New: Free In-Depth Webinar
Learn how to get GDPR ready in one single step implementing risk based authentication and web-based protection from cyber-attacks.
Personally Identifying Information (PII) has become an increasingly important topic in cyber security as the focus of cybercriminals has moved from the theft of financial data to this information. According to the Breach Level Index, almost 5 billion data records have been stolen since 2013 – an astonishing 3.5 million per day on average. In a Quorcirca report on European cyber threats, 68% of respondent organizations had been a victim of a successful cyber attack, with 36% suffering a data loss as a result.
To try to prevent this mass leakage, the original 1995 EU Data Protection Directive (95/46/EC) has recently been updated. Now known as the General Data Protection Regulation (GDPR), and published in May 2016, due to come into full force on May 25th, 2018, it is expected to bring a degree of harmony across the EU states with respect to data protection. It is also meant to enforce cyber security more rigorously – with the threat fines of up to 4% of a company’s global turnover.
In an age where data protection has never been more important, the question is how does the GDPR cover the ubiquitous nature of data that is created, managed and transferred through web apps?
What is the GDPR?
Cross border business is now a normal mode of operation for many organizations. The GDPR has been designed to ensure that data privacy and protection is homologous across all EU nations. In other words, the same data protection regulations apply to every EU country in a uniform manner. Even the UK, who choose to ‘Brexit’ in June this year, will still need to abide by the requirements of GDPR, as will any country that wants to trade products or services with Europe, including those that are free.
The GDPR rules are broad and far reaching. They cover any and all PII, including email address, date of birth, name, and so on, for both B2C and B2B organisations and covers applies to ‘controllers’ and ‘processors’. It is expected that specific data protection officers will become the norm in organizations in and / or trading with Europe, responsible for implementing the directive.
Unlike the original EU directive, the GDPR has gone much further in expectations and guidelines of how to protect data covering issues including:
- Pseudonymisation of data
- Personal data encryption
- Personal data integrity, confidentiality, and availability
- The allowing of access to personal data by the owner and the ability to update as required
- On-going maintenance and testing of the resilience of the systems
Data processors are now also obligated to report a data breach, and fines and penalties will be implemented as punishment for non-compliance and alert avoidance. Understandably, the GDPR is causing concern across all industries. According to research, over half of enterprise IT decision makers don’t feel they meet the compliance requirement of GDPR. Three quarters of Information Security Officers believe that the expectations of GDPR will greatly impact IT purchases and security provisioning. GDPR is arguably one of the most far reaching and impactful security and privacy regulations to have ever been attempted, anywhere in the world.
How Does it Impact Web Apps?
A recent study into Shadow IT and Cloud Web Services, looking at 15 of the directive guidelines, has found that 98% of Cloud apps are not GDPR ready. The directive is based on the solid principle of Privacy by Design (PbD) and Data Protection by Design (DPbD) and so all the design, development and implementation of web apps and associated components, will need to be built using these principles to ensure compliance with the GDPR.
But what does PbD or DPbD mean in real terms? Two of the GDPR regulations explain this:
Recital 39: Any processing of personal data should be lawful and fair. … Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
Recital 49: The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
These principles cover a very wide scope and are challenging, to say the least, but it is believed that they ‘will incentivise businesses to innovate and develop new ideas, methods, and technologies for security and protection of personal data.’
How to Comply with GDPR When Utilizing Web Apps
There are two fundamental areas where United Security Providers can help ensure GDPR compliance.
Learn more in our free in-depth webinar
Learn how to implement a GDPR compliance and protection of web applications like SAP, portals or web services processing personally identifiable information (PII).
Protection against web-based attacks: The enablement of application layer security, including protecting web facing systems from cyber-attacks. More traditional tools such as network firewalls and intrusion prevention will not protect systems from modern web-based attacks, such as those identified by the the OWASP top ten web vulnerabilities project. Web Application Firewalls (WAF) are the next generation tools built to handle web-based attacks and are widely adopted within PCI environments to offer protection against the OWASP top ten vulnerabilities. The OWASP top three, includes several issues which can be mitigated using a WAF, including, Injection attacks against web based databases, Cross Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
Protection using robust authentication: The third most important OWASP top ten issue is around broken authentication measures. Multiple factor and risk based authentication are both highly effective measures against cyber-attacks. Password, as a single authentication measure, is full of risk; from the use of weak or repetitive passwords across multiple systems to the act of writing passwords down. Creating a secure barrier between the internet and an organization’s user directories. Adaptive authentication enables organizations to increase appropriate levels of authentication based on multiple potential risks and adjust accordingly. Factors may include user’s current location, access device type, time of access or other policies that utilize user group profiles such as sensitivity of an application or data being accessed at that time can be used. In addition, Single Sign-On (SSO) enables the use of strong user credentials across all internal, hosted and external SaaS (Federated identity) environments, enabling seamless access and enhanced user experience.
How to get web apps GDPR ready in one step
IT security vendors are responding to the growing demand for scalable, baseline protection of web applications, that meet the GDPR principles. A company who specialises in meeting this demand is United Security Providers. USP are a european leader in security and have been protecting global financial services, web applications and data, since 1997. The USP Secure Entry Server offers both, web application protection and robust user authentication in an all-in-one solution: USP Secure Entry Server® is located in front of application servers and handles communication with the clients on behalf of those servers. In this way, applications are never addressed directly. USP Secure Entry Server® simplifies the access infrastructure, helps with the fulfilment of security policies and compliance requirements, enhances traceability, and improves auditability.
Harmony Across Europe
One very positive aspect of the GDPR is the harmonization of security across EU countries. Standards are often very helpful in creating an ethos of predictability and control – in this respect, the GDPR is a welcome update. It is hoped that a single set of rules at EU level will both strengthen the reputation of European data protection, build trust in the online environment, and make it a more attractive market to trade with.
However, compliance with the far-reaching and precise nature of the GDPR expectations is a challenge. It may seem far off, but May 2018 is fast approaching. Choosing the right tools to prepare your business and adapt to ever changing technologies and their resulting challenges will help you overcome the hurdles of GDPR compliance and benefit both your organization and customers as cyber-risks are mitigated and data protected.
Discuss further directly with us
We are looking forward to discussing the topic further with you in terms of your individual needs. Please request a call back to get in touch with us.