Just before Christmas, one of the most important pieces of legislation to affect IT had its draft finalised. The update to the European Union’s General Data Protection Regulation (GDPR) is due to be published in early 2016 and come into general effect in 2018. This gives businesses of all sizes just two years to become compliant around how they store and manage customer data, or face massive fines. For large enterprises and small businesses alike, how they manage and secure their customers’ data will be essential. How can adopting cloud computing help these organisations in their approach?
What is the problem with data that GDPR aims to solve?
While it might seem like a sizeable timeframe, two years is not long in the world of enterprise IT. While it should make the job of managing and securing data easier for companies across their European operations, the EU GDPR deadline will pose a big challenge for many enterprises, not least because the current security landscape is complex and involves so many variables. This is made worse by the fact that most organisations lack the skilled security personnel needed to combat increasingly sophisticated cyber threats. At the same time, legacy IT tools are not designed to meet the needs of these new business environments.
However, GDPR is necessary; the amount of data companies hold is attracting more criminal activities, leading to a stark rise in the number of attacks that are taking place. This year has seen a growing number of famous brands breached including TalkTalk, Ashley Madison, Hilton Hotels and Carphone Warehouse. If these attacks have taught us anything, it’s that no one wants to be part of this growing list.
The big fines proposed by the EU put even more emphasis on security – at up to four percent of a company’s revenues the financial penalties of failure can be significant. This punitive approach should help CIOs make compliance and security investment integral to their companies’ future planning and ensure they are compliant before the 2018 deadline.
Planning for the future
However, not every company is starting from the same place. As William Gibson once said, “The future is already here — it's just not very evenly distributed.”
Out of necessity, the entire approach to security has changed over recent years. Previously, firms simply secured the perimeter by adding firewalls and protecting internal servers. Now, anyone can access company information from anywhere, on devices the company doesn’t control. Applications and data have moved out to third party services that are in the cloud. The perimeter has disappeared.
This shift to new ways of running IT has meant that companies have less visibility into what they have and the systems that are in place. Line-of-business teams can invest in their own applications and services to meet their objectives without involving IT in the decision-making process. As a result, many firms do not have the required visibility of their IT environments and global assets.
This is a major issue for planning future compliance efforts: if you don’t know what you have, how can you secure it? This calls for a comprehensive rethink around security and applications. It’s time to go back to the basics around knowing what data companies hold and where, even if those devices and applications aren’t within the company any longer.
At the same time, adequately protecting customer data is not about throwing money at the problem or hurriedly implementing new solutions. More funds will be allocated to securing infrastructure and meeting compliance requirements, but companies should also think about how to use both existing and new technology more wisely in future.
Cloud security and the benefits for businesses
The cloud itself is a big part of this trend – it is both one of the causes of the new regulations and part of how companies can respond to them. It is possible that the EU GDPR will accelerate the move to using cloud services to protect company data, as companies move away from capital expenditure and instead invest using operational budget. The cloud model has always been suggested as meeting the needs of smaller firms because it shifts the responsibility for securing infrastructure and applications to the chosen vendor, as well as reducing the cashflow impact of capital expenditure.
Larger cloud providers have the advantage of being more organised and structured than many smaller firms. Cloud firms tend to have very big data centres and they pay significant attention to security, which makes it easier for them to comply. Their entire business model is based on meeting compliance requirements for both individual customers and for themselves within the wider industry. Cloud vendors should have security built into their infrastructure from the start to cover multiple customer instances, so shifting that burden to them makes sense.
Cloud should therefore be an easy choice for both small businesses and mid-sized enterprises. All enterprise apps can be migrated over and a single sign-on solution can manage the passwords to ensure usability. There is no need to focus on the internal network and perimeter security over and above what is already in place. Instead, SMEs just need to ensure laptops and other endpoints are secure, as this is where the data will be both created and consumed.
For larger companies, the move to the cloud can be more complex; however, this shift offers far greater value back to the business compared to sticking with the old way of approaching security. The best place to start is by consolidating data centres and virtualising as much as possible. This needs to be done by the organisation, rather than a third party, as the company’s understanding of its own IT infrastructure and business requirements is incredibly valuable when it comes to compliance. For those that have already gone through virtualisation roll-outs, this can be taken further by looking at how to further streamline and automate the process for managing IT assets.
These larger firms can take advantage of the benefits provided by cloud by introducing asset management tools that take this cloud-based approach into account as well. As cloud assets can be changed and updated over time, the asset data should be continuously updated so that the company can keep control over its cloud infrastructure and ensure compliance. After all, how can you protect an asset if you don’t know it exists?
The burden of proof – avoiding excessive costs for compliance
At the same time, it’s important that companies don’t get too bogged down by the specifics of the legislation when trying to be compliant. The ‘burden of proof’ element requires firms to show they have taken the proper measures to stay secure. This can be positive because it pushes firms to do the right thing, yet it could also become merely a ‘tick-box’ exercise, with the focus on meeting the rules as they stand rather than thinking about the best options for the company as a whole. Without proper consideration of security, the result can be an implementation that meets the letter of the law rather than its true aim. It’s therefore important to get the balance right and spend time wisely.
Despite the various challenges that will come up for enterprises in the next two years, the GDPR will have a positive impact on the wider market. At a time when breaches are becoming more likely as IT infrastructures get more complex, GDPR will force firms to review outdated security policies and controls.
Both the regulators and the enterprises covered are aware that two years is a very short deadline for large corporations. After all, networks need to be re-architected and this takes time; for large enterprises with multiple subsidiaries and entrenched IT installs to consider, these two years will be a short timeframe to get all the changes planned, tested and completed. It is therefore important to note that this update to data protection regulation puts the emphasis on customer data being safe. The onus is on companies of all sizes to change the way they look at security. The first step to prepare for this huge project is to ensure the visibility of all assets across the business. After this, it will be possible to start protecting what you see.
About the author
Philippe Courtot is the chairman and CEO of cloud security business Qualys. He is a serial entrepreneur and business executive with a long history of success. In 1988, Courtot started his own company and produced an email product called cc:Mail; in 1990 Microsoft offered to buy cc:Mail, but he instead sold it to Lotus (now IBM). He took his next company, Verity, to its initial public offering in 1995, before stepping down in 1997. He then repositioned electronic payment company Signio into the e-commerce industry and oversaw its acquisition by VeriSign. He began investing in Qualys in 1999.