Data security and the GDPR
The European Union (EU) General Data Protection Regulation (GDPR) is the most significant development in data privacy in decades. Its aim is to protect the personal data of people in the EU from misuse and breaches. The regulation applies from 25 May 2018 and imposes heavy fines for noncompliance: up to 4% of annual worldwide turnover or €20 million, whichever is higher.
While the GDPR mandates a number of organizational and technical measures, achieving compliance in large measure comes down to good data security. The GDPR names pseudonymization and encryption as two mechanisms that can be used to protect personal data, which in practice means the personally identifiable information (PII) an organization holds.
Our new technical white paper titled “Example Architectures for Data Security and the GDPR” presents use cases for application of pseudonymization and encryption to protect data. The paper also provides an overview of the HPE SecureData core technologies and platform, and then describes architectures and strategies adopted by two of HPE’s customers to secure PII data.
Pseudonymization and encryption: What’s the difference?
The GDPR specifically calls out pseudonymization and encryption as appropriate safeguards for personal data, but what do these two terms mean? The white paper explains that pseudonymization is often used as a general term for various data de-identification techniques in which the pseudonym, or surrogate value, can still be used in business processes. Field-level encryption and tokenization are both examples of pseudonymization. One caveat worth keeping in mind: under the GDPR's own definition, pseudonymized data remains personal data as long as the additional information needed to re-identify it (such as the key or token vault) exists, so that information must be kept separately and under strict access control.
The GDPR is careful not to prescribe specific forms of encryption or pseudonymization. Legacy encryption methods render data unrecognizable, changing its length and character set, and so break applications and databases that expect the original format. The GDPR does, however, point to two properties a protection mechanism should have: the ability to decrypt the data when necessary, and the ability to keep running business processes on the protected data. HPE Format-Preserving Encryption (HPE FPE) is designed to deliver both at enterprise scale.
What are the use cases for pseudonymization and encryption?
The white paper outlines four use cases. The first is "Secure analytics" for data warehouses, Big Data and Hadoop. Organizations constantly collect and store sensitive data such as names, addresses, phone numbers and account numbers, and obtaining a return on that investment requires opening the data up to data scientists for analysis. Expanding access to sensitive data, however, exposes the organization to breaches through insider theft, data mishandling, or weaknesses in a third party's security. Loading HPE FPE-protected data into these platforms lets organizations run analytics on de-identified data: analysts work with the protected form of the data and still get their insights, because the protected values keep their format and their relationships to one another. This approach reduces the risk of a data breach, helps keep the enterprise in compliance with regulations such as the GDPR, and preserves the ROI of the Hadoop investment.
Migration to the cloud is the second use case: For sensitive corporate and customer data such as medical or financial data, adopting new cloud capabilities imposes unique challenges, business risks, and compliance complications due to the nature of cloud architecture. Replacing identifiable data with an encrypted value narrows possible exposure of sensitive data and can greatly reduce audit scope and compliance costs.
The third use case is protecting data in live production systems. Field-level data protection ensures that attackers do not obtain real PII when the surrounding controls (network perimeter, host hardening, access control) are eventually breached. Only selected applications and users that have been authenticated and authorized can decrypt data for use, in real time. Every other application operates on HPE FPE-encrypted data, which shrinks the attack surface for retrieving sensitive PII within the enterprise's infrastructure and lowers the organization's risk.
The fourth use case the paper describes is development and test systems. When data is copied straight out of production databases, large volumes of private data accumulate on unprotected servers and workstations, exposing the enterprise to needless risk. An alarming number of data breaches, together with regulatory requirements such as the GDPR, highlight the need to de-identify sensitive data when moving it from production into test, development, and training environments. Passing encrypted data into these systems protects it against loss and theft while preserving the agility teams need in their application development process.
The paper also discusses two technology considerations for encryption and pseudonymization: HPE Format-Preserving Encryption and HPE Stateless Key Management. HPE FPE encrypts virtually any data type while preserving its format, relationships, context and meaning, so protected values fit into legacy systems unchanged and the need to decrypt is minimized. The result is stronger security with no loss of data utility.
As organizations protect more applications and more PII data types with encryption, they face growing challenges in scaling their key management systems. Unlike legacy key management solutions that require complex replication and scaling architectures, HPE Stateless Key Management generates and re-generates keys on demand, so there is no ever-growing key store to replicate or back up. That makes it well suited to Hadoop and Big Data use cases, since it scales across distributed physical and logical locations without adding key-store overhead.
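To make the two properties concrete (format-preserving encryption that keeps business processes running, and stateless keys derived on demand instead of stored), here is a small added illustration written for this post. It is not HPE's code and does not reproduce HPE FPE or HPE Stateless Key Management; it assumes a toy FF1-style Feistel cipher over decimal digits with HMAC-SHA256 as the round function, and a constructed master secret. It is for understanding the concept only, not for protecting real data.

```python
import hmac
import hashlib

# Constructed demo secret. In a real deployment the master secret lives in an
# HSM or key management service and is never embedded in application code.
MASTER_SECRET = b"constructed-demo-master-secret-do-not-reuse"


def derive_key(master: bytes, context: str) -> bytes:
    """Stateless key derivation: key = PRF(master, context).

    Any node holding the master secret can recompute the key for a context
    string such as "app=billing;field=card" on demand, so there is no per-key
    database to replicate or back up. HMAC-SHA256 as the PRF is an assumption
    of this demo, not a description of the vendor's construction.
    """
    return hmac.new(master, context.encode("utf-8"), hashlib.sha256).digest()


def _round_function(key: bytes, tweak: str, round_no: int, half: str) -> int:
    """Feistel round function: keyed PRF over (tweak, round number, other half)."""
    msg = f"{tweak}|{round_no}|{half}".encode("utf-8")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt_digits(key: bytes, digits: str, tweak: str = "", rounds: int = 10) -> str:
    """Toy format-preserving encryption over a decimal string (FF1-style Feistel).

    The output has the same length and alphabet as the input, and is
    deterministic for a given (key, tweak), so equality joins and lookups on
    the protected value still work. 'rounds' must be even so the half widths
    line up again at the end.
    """
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    if rounds % 2:
        raise ValueError("rounds must be even")
    n = len(digits)
    u, v = n // 2, n - n // 2           # widths of the two halves
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v      # width of the half updated this round
        c = (int(a) + _round_function(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: str = "", rounds: int = 10) -> str:
    """Inverse of fpe_encrypt_digits: walk the same rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect(key: bytes, value: str, tweak: str = "") -> str:
    """Encrypt only the digits of a formatted value and leave punctuation alone,
    so '4111-1111-1111-1111' stays a dash-separated 16-digit string that any
    downstream schema or validator still accepts."""
    digits = "".join(ch for ch in value if ch.isdigit())
    enc = iter(fpe_encrypt_digits(key, digits, tweak))
    return "".join(next(enc) if ch.isdigit() else ch for ch in value)


def unprotect(key: bytes, value: str, tweak: str = "") -> str:
    """Reverse protect(): only an authorized caller holding the key gets here."""
    digits = "".join(ch for ch in value if ch.isdigit())
    dec = iter(fpe_decrypt_digits(key, digits, tweak))
    return "".join(next(dec) if ch.isdigit() else ch for ch in value)


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    card_key = derive_key(MASTER_SECRET, "app=billing;field=card")
    card = "4111-1111-1111-1111"
    protected = protect(card_key, card)
    print("protected :", protected)               # same shape, different digits
    print("recovered :", unprotect(card_key, protected))
    # A different context (say, the test environment) derives a different key
    # from the same master secret without any key store being consulted.
    assert derive_key(MASTER_SECRET, "env=test") != card_key
```

Two points carry over to the real systems. Because the cipher is deterministic per (key, tweak), the same card number protects to the same value everywhere, which is what lets analytics, joins and de-duplication keep working on protected data; the tweak (for example a merchant ID or table name) is what stops that determinism from leaking cross-dataset correlations you did not intend. And because keys are derived rather than stored, rotating the master secret or adding a new field means deriving a new context, not provisioning and replicating a new key record.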
The white paper concludes by presenting two real-world examples. The first is a large European telco that collects massive data sets from its mobile subscribers in a number of European countries and expects to process over 11 billion records daily.
Its business need was to protect those massive data sets, which include PII; to comply with the data residency laws of multiple countries as well as the GDPR; and to apply encryption while retaining the ability to analyze the data to detect access fraud, gain insight into usage patterns, and debug network fault scenarios.
The second example is a global card brand. Research suggested it could realize huge cost savings by moving data to the cloud. Moving data in the clear, however, would introduce a number of risks, including the possibility of a data breach, data jurisdiction challenges, and potential noncompliance with regulations including the GDPR.
Its business need was support for a large-scale hybrid infrastructure with a mix of legacy, enterprise, and cloud platforms, and the ability to protect data from specific applications immediately as they were moved to the cloud. The solution also needed to scale to protect billions of instances of PII across hundreds of applications that collect, store, and process it.
The paper describes the solutions these two customers adopted and the benefits they realized. To read more, download the full white paper, "Example Architectures for Data Security and the GDPR."