So, in light of the growing frequency of massive breaches—at the time of this writing, Capital One’s 100M-record breach was the most recent—you’ve decided to take responsibility for the relationships you hold with customers—to protect the trust they have placed in you. To do so, you have decided to become GDPR-compliant—but you find it’s more than just auto-posting a bulletin for each new user regarding your cookie handling policy. Going deeper into the regulations and reading the requirements is time-consuming and convoluted. Obtaining a privacy seal is expensive in more ways than one—enough to make even large companies think twice about following through. Until now, the negatives of reporting a breach have been mostly the de facto market pressures—which for plenty of businesses was enough to avoid or delay reporting breaches—but like you, companies must adopt a new strategy when it comes to preventing breaches and protecting their relationships. To make the situation more urgent, in 2018 the average cost of cybercrime per organization was up more than 60% since 2013.
Traditionally, IT security has focused on building a shell around the goodies; preventing cracks in the shell, plugging them when they are found, and correcting what cannot be prevented. This is based on designs from 40 years ago, and works as expected for a 40-years-obsolete solution. The perimeter is problematic because it is, in most environments, porous; even when it isn’t, the penchant for placing LED indicators on hardware has made even air-gapped systems vulnerable. Countless methods of penetrating that membrane have been tried, tested, and corrected over the decades—but the nature and flow of information—data—has changed while the shell model has not. Instead of guarding the border, we should really focus on what’s important: the data.
Build instead from the core outward: start with the hardware housing the data; do your homework on safe configurations, and look up breaches and issues with the equipment in question; then design your products and services up front with prevention in mind. Create solid process and policy documentation that incorporates cyber security best practices. And, finally, make certain anyone coming close to the data knows safe protocols, since human error (or in some cases, willful commission of malicious acts, but still humans) accounts for a high percentage of vulnerabilities. Indeed, Capital One's breach was the result of a misconfiguring an AWS account--something that is far from an isolated occurrence. If these had occurred in the post-GDPR timeline, the companies using AWS would be held responsible; in the GDPR purview, outsourcing doesn’t shift culpability, but just involves more actors.
More Than a Few Pounds (or Euro, etc.) of Cure
Whether you are an existing organization or a new one, purchasing the infrastructure to become a responsible curator of consumer data is an important consideration: Can your existing hardware support the volume of cryptographic processing your business will demand? Do you need to buy dedicated hardware, and if so, in what multiples? Hardware you dedicated to PCI compliance may be able to be shared for other regulatory measures, or vice versa. Payment Card Industry (PCI) Qualified Security Assessors (QSAs) tend to want processing of Cardholder Data (CHD) to be separated from the processing of other data, but not doing so doesn’t preclude one from being compliant; in fact, if you are just PCI compliant, the building blocks are likely in place to become GDPR compliant with minimal effort. Depending on your business, you may or may not need cryptographic processors (“cryptoprocessors”) in place to achieve GDPR compliance.
If you’ve bought servers recently, there is a good chance that an on-board cryptoprocessor may already be included, or that one could be installed. Before you jump up to re-purpose your old hardware, make sure it has the power needed to perform cryptographic transactions at the anticipated volume. One might be able to just enhance the hardware in a smaller business, but for volume-intensive needs, newer hardware is probably best. That said, the two primary cryptoprocessor form factors are the Hardware Security Module (HSM) and the Trusted Platform Module (TPM). Both are, more or less, secure and include internal measures to prevent theft or tampering, or at the very least, rendering the cryptographic information useless if they are tampered with.
TPMs are designed to verify hardware sets, but can be used as a cryptoprocessor. TPMs store one key from which all other cryptographic information derives. They are often discussed as if they cannot be added to or removed from a server, and while there are many models with soldered TPM chips, increasingly servers are being made to accept a TPM addition. Most removable models are designed to clear themselves if they are removed. And you can’t beat the price—around $20, maybe even less, for a new TPM—if you have existing hardware that will accept one.
HSMs are typically installable as internal cards and perform at a much higher rate than TPMs. Some HSMs are networked and handle throughput from multiple servers at once. HSMs are generally coupled with high-speed enhancements and can generate cryptographic data at an incredible rate, allowing for their volume, if not their speed, to outshine TPMs. To cover the portability and greater volume of transactions, HSMs are generally one or two orders of magnitude more expensive than TPMs. These little workhorses power many large transaction-based sites, pushing cryptographic data to aid in securing banks transfers, ticket sales, hotel reservations, and so on.
Assuming you have your cryptoprocessors architected to your satisfaction, you now have to contemplate the flow of consumer data in your applications. Where is it physically housed? Does it move to other locations based on redundancy or processing? Is personal data logged? Is indirect data logged that could be used to extrapolate an identity? The accurate and readily available documenting of the processes affected by GDPR is pervasive. Documents must be in plain language and simply explained, not hidden in fine print, laden with jargon, or buried beneath multiple levels of links.
One of the main tenets of the GDPR is the right to be forgotten. Logs containing PI must be removable historically by either the person claiming the information or by an internal process; regardless of the method, that removal must also be verifiable later. Most users can intuit the idea and practice of deleting their own account information, but making it hard to do is a great way to draw the attention of the Information Commission Office (ICO) or similar data protection enforcement authorities. Though being able to delete one’s own information seems to be the prettiest girl at the dance, most GDPR articles include a clause indicating the user must know how to handle one’s own information, what will happen to it while it is in the care of others, how to restrict access to part or all of it, and how to correct it (and remove it).
De facto, this means whatever service, process, or product you create should ideally be designed to make these actions intuitive while still adhering to the original purpose and function. Assuming all of the above are true, the policies surrounding the internal IT process—as well as the use of products and delivery of services—must be well-documented and available to the appropriate personnel.
Technical writers out there should probably thank the GDPR folks for a hefty job security boost.
Making It Official
If Payment Card Industry (PCI) Data Security Standard (DSS) certification is any indication, the cost of the European Privacy Seal will scale with the complexity of your offerings. A 10-person company could cost up to $13,000 to certify, and the price goes up from there to around $70,000 at worst for a larger company. GDPR, however, is much broader than just payment transaction data, and could easily cost proportionally more.
Even if you don’t go through full certification, you can still perform your due diligence with the criteria list and get your environment and documentation in shape. The National Cyber Security Alliance finds that 60% of small-to-medium-sized businesses (SMBs) fail within 6 months of a cyberattack. Larger businesses can better take the hit, but when they’re served with 9-figure fines, their hindsight tells them that several thousand dollars seems like a phenomenally good price. The costs of making your business safe for others doesn’t have to include a seal right from the start; a fancy badge may make you more attractive to consumers, but what it represents is the important part, and comes at a much lower cost than you might think. The up-front costs of preventative design and deployment are repaid time and again, and come with the added bonus of peace of mind.