The increase in breach frequency is driving tremendous awareness (and pressure) in Washington, which likely means new, stricter regulations on data privacy. One such regulation companies are already prepping for is the General Data Protection Regulation (GDPR), the legal framework that sets guidelines for collecting, processing, and storing the personal information of individuals within the European Union.
This will include the Privacy by Design obligation requiring businesses to factor in data privacy at the initial design stages of a project, as well as throughout its entire lifecycle. The regulation goes into effect on May 25, which doesn't allow organizations a great deal of time to prepare, especially when added to the myriad of other activities occurring in day-to-day business operations.
So what does this mean for DevOps? With the speed at which applications must be brought to market and with looming regulations like GDPR, organizations must integrate security into the development process to ensure that vulnerabilities are fixed ahead of production. Cutting corners with security or adding it in after the fact is no longer an option. Rather than make adjustments every time there's a new regulation or compliance mandate, organizations need to start improving security processes now to prepare for and get ahead of any future regulations.
Increasing severity and cost of breaches
According to the Breach Level Index, more than five million records are stolen each day, and the associated cost of a breach is forecast to be $150m by 2020. On top of this, end users are becoming increasingly concerned about the safety of their personal data, and massive breaches like the recent Equifax and Uber disclosures only add fuel to the fire of those fears. Under GDPR, there are serious sanctions and penalties for not being in compliance. For example, regular data protection audits will be mandated after the first, non-intentional compliance infraction, which will also be accompanied by a notice in writing. Subsequent or intentional infractions will result in a penalty of €10-20 million or 2-to-4% of global annual turnover from the prior year, whichever is greater. To put that into perspective, Hilton was fined $700k for a data breach, but under GDPR that could have been a staggering $420 million.
It is apparent that the current disparate security initiatives leveraging manual processes and tools aren’t working, and arguably are falling further and further behind the techniques of sophisticated attacks. Automation and orchestration are two approaches that, along with the collaborative culture of DevSecOps, can help level the playing field and start increasing the cyber resiliency of organizations.
Transparency, full disclosure, and collaboration
The scope of what personal data is covered under GDPR includes the following:
● E-mail Address(es)
● Identification Number
● Social Media Posts
● Bank Details
● Online Identities
● Medical Details
● IP Address/ISP
Essentially anything that can be used to determine one's identity is covered under GDPR, which, given the plethora of Internet sites and apps that can potentially collect and store this information, creates a substantial challenge for IT leaders.
So what steps should IT leaders take to ensure that they don't put their company at risk for large GDPR violation fines?
Transparency with end users on how you will be storing and using their personal data is one of the core principles set forth by GDPR. This means that you collect and use their data only for legitimate reasons, and that you also provide simple mechanisms for users to update their personal information.
Data that is stored must stay tied to the purpose for which it was collected; that means you can't collect someone's personal data and then use it for reasons other than those disclosed to them. There must also be a mechanism in place to allow users to opt out of the storing of their data and to not be profiled by marketing campaigns. Finally, a couple of additional disclosures address the duration for which the data will be stored, and details around how the data is securely handled and processed. In the past, security was typically "control-based"; with GDPR, that control shifts to the data owner, and security needs to transition to "context-based", where, once again, companies are transparent with their users regarding their personal data.
Transparency is often increased by collaboration, which is where the DevOps methodology can help. First, the security context must be designed in, ideally from the outset, and everyone should be aware of the scope of the data being collected and stored by the application. Also, by automating as many of the services that access and store data as possible, you are able to create an audit report that provides assurance to both the end users and the regulators. Data security needs to be an integral part of the storage solution, and all data should be encrypted both in transit and at rest.
For IT leaders, outside of GDPR, these are all good requirements for any solution that accepts and stores sensitive data.
Organizational structure and responsibilities
The GDPR outlines the key titles and responsibilities for the data, which are:
● Data Protection Officer – subject matter expert in data protection laws
● Data Controller – Any entity that collects data from EU residents
● Data Processor – Service provider that processes data on behalf of data controller
These three roles along with their respective teams need to work with development and security to lay out the strategy for data acquisition, processing, and storage, and then put repeatable processes in place to ensure proper compliance. This is another area where DevOps methodology can be leveraged, specifically in the automation of processes and controls, as well as measurement of their effectiveness. Collaboration, another core tenet of DevOps, is also needed between these three roles and any other relevant teams that are involved with data acquisition and processing.
If you haven't started putting together your data protection strategy plan, it's time to start. An overall approach that provides continuous visibility, security and audit metrics is what I believe will be both the most efficient and ultimately successful, which is why applying DevOps methodologies is the logical move.
Mike D. Kail is Chief Technology Officer at CYBRIC, where he is responsible for the strategic vision and technical direction of the platform. Prior to founding CYBRIC, Mike was Yahoo’s CIO and SVP of Infrastructure, where he led the IT and data center functions for the company. He has more than 25 years of IT operations experience with a focus on highly-scalable architectures.