Things are about to get interesting in Security Operation Centers around the world, GDPR is going to hit like a bunch of bricks.
General Data Protection Regulation (GDPR) also known as EU Regulation 2016/679 is about to become “enforceable” on May 25th 2018. It requires that EU member states standardise on data protection rules, with the founding principle that data is inherently owned by the resident/citizen that the data references, meaning that organisations are essentially custodians of their end users data.
Just like when you borrow your neighbor’s lawn mower, you are expected to take all reasonable precautions to protect the item and if something goes wrong, like someone steals it, you have to report it and provide the details of the who, what and where. Now if someone steals your neighbor’s lawn mower, worse case you buy them a new one, a few hundred euros out of pocket, no big deal. But failure to meet the new GDPR regulations can end up with your organisation slapped with a 4% global turnover fine, not 4% of global profit, 4% of every dollar your company has brought in! For HSBC as an example that would be a 2.4 Billion dollar fine, for Amazon 5.3 Billion and for Apple 8.6 Billion, numbers that make board members sit up and take notice.
So what are your obligations under GDPR? If you store or process personal end user data of an European Union resident you must implement measures which meet the principles of data protection by design and data protection by default. Let’s break that down.
“If you store or process personal end user data of an European Union resident”, it doesn’t matter where your servers are stored, where you are processing the data, if it pertains to an EU resident you must adhere to this regulation. Moving your servers to an offshore location in the hopes that it falls outside of European restrictions isn’t going to work, if the data pertains to an EU Resident, you are on the hook, that’s why the fine is on your GLOBAL revenue, not just your EU revenue.
When talking about “personal end user data” it means anything that can identify a user and their activities, such as a photo, homme address, location data, browsing habits, non-anonymous forum posts, videos etc etc.
A good rule of thumb is, if the data can be traced back to a specific user that user has an inherent right to that data and what happens to it. If it is completely anonymised data such as a survey on users Nutella eating habits, as long as answers can not be traced back to an end user, so no keeping IP information for example, then it would not fall under the obligations of the regulation.
The final part of the statement is “implement measures which meet the principles of data protection by design and data protection by default”, this places an obligation on the organisation to implement best practice data protection. Most organisations are interpreting this as applying best practice benchmarks, such as CIS, ISO or NIST, to data and organization security, which seems like a prudent interpretation of the regulation.
Importantly consent must be provided by the end user if you want to process their data, so for example, if you collect user data to setup a new user profile on a social network, you must get their permission to show the data on the network, not to difficult. However if you then want to use that data for another use, for example selling it to a data broker that will use the user activity to customise adverts seen by the users, you must get explicit permission to do so.
All of this seems reasonable, and doable, popping up a new “terms of service”, even if you are required to be very specific about how the users data will be used is not the end of the world, users automatically click agree and will not likely bother reading the terms in any depth.
However, the breach reporting requirements are likely to be a burden for most organisations around the globe. You are under an obligation to report on all data breaches, where user personal data has been leaked within a 72 hour window, to local data authority, such as the Information Commissioner Office in the UK. The important qualifier here is “user personal data”.
Earlier we stated that a general principle is that if the data can be traced back to a user, it is “user personal data”, if it can not be traced back to a user then you are all good. I see three types of vendors making a killing in the new GDPR world, Encryption vendors, Pseudonymisation vendors and Tanium.
If you encrypt the data, it cannot be traced back to a user, hence is no longer considered “personal data”, if it gets leaked, you have no obligation to report it, because it cannot be used to identify a user or their activities.
Pseudonymisation vendors essentially anonymise data, instead of a specific IP address visiting that foot fetish porn site twice a week, you see a hash identifier has visited the website. If a hacker manages to breach the organisation and views the log file all they see is some random hash has a foot fetish, it can not be tracked back to a specific user, so does not require you to report the breach under the requirements of the regulation. If however the breach leaked the hash to IP/User mapping database, this can be used to identify the user so must be reported, unless it was encrypted.
Now in reality rolling out a new encryption or pseudonymisation solution globally is going to take a few years minimum, especially for the HSBC, Amazon and Apple’s of the world, it is going to be an enterprise wide change program. This effectively means the efforts to comply with GDPR will focus on meeting the reporting requirements of the breach.
The first step in reporting a breach is detecting it, there are plenty of tools out there focused on detection and prevention and to a large extent these vendors have already been deployed in to large enterprises, so I don’t see a huge driver for these vendors to help resolve GDPR concerns. However, once you have been breached you need to quantify the extent of the breach, and if you have 100,000 plus endpoints that is not an easy task.
Think about it, if you have been breached, it will be because of an unknown trojan or virus sitting on your network, somewhere on your network, somewhere on one or two or dozens of those 100,000 endpoints. If it was a known virus, your next gen AV would have detected it and removed it, but it hasn’t, that’s why you are infected and leaking data. So how do you check 100,000 endpoints when you don’t have AV to help you?
That is where a vendor like Tanium comes in to the picture. They are essentially an endpoint agent that allows you to write your own scripts to query the endpoint for information and when you find something troubling, you can write another custom script to remediate the troublesome issue. It allows you to quantify the extent of the issue and remediate it, almost in real-time. When the clock is ticking and you have only got 72 hours to quantify, remediate and report on the breach, you need the flexibility to create your own content, customised to remediate this unique breach in your organisation, this capability is invaluable.
Now before any Tanium peeps jump all over me and complain that they do lots of other stuff like, Patching, CIS Compliance, Vulnerability compliance and other protection and detection capabilities, that’s not the point, the gap that organisations have is post-breach. There are plenty of tools out there to help with protection and detection and I am sure those vendors will argue they are best of breed and have better capabilities than Tanium, but when those solutions fail and you get breached, and they do every single day, you need to be able to quantify and remediate on 100,000 endpoints and you have got 72 hours to do so, that’s the challenge.
If you are on every single endpoint and you can say, “check for this running process” and get answers back in seconds for 100,000 endpoints you are on to a winner. Ask yourself, how long does it take for you to roll out a global update to 100,000 endpoints today? If it is more than 72 hours you are already in trouble, because that is the window you have to quantify, remediate and report on the breach under GDPR.
I am sure another peer-to-peer competitor will pop up eventually to eat some of Tanium’s cake, but in the meantime along with the encryption and pseudonymisation vendors, it is going to be financially rewarding time for their stakeholders.
However, the breach reporting requirements are likely to be a burden for most organisations around the globe. You are under an obligation to report on all data breaches, where user personal data has been leaked within a 72 hour window, to not only the user but also your local data authority, such as the Information Commissioner Office in the UK. The important qualifier here is “user personal data”.
This statement is inaccurate…organizations are only required to report to the data protection authority (DPA) in 72 hours. There may be many factors and/or guidance from the DPA that will guide the timing and method of notification to those effected.