Tuesday 28 February 2017

GPDR and Cloud Services – Prepare for Stormy Weather

Will Lambert, Cyber Security Sales Support, ZeroDayLab

25th May 2018 is a date that many businesses are almost relishing, they see it as a fresh challenge:a new way to do business, an exciting opportunity to use BREXIT to enhance and develop their existing security controls.  These companies get it.  They understand the cyber threat landscape, the dangers of the web, have carried out the crucial Business Impact Assessments (BIA) and have, or are in the process of getting, their house in order; not unlike some American states battening down the hatches in preparation for an earth-shattering tornado.  However, there are businesses that are unwilling to admit, or are still unaware of the storm of implications a post-BREXIT Britain and the legalities, more specifically, the penalties the EU will deliver to British business. 

I should make it clear at this point, I am no lawyer.  For many of you who know me personally, you are probably thinking, 'thank goodness'! After recently attending The European Information Security Summit (TEISS) held in London in February of this year, I picked up points that I, myself, was unaware of and if I can share this information freely to strengthen Britain's business; then that can be only a good thing - agreed?

Take a mixing bowl, add 200g of privacy as a declared human right and gently fold in 400g of technological culture, a culture that values the need for WIFI and enhanced battery life as more important than basis physiological needs (water, food, shelter...AIR! Maslow's hierarchy).  Add into the mix the known cyber skills shortage felt globally, add just a pinch of the fact that cloud services are not regulated; do I dare say it's a recipe for disaster?  Too obvious?  Maybe, but it is fair to proclaim we are facing quite a challenge to adequately protect Personally Identifiable Information (PII) data from pernicious attack.

In today's digital age, we expect our tech to always be on, available anywhere, dynamic and agile.  These expectations are being significantly boosted by the Internet of Things, which of course, are all Secured by Design because of the basic human right of privacy.  It's expected, right?  We place our trust in regulatory bodies to ensure that the products we buy are harmless.  We don't expect our water to be poisoned, or our vehicles to be released with faults; why would our smart tech be any different?  That being said, we don't have to look far to see examples of everyday devices (thermostats, smart watches, fridges - and in the future ...toasters!) being hacked to prove that maybe, we trust these devices a little too much. 

This issue extends to cloud-based tech also. Who regulates the Cloud? The worrying answer is, unfortunately at this moment in time... no one.   No regulatory body has stood up and taken responsibility for cloud-based tech.  The issue becomes even more disturbing considering cloud services have been running since 2006 (Amazon released Elastic Compute Cloud) but some rumour a date of 1996! Cloud Service Providers (CSP) have been operating using best practice for 10+ years and we have several examples of best practice such as, ISC2 STARWatch program and the Cloud Computing Security Professional training that they offer.  Now, I'm not saying that CSP are inherently a bunch of cowboys doing what they want, the message that I am trying to get across is simply this; if your organisation processes or stores PII in a cloud environment, you are ultimately responsible for data on someone else's machine. 

As I understand it, (remember, I'm not a lawyer!) Article 32 examines due care and due diligence responsibilities.  Have you done your research?  Are the protective controls of your customer's data as best as they can be? Can you prove that through thorough Cost Benefit Analysis (CBA) of business actions/risks of your own environment?  If yes, great! Now, do you or your suppliers use a CSP to process PII data? If yes, more good news.  Apply the same works to these environments, including the physical verification of where the CSP hosts their services. Just because they say to you 'we host in the UK, so GDPR doesn't apply', diligently check and provide evidence of this check.  The fine will be yours if they are found to be being 'creative' with the truth.  The process is a long and costly one, but remember, breaches will happen.  That is a disappointing fact of modern life. 

I know what you are thinking, breaches are mainly caused by the carbon-based interface, i.e. the users.  I completely agree, the EU agrees, but it's only the eye of the storm.  A cool, calm area, all parties agree, it's almost harmonious.  Moving on! In case of a breach through a user, can you, as an organisation, provide evidence that you have delivered effective threat awareness and education?  How often?  When was this training delivered, how was it delivered? You will need to provide evidence of training, if not, you will be without a stitch.  We must also work to provide an effective layered defence approach to protect our business assets.  We must be able to demonstrate that we have 'done our homework', that we can show due care and due diligence to protect our customers PII through effective BIA.  All of these elements combined will provide an umbrella from the storm of penalties the European Court of Justice has at its disposal.  Don't be left naked in the wind and rain and feel the full force of a penalty of up to 4% global turnover or €20 million.  I'm not saying you won't get wet but there's a marked financial difference between slightly soggy and saturated. 

EU GDPR will not be dissimilar to, and as common to society as, lawyers.  I'm not going into lawyer bashing mode here; that's too easy (I'm only jealous). Everyone thinks that they are just after picking money out of deep pockets and to a certain extent, it is my personal belief that harvesting the money will indeed please them.  I know it would me but I also believe, more importantly, they want to improve our digital age.  The Regulations have been brought about to improve our digital landscape so we are all safe to operate and trade in a secure environment via the implementation of an innocuous networking culture where our business PII and indeed our own personal data can be exchanged with minimal fear of compromise. 

"We will pay for security, one way or another."