The General Data Protection Regulation, or GDPR, is a major piece of legislation adopted in 2018. It is designed to address the protection and responsible use of every European Union citizen’s personal data. However, GDPR is not an EU-only regulation. It affects ANY business or individual handling the data of EU citizens, regardless of where that business or individual is based.
We were warned that the penalties for non-compliance could be stiff: up to €20 million (about $24 million USD) or 4 percent of annual global turnover, whichever is greater.
What Has GDPR Done Lately?
Over the last 3+ years, GDPR has received mixed reviews. Bringing a complaint is often a slow process because the companies involved may operate in many countries but have their corporate headquarters in countries where litigation is exponentially more complex. Adding to the delays, in most instances all other EU countries have an opportunity to join a complaint, which extends the process and complicates evidence gathering. The European Data Protection Board (EDPB), which was set up to promote cooperation between the EU’s data protection regulators, acknowledges that the system isn’t all it could be. In the April 8th, 2021 issue of WIRED Magazine an EDPB spokesperson was quoted as saying, “Enforcing at a national level and at the same time resolving cross-border cases is time and resource intensive. Slowly, but steadily, we are seeing results”. This claim is punctuated by the fact that there have been 254 final decisions from filed complaints.
Make no mistake, GDPR has teeth. A recent judgment against Amazon resulted in a fine of $788 million. Ireland’s Data Protection Commission (DPC) just announced that WhatsApp, owned by Facebook, is facing fines up to $267M for violating articles 5(1)(a), 12, 13 and 14 of the GDPR. While all judgments are immediately contested (and in most cases reduced), the fines are still very substantial.
The GDPR resembles the PCI DSS in that it aims for a comprehensive approach to data protection that goes well beyond the technical aspects, though the individual GDPR requirements aren’t as technically detailed. GDPR’s security tenets and objectives are the same as PCI DSS: to protect, secure and track use of specific types of data. Compliance with its requirements requires both implementing security best practices and modifying processes and human behavior to comply with those best practices, including timely analysis of anomalies.
GDPR requirements differ in other ways from the PCI DSS requirements:
- They apply to many more types of personal data, including addresses, phone numbers, IP addresses and health-related data (and have different rules for handling certain data types).
- They are much more prescriptive with respect to governance.
- They place much more emphasis on allowable use of the data, including data subject consent and advance analysis of the potential privacy impact and available mitigations when introducing a new form of processing.
Like most regulations, GDPR has its own distinct terminology and set of definitions. In order to evaluate its impact on your organization, it is important that you understand key concepts such as “personal data”, “data controller” and “processor”. To help make sense of it, the definitions of interest include:
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
See Article 4 of the GDPR for a complete set of definitions.
Meeting GDPR Compliance
Being a security technology company, we’d love to offer a cure-all solution that will effortlessly make an organization 100% secure and compliant. Each business, however, is unique. The best way to start is by identifying your assets and building a security strategy around those assets to mitigate risk. Proper identification of what needs to be protected is essential. Know what data you possess, where it resides, what you are protecting and why you are protecting it. GDPR compliance makes identifying your assets critically important. We discussed these processes in a previous article. Here are the brass tacks:
A Step-By-Step Guide to HPE NonStop Compliance.
Authentication and Access Control
Article 32 of the GDPR states “the data controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Further, Article 32 requires “the data controller or data processor must take steps to ensure that any natural person with access to personal data does not process the data except on instruction of the controller, processor, European Union law, or member state law”.
This means ensuring that proper authentication, access control, and identity management are in place to ensure a level of security appropriate to the risk. These components are fundamental parts of a data security strategy and ensure that the appropriate protection layers are in place to mitigate the risk.
The authentication aspects of Article 32 can be addressed by deploying and appropriately configuring the following solution supplied with the HPE NonStop OS:
XYGATE User Authentication for extending Safeguard’s authentication controls and integrating NonStop security with RSA tokens for Multi-Factor Authentication.
The access control technical aspects of Article 32 can be addressed by deploying and appropriately configuring the following optional product solution supplied through HPE:
XYGATE Access Control for Role Based Access Control and Keystroke Logging to capture command activity.
And the identity management technical aspects of Article 32 can be addressed by deploying and appropriately configuring third-party solutions available for HPE NonStop servers.
“Luckily, most of the solutions and tools required to address GDPR technical security requirements and demonstrate compliance are readily available.”
– Steve Tcherchian, CISSP, XYPRO Technology Corporation
Auditing and Alerting
Article 33 of the GDPR requires prompt breach notification: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”
In order to detect personal data security breaches, records of all activity that touches that data need to be collected and organized in a way that makes it as easy as possible to detect and report on all unauthorized access. For NonStop systems, this essentially means auditing everything associated with GDPR-defined personal data – or as much as possible to address the risk. Having security data available, and solutions in place to report on it, allows quick alerting and ready access to the data and evidence needed to comply with this Article. Of course, you should act up front to minimize the potential for breaches as reflected in Article 32, and auditing other aspects of your security environment, such as subsystem configuration changes, is necessary for early detection of changes that might reduce the effectiveness of your security risk mitigation.
Auditing all NonStop security-related activity and events may seem easier said than done, especially when you have hundreds of thousands (maybe millions) of events occurring daily throughout your environment. What you need is a software solution powerful enough to track, filter, manage and report on all relevant NonStop security-related activity.
XYGATE Merged Audit merges multiple sources of NonStop audit data (for example, Safeguard, XYGATE, EMS, Measure, ACI BASE24®, IHSS Telco solution, SECOM, and SQLXPress) into a single NonStop repository. This merged and normalized data can be used to forward to security analysis platforms specifically for HPE NonStop data, alerting, reporting and integrating with enterprise Security Information and Event Management (SIEM) solutions.
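The approach described above, normalizing audit records from several sources into one stream and then reporting on unauthorized access to personal data, is illustrated by the following added example. It is constructed for this article and is not XYGATE Merged Audit code or output: the two source line formats, the file names, the role names and the data inventory are all assumptions. The example merges the two constructed sources, flags any operation on a classified personal-data file by a role not approved for that file, and computes the Article 33 notification deadline from the time of awareness.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data inventory (an assumption for this example): the NonStop files
# classified as holding GDPR personal data, and the job roles allowed to touch them.
PERSONAL_DATA_FILES = {
    "$DATA.CUST.ADDRESS": {"billing", "support"},
    "$DATA.CUST.HEALTH": {"medical"},
}

# Constructed sample audit lines in two made-up source formats. They stand in for
# the per-subsystem formats a merged-audit product would normalize; they are not
# real Safeguard or XYGATE output.
SOURCE_A_LINES = [  # pipe-separated: ts|source|user|role|action|object
    "2021-09-02T10:15:00Z|SAFEGUARD|alice|billing|READ|$DATA.CUST.ADDRESS",
    "2021-09-02T10:16:30Z|SAFEGUARD|bob|ops|READ|$DATA.CUST.HEALTH",
]
SOURCE_B_LINES = [  # key=value pairs separated by spaces
    "ts=2021-09-02T10:17:00Z src=XYGATE user=carol role=support act=WRITE obj=$DATA.CUST.ADDRESS",
    "ts=2021-09-02T10:18:00Z src=XYGATE user=dave role=ops act=READ obj=$DATA.CUST.ADDRESS",
]


@dataclass(frozen=True)
class AuditEvent:
    """One normalized record, whatever subsystem it came from."""
    ts: datetime
    source: str
    user: str
    role: str
    action: str
    obj: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_source_a(line: str) -> AuditEvent:
    ts, src, user, role, act, obj = line.split("|")
    return AuditEvent(parse_ts(ts), src, user, role, act, obj)


def parse_source_b(line: str) -> AuditEvent:
    kv = dict(tok.split("=", 1) for tok in line.split())
    return AuditEvent(parse_ts(kv["ts"]), kv["src"], kv["user"], kv["role"], kv["act"], kv["obj"])


def merge(a_lines, b_lines) -> list[AuditEvent]:
    """Normalize both sources into a single time-ordered stream."""
    events = [parse_source_a(line) for line in a_lines] + [parse_source_b(line) for line in b_lines]
    return sorted(events, key=lambda e: e.ts)


def unauthorized_access(events, inventory=PERSONAL_DATA_FILES) -> list[AuditEvent]:
    """Flag any operation on a personal-data file by a role not approved for it."""
    return [e for e in events if e.obj in inventory and e.role not in inventory[e.obj]]


def notification_deadline(aware_at: datetime) -> datetime:
    """Article 33: notify the supervisory authority within 72 hours of becoming aware."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    events = merge(SOURCE_A_LINES, SOURCE_B_LINES)
    flagged = unauthorized_access(events)
    for e in flagged:
        print(f"ALERT {e.ts.isoformat()} {e.source}: {e.user} ({e.role}) {e.action} {e.obj}")
    if flagged:
        print("Article 33 deadline if awareness is at the first alert:",
              notification_deadline(flagged[0].ts).isoformat())
```

The inventory of personal-data files is the key input: the detection only works if the classification of which files hold GDPR-defined data (the asset identification the article asks for) has actually been done and kept current. In a real deployment the parsers would be replaced by the normalized feed from the audit product and the alert would go to the SIEM rather than stdout.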
Auditing and Alerting technical aspects of Article 33 can be addressed by deploying and appropriately configuring the following solutions:
XYGATE Merged Audit for gathering, normalizing and centralizing security data.
Further Auditing and Alerting technical aspects of Article 33 can be addressed by deploying and appropriately configuring the following optional solution available for HPE NonStop servers:
XYGATE Compliance PRO for measuring compliance status against specific GDPR requirements.
To best address all Auditing and Alerting technical aspects of Article 33, a real-time security monitoring, alerting, data analysis and security intelligence solution is required and there are plenty available on the market.
Article 32 of the GDPR also references Security of processing: “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including… the pseudonymization and encryption of personal data;”
This part of the article essentially boils down to encryption and masking of personal data. Encryption is supported on the HPE NonStop at most layers – from network to data. Article 32 requires processors working with EU citizens’ personal data to use encryption.
Pseudonymization is essentially tokenization or data masking. Tokenization does not mathematically transform the data; instead it randomly maps a live data field to a functionally equivalent surrogate value (i.e., a “token”) which replaces the real data. Since a token carries no information about the actual data, tokens can be shared and stored without risk of data loss. To convert a token back to real data, a system (or application) needs to use the tokenization server, which hosts the random mapping table, to return the token to its original value. Format Preserving Encryption (FPE) can also be used here.
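The tokenization scheme described above is shown by the following added example, which is not code from this article or from any HPE or XYPRO product. It assumes an in-memory vault standing in for the tokenization server: the vault keeps the random token-to-value mapping separately, the surrogate keeps the shape of the original field (digits stay digits, letters keep their case, separators are kept) so it fits existing field widths, and only a caller with access to the vault can recover the real value. The sample values are constructed, not real personal data. This is random-mapping tokenization, not FPE; an FPE cipher would derive the surrogate from a key instead of a lookup table.

```python
import secrets
import string


class TokenVault:
    """In-memory stand-in for a tokenization server. It owns the random
    token <-> value mapping; application data stores would hold only tokens."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_surrogate(value: str) -> str:
        """Build a surrogate with the same shape as the input: digits map to
        random digits, letters to random letters of the same case, and other
        characters (separators) are kept. No output character is derived from
        the corresponding input character; each is drawn fresh from the CSPRNG."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has no characters that can be replaced")
        # Return the existing token for a value seen before, so tokenized
        # records can still be joined and looked up consistently.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_surrogate(value)
            # Reject the (rare) collision with an existing token or with the value itself.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with access to the vault can recover the real value."""
        return self._token_to_value[token]


def same_shape(a: str, b: str) -> bool:
    """True when two strings have an identical digit/upper/lower/other layout."""
    def kind(ch: str) -> str:
        return "d" if ch.isdigit() else "U" if ch.isupper() else "l" if ch.islower() else ch
    return len(a) == len(b) and all(kind(x) == kind(y) for x, y in zip(a, b))


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values; not real personal data.
    for value in ["+49 30 1234567", "DE89 3704 0044 0532 0130 00", "Jane Doe"]:
        token = vault.tokenize(value)
        print(f"{value!r:32} -> {token!r}  (shape kept: {same_shape(value, token)})")
        assert vault.detokenize(token) == value
```

The security property rests on the separation the GDPR definition of pseudonymisation calls for: the mapping table is the "additional information" that must be kept apart from the tokenized records and protected by its own access controls and audit trail, because whoever can call `detokenize` can re-identify every data subject.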
Compliance and Monitoring
Ensuring compliance is a critical aspect of any security program, and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic HPE NonStop security environment.
Let’s assume that you’ve implemented your security strategy based on the recommendations in this article and other security frameworks. You have established strong security procedures for your HPE NonStop system. The next step is to measure compliance against GDPR’s requirements. XYGATE SecurityOne and Compliance PRO contain GDPR policies, allowing security professionals to measure and monitor their GDPR compliance. XYPRO has broken down the individual GDPR data security Articles and mapped them to NonStop technical controls to validate your security configuration and simplify your GDPR compliance activity.
Given the high-value business applications and processes that run on NonStop systems and the sensitive data that they store and process, you can see why many NonStop environments will be subject to GDPR, and how HPE’s offerings, as well as other third-party security analytics solutions, can help build a zero-trust security strategy for proper data protection and monitoring of compliance.
May 2018 is more than 2 and a half years behind us and there is still a lot to do to bring both organizations and their systems into compliance. Luckily, most of the solutions and tools required to address GDPR technical security requirements and demonstrate compliance are readily available.
Hopefully, this article has given you the groundwork to rededicate your resources and what you need to focus on when it comes to GDPR and your HPE NonStop environment. The fines are significant enough to make every organization pay attention. If you need assistance with compliance readiness activity, please reach out to your account executive at HPE and they will be more than happy to help you.