, although many compliance-sensitive organizations may fail to realize it, object storage -- whether on-premises or in the cloud -- may address some of these GDPR compliance needs for BC/DR by virtue of its very nature. Linda Zhou, director of research and life sciences solutions at Western Digital, relayed that organizations that use object storage for sensitive yet large and unstructured datasets, like medical images, have an inherent protection against physical access.

"If you go to the data center and you pull out one of the drives," Zhou told Security Now at the 2018 Bio-IT World Conference & Expo, "you won't get anything."

Nonetheless, continued Zhou, she is seeing and hearing from enterprises that are so hypersensitive about BC/DR compliance with GDPR that their concerns do not align with reality -- to the point that enterprise organizations are insisting that their backups of EU-specific data are not just in the EU, but reside in the self-same EU member-state as where their primary systems and data stores are located.

To be fair, some of this may be less about GDPR and more about compliance with EU member-state implementations of the EU's Directive on Security of Network and Information Systems ("NIS Directive"). After all, healthcare organizations, such as those Zhou may deal with, are categorized as potential "operator[s] of essential services" that are subject to elevated reporting and data-management requirements under the NIS Directive. (See EU's NIS Directive Compounding GDPR Burdens & Confusion.)

On the other hand (and particularly considering how much less attention the NIS Directive has received compared to GDPR), for European enterprises and organizations that service and partner with European enterprises, such worries about backup storage are just as much about conservative European sensibilities as they are about European legal frameworks. Consider that in its 2016 Cloud Services Trends survey of IT professionals -- conducted a few months before the EU even adopted GDPR in April 2016 -- Spiceworks reported that nearly 40% of European respondents indicated that their organization's policies dictated that all of their respective data must be located not just within the EU but in a specific EU country. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

"I think it's in part cultural," Steve Yemm, vice president of sales at laboratory-software firm BioData, told Security Now at Bio-IT World. "It's not concern about GDPR that's stopping biotechs from putting data in the cloud; it's an attitude of 'Well, we just have never done this before.'"

Accentuating access over possession
Regardless of where it is stored, however, organizations must practice discretion when it comes to what they back up. In addition to other-than-intelligent, yet nonetheless prolific data-protection practices such as in the Adobe example, part of the whole reason we have GDPR is the everyday business practice of data over-retention. This presents a direct security risk in and of itself, privacy concerns and European rightsto be forgotten aside -- after all, attackers can't compromise data you don't have. (See Four Enterprise Security Lessons From Maury.)

There is also a secondary, indirect security risk to data over-retention: a poorly conceived, poorly maintained secure development lifecycle (SDLC). As various business units have grown data-gluttonous, enterprises have grown lazy in maintaining SDLCs -- leading to a broader attack surface for production data (as seen in Adobe's case).

Funnily enough, addressing the problem of data hoarding is where the Internet of Things (IoT) -- long criticized for security and privacy failings -- can come in handy. We have long since transitioned from the Information Age to what has been called "the Systems Age." (See IoT Regulation Could Save the Internet.)

This means that -- because of how commoditized data has become, and how easy and ubiquitous data access has similarly become because of the proliferation of IoT and cloud computing alike -- business success is no longer about who has the most data. Instead, the spoils of agility go to those enterprises that (1) have the best access to data and (2) stay lean by disposing of and declining to retain data, instead relying on that ready data accessibility whenever it is needed.

GDPR itself emphasizes the management of data access over data ownership. After all, the underlying philosophy driving GDPR is that human data subjects -- and not enterprises -- are the rightful owners of personal data.

Related posts:

— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.