BREACH ALERT! Cloud Security Compliance and GDPR Have a New Enemy
A recent report on the Palo Alto Networks Unit 42 website has drawn attention to a new kind of malware attack that evades detection by cloud security products. The code it uses can uninstall five different cloud security protection and monitoring products.
In Unit 42's examination, these attacks did not compromise the security products directly. Instead, the attackers first gained full administrative control over the hosts, then used that control to uninstall the security products in the same way a legitimate administrator would.
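The attack chain above (privilege escalation first, then removal of the security agents through ordinary administrative commands) is exactly what host audit logs can surface. The following detector is an added example and is not part of the Unit 42 report or of any product; it assumes a simplified, constructed audit-line format ("<ISO timestamp> host=<name> user=<name> cmd=<command>") and uses placeholder agent names (example-agent, example-monitor), since the page names neither the log format nor the products.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed format; not real log output.
SAMPLE_LOG = """\
2020-01-10T09:00:01 host=web-01 user=deploy cmd=sudo -i
2020-01-10T09:00:07 host=web-01 user=root cmd=systemctl stop example-agent
2020-01-10T09:00:12 host=web-01 user=root cmd=apt-get remove -y example-agent
2020-01-10T09:02:30 host=web-01 user=root cmd=/opt/example-monitor/uninstall.sh
2020-01-11T14:15:00 host=web-02 user=ops cmd=sudo apt-get remove -y nginx
2020-01-12T08:00:00 host=web-03 user=root cmd=yum remove -y example-agent
"""

# Placeholder names for the security/monitoring agents you run (hypothetical).
PROTECTED_AGENTS = {"example-agent", "example-monitor"}

# Assumed audit-line layout (see lead-in).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$"
)
# Commands that remove, stop or disable a package or service.
UNINSTALL_RE = re.compile(
    r"\b(apt-get remove|apt remove|yum remove|dnf remove|rpm -e|"
    r"systemctl (stop|disable)|uninstall)\b"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_agent_removal(cmd):
    """True when the command removes, stops or disables a protected agent."""
    return bool(UNINSTALL_RE.search(cmd)) and any(
        agent in cmd for agent in PROTECTED_AGENTS
    )


def find_agent_removals(log_text, window=timedelta(minutes=10)):
    """Return one alert per agent-removal command, rated 'high' when a
    privilege escalation (a sudo invocation) on the same host precedes it
    within the window, otherwise 'medium'."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    escalations = [e for e in events if e["cmd"].startswith("sudo ")]
    alerts = []
    for e in events:
        if not is_agent_removal(e["cmd"]):
            continue
        preceded = any(
            s["host"] == e["host"] and e["ts"] - window <= s["ts"] <= e["ts"]
            for s in escalations
        )
        alerts.append({
            "host": e["host"],
            "user": e["user"],
            "cmd": e["cmd"],
            "after_escalation": preceded,
            "severity": "high" if preceded else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_agent_removals(SAMPLE_LOG):
        print(alert["severity"], alert["host"], alert["user"], alert["cmd"])
```

The point of correlating with the escalation window is that the removal commands themselves look legitimate (a root user stopping and removing a package); what distinguishes the attack is the sequence. In practice the agent list and the log format would come from your own inventory and audit pipeline, and the alert should also fire when the agent's heartbeat simply stops, since a sufficiently privileged attacker can delete the log line too.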
The last thing a CIO wants to discover is that their cloud storage provider has vulnerabilities this new and advanced malware attack can exploit, rendering the firm's GDPR security compliance null and void. Should that happen, the fines levied against your company would be stiff (up to 4% of annual global turnover). Think of the impact that could have on your firm.
What Steps Must Every CIO Review with regard to GDPR Cloud Security Compliance?
The General Data Protection Regulation states clearly that businesses, organizations, and government agencies around the globe must handle personal data lawfully, transparently, and securely throughout the entire data processing lifecycle.
There are several steps a CIO must review ahead of any policy review that will determine whether your cloud security is GDPR compliant or not.
Step #1. Is your company affected by GDPR?
Because the regulation covers a vast global territory, some companies outside the European Union will, as part of their business model, process and collect personal data from individuals who reside within the EU's borders. If your organization has entities that do either of these, the regulation and its compliance obligations apply to your firm.
Step #2. Clarification of the term "Data Protection" under GDPR
In every industry, field, and sector there are general terms that get thrown around and, over time, become diluted from their original meaning. That leads to false interpretations; the term "Data Protection" is one example.
Under the GDPR mandate, "Data Protection" is not a security term, as some assume it to be, but a term meaning "protecting the rights of individuals regarding the use of their personal data."
Step #3. Who is the Data Controller and Data Processor?
The Data Controller and Data Processor are two entities, both liable under the General Data Protection Regulation. The data controller determines the conditions, means, and purposes of the processing of all personal data. The data processor, on the other hand, processes personal data on behalf of the data controller.
So, at your firm, are you the data controller or the data processor? If you're not sure, here's the quickest way to know: if you keep or control information about living people, you are a controller; if you process personal data but do not control it, you are a processor.
Step #4. What Are The GDPR Compliance Requirements For Cloud Storage Services?
At this point, you've established whether your company is affected by GDPR, what Data Protection means, and who the data controller and data processor attached to your firm are. So, let's briefly look at the five compliance requirements for cloud storage services, and the question tied to each that you must get answered.
- Encryption – What technical safeguards, such as pseudonymization or encryption, does the provider deploy?
- Data Security and Control – Does the cloud storage provider offer control features and security guarantees?
- Transparency – How transparent is the cloud storage provider about data protection and data residency?
- Legal Guarantees for Data Protection – Does the provider submit, in writing, its commitment to data protection?
- Overall Guarantees – What proof does the cloud storage provider offer that its practices are enforced?
When a CIO properly addresses these four steps, they are not caught off guard by new threats, the company's Cloud Storage Security remains intact, the firm's processes and protocols get examined and updated in accordance with the mandate, and its GDPR obligations remain up to date and compliant.