Dev and Security Adjustments to Prepare for GDPR - InformationWeek
1/25/2018
02:00 PM
Mike D. Kail, Chief Technology Officer, CYBRIC

Dev and Security Adjustments to Prepare for GDPR

Adoption of DevOps can help organizations comply with GDPR and other privacy standards by building security into software from the start.

The increase in breach frequency is driving tremendous awareness (and pressure) in Washington, which likely means new, stricter regulations on data privacy. One such regulation companies are already prepping for is the General Data Protection Regulation (GDPR), the legal framework that sets guidelines for collecting, processing, and storing the personal information of individuals within the European Union.

This includes the Privacy by Design obligation, which requires businesses to factor in data privacy at the initial design stages of a project as well as throughout its entire lifecycle. The regulation goes into effect on May 25, which doesn't allow organizations a great deal of time to prepare, especially when added to the myriad other activities occurring in day-to-day business operations.

So what does this mean for DevOps? Given the speed at which applications must be brought to market and looming regulations like GDPR, organizations must integrate security into the development process to ensure that vulnerabilities are fixed ahead of production. Cutting corners with security or adding it in after the fact is no longer an option. Rather than make adjustments every time there's a new regulation or compliance mandate, organizations need to start improving security processes now to prepare for and get ahead of any future regulations.

Increasing severity and cost of breaches

According to the Breach Level Index, more than five million records are stolen each day, and the associated cost of a breach is forecast to be $150m by 2020. On top of this, end users are becoming increasingly concerned about the safety of their personal data, and massive breaches like the recent Equifax and Uber disclosures only add fuel to the fire of those fears. Under GDPR, there are serious sanctions and penalties for not being in compliance. For example, regular data protection audits will be mandated after the first, non-intentional compliance infraction, which will also be accompanied by a notice in writing. Subsequent or intentional infractions will result in a penalty of €10-20 million or 2-to-4% of global annual turnover from the prior year, whichever is greater. To put that into perspective, Hilton was fined $700k for a data breach, but under GDPR that could have been a staggering $420 million.

It is apparent that the current disparate security initiatives leveraging manual processes and tools aren’t working, and arguably are falling further and further behind the techniques of sophisticated attacks. Automation and orchestration are two approaches that, along with the collaborative culture of DevSecOps, can help level the playing field and start increasing the cyber resiliency of organizations.

Transparency, full disclosure, and collaboration

The scope of what personal data is covered under GDPR includes the following:

● Name
● E-mail Address(es)
● Address
● Identification Number
● Social Media Posts
● Bank Details
● Online Identities
● Medical Details
● IP Address/ISP
● Cookies

Essentially anything that can be used to determine one's identity is covered under GDPR, which, given the plethora of Internet sites and apps that can potentially collect and store this information, creates a substantial challenge for IT leaders.

So what steps should IT leaders take to ensure that they don't put their company at risk for large GDPR violation fines?

Transparency with end users about how you will store and use their personal data is one of the core principles set forth by GDPR. This means that you collect and use their data only for legitimate, disclosed reasons, and that you also provide simple mechanisms for users to update their personal information.

Stored data must remain bound to the purpose it was collected for -- that means you can't collect someone's personal data and then use it for reasons other than those disclosed to them. There must also be a mechanism in place to allow users to opt out of the storing of their data and of being profiled by marketing campaigns. Finally, a couple of additional disclosures address the duration for which the data will be stored and the details of how the data is securely handled and processed. In the past, security was typically "control-based"; with GDPR, that control shifts to the data owner, and security needs to transition to "context-based", where, once again, companies are transparent with their users regarding their personal data.

Transparency is often increased by collaboration, which is where the DevOps methodology can help. First, security context must be designed, ideally from the onset, and everyone should be aware of the scope of the data being collected and stored by the application. Also, by automating as many of the services that access and store data as possible, you are able to create an audit report that provides assurance to both the end users and the regulators. Data security needs to be an integral part of the storage solution, and all data should be encrypted both in transit and at rest.
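The handling principles described above (use limited to the purposes disclosed at collection, an opt-out from profiling, a stated retention period, and an audit trail that can be reported to users and regulators) can be enforced in code rather than by policy alone. The following is an added example written for this article, not code from the author or from CYBRIC; the class, method and field names are assumptions, and the sample subject record is constructed. Encryption of records at rest and TLS in transit, which the paragraph also calls for, are assumed to be provided by a vetted library and a separate layer and are not shown here.

```python
"""Added illustration of purpose limitation, opt-out, retention and audit
logging for personal data. Names and sample data are assumptions for this
example, not the article's or CYBRIC's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class PurposeViolation(Exception):
    """Raised when data is requested for a purpose the user was not told about."""


@dataclass
class PersonalRecord:
    subject_id: str
    fields: dict                   # e.g. name, e-mail, IP address (all in GDPR scope)
    disclosed_purposes: frozenset  # purposes the user was told about at collection
    collected_at: datetime
    retention_days: int            # retention period disclosed to the user
    opted_out_of_profiling: bool = False


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    subject_id: str
    purpose: str
    allowed: bool


class PersonalDataStore:
    """In-memory store that checks every access against the disclosed purposes
    and records it. Assumption: a real deployment encrypts each record before
    persisting it; that layer is deliberately outside this illustration."""

    def __init__(self):
        self._records = {}
        self._audit = []

    def collect(self, record):
        self._records[record.subject_id] = record

    def access(self, subject_id, purpose, actor, now):
        """Return the subject's fields only for a disclosed purpose; log either way."""
        record = self._records[subject_id]
        allowed = purpose in record.disclosed_purposes
        if purpose == "profiling" and record.opted_out_of_profiling:
            allowed = False
        self._audit.append(AuditEvent(now, actor, subject_id, purpose, allowed))
        if not allowed:
            raise PurposeViolation(f"{purpose!r} is not permitted for {subject_id}")
        return dict(record.fields)

    def opt_out_of_profiling(self, subject_id):
        self._records[subject_id].opted_out_of_profiling = True

    def purge_expired(self, now):
        """Delete records whose disclosed retention period has elapsed; return their ids."""
        expired = [sid for sid, r in self._records.items()
                   if now >= r.collected_at + timedelta(days=r.retention_days)]
        for sid in expired:
            del self._records[sid]
        return expired

    def audit_report(self):
        """Summary figures that can be handed to end users or regulators."""
        return {
            "accesses": len(self._audit),
            "denied": sum(1 for e in self._audit if not e.allowed),
            "records_held": len(self._records),
        }


def run_demo():
    """Constructed walk-through: one allowed access, two denied, then retention purge."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.collect(PersonalRecord("subject-1", {"name": "Example User", "email": "user@example.com"},
                                 frozenset({"account_service", "profiling"}), now, 30))
    store.access("subject-1", "account_service", "billing-job", now)   # disclosed: allowed
    store.opt_out_of_profiling("subject-1")
    for purpose, actor in (("profiling", "marketing-job"), ("resale", "partner-export")):
        try:
            store.access("subject-1", purpose, actor, now)             # denied, but logged
        except PurposeViolation:
            pass
    purged = store.purge_expired(now + timedelta(days=31))            # past 30-day retention
    return store.audit_report(), purged


if __name__ == "__main__":
    print(run_demo())
```

Every call, allowed or not, lands in the audit list, so the report distinguishes denied attempts from successful ones; the purge uses the retention period the user was given rather than an operator's ad hoc choice.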

For IT leaders, outside of GDPR, these are all good requirements for any solution that accepts and stores sensitive data.

Organizational structure and responsibilities

The GDPR outlines the key titles and responsibilities for the data, which are:

● Data Protection Officer – subject matter expert in data protection laws
● Data Controller – any entity that collects data from EU residents
● Data Processor – service provider that processes data on behalf of the data controller

These three roles, along with their respective teams, need to work with development and security to lay out the strategy for data acquisition, processing, and storage, and then put repeatable processes in place to ensure proper compliance. This is another area where the DevOps methodology can be leveraged, specifically in the automation of processes and controls, as well as the measurement of their effectiveness. Collaboration, another core tenet of DevOps, is also needed between these three roles and any other relevant teams involved with data acquisition and processing.

If you haven't started putting together your data protection strategy plan, it's time to start. An overall approach that provides continuous visibility, security and audit metrics is what I believe will be both the most efficient and ultimately successful, which is why applying DevOps methodologies is the logical move.

Mike D. Kail is Chief Technology Officer at CYBRIC, where he is responsible for the strategic vision and technical direction of the platform. Prior to founding CYBRIC, Mike was Yahoo’s CIO and SVP of Infrastructure, where he led the IT and data center functions for the company. He has more than 25 years of IT operations experience with a focus on highly-scalable architectures.
