How Next-Generation Hardware Security Modules Can Help You Prepare for GDPR
HSMs hold promise for helping enterprises comply with GDPR.
- By Ambuj Kumar
- May 8, 2018
The General Data Protection Regulation (GDPR) is a legal framework that will help enforce data protection and privacy laws for European citizens. Effective May 25, GDPR may set a new standard for protecting customer privacy and possibly start a trend in data laws globally.
Although GDPR is a European regulation, any company involved with processing data for European customers will have to adhere to the compliance requirements. In the past, violations of many regulations have resulted in only slaps on the wrist, but GDPR is unique in levying fines based on global revenue.
Data protection is nothing new between countries. The U.S. and European Union (EU) had the "Safe Harbor Principles" in effect until Edward Snowden revealed the U.S. government was accessing personal data of the general population. Since then, and with Safe Harbor no longer valid, the EU-U.S. Privacy Shield was created as another framework to facilitate secure data transfer. Another measure, the Data Protection Directive, was developed but has changed so much that a new framework of protection was needed, and thus we have GDPR.
GDPR acknowledges the global impact of e-commerce and the complexity of companies operating across multiple jurisdictions. Hundreds of pages long, GDPR includes basic, common-sense methods to empower customers to control their privacy and their sensitive data. Proposed by several EU organizations, GDPR is a single, unified regulation that protects the data of all individuals living within the EU regardless of where the data is collected, stored, or processed.
GDPR is a binding legislative act where companies can be fined for not being compliant. This includes organizations on a global level that collect data and distribute it across multiple data centers and nations.
Being GDPR compliant involves much more than technology. Companies also need to create a culture of privacy and adopt initiatives for business process change. Enterprises need to understand their exposure and commit to continuous compliance. Business-unit leaders, legal teams, and IT teams must come together to help ensure this commitment. In addition, they need to be open to embracing methods that will ensure privacy protection.
Any data that can be used to identify a person directly or indirectly -- such as financial data, photos, home addresses, medical information, social media, and IP addresses -- is protected under GDPR.
This sensitive data can be collected from customers only for legitimate business needs, and only those who have business needs can process or access the data. At the highest level, GDPR requires corporations to implement new access control for data based on business reasons and respect for robust customer privacy.
Most corporations already have access control policies for customer data. However, historically these policies have been based on convenience and lack certain requirements necessitated by the regulation. For example, there might not be an easy way to revoke someone's data access once the business need has been fulfilled, but GDPR requires corporations to revoke all access to a customer's data when the customer so demands.
Encryption and HSMs
One of the simplest and most effective approaches for companies to meet these new requirements with minimal disruption to their existing environments is to use encryption. Encryption transforms sensitive documents into ciphertext that is effectively unreadable without the key. Only people with access to the right encryption keys will be able to read the contents. A benefit of this method is that although documents can be bulky and are often spread across multiple databases, locations, and data centers, encryption keys are very small (just hundreds of bytes). The small size of keys makes them well suited to centralization.
Because anyone with the key can access the encrypted, sensitive data, organizations need a way to ensure that no unauthorized users can access keys. Traditionally, organizations have used hardware security modules (HSMs) to store these keys. HSMs are purpose-built machines to keep keys secure. They can resist physical tampering, keeping keys secure even when an attacker has physical access to the device. HSMs keep keys secure even when hackers are able to break into the corporate network.
When legitimate users need the keys to access encrypted databases, documents, and other personally identifiable information (PII), they verify their identities by providing the required credentials. As a result, HSMs are almost always used by organizations where a breach will cause material business damage.
However, traditional HSMs lack sufficient capabilities to address GDPR compliance. First, traditional HSMs are isolated to one data center, but most companies with significant GDPR exposure are multinationals and operate across multiple data centers. It's not helpful if one data center is GDPR compliant but another is left exposed. Unfortunately, traditional HSMs were designed in an era when cloud computing was poorly understood, and they lack any centralized management or synchronization of keys and logs across multiple HSMs.
Second, many encryption technologies, and HSMs in particular, still require specialized knowledge and experts to operate. Traditional HSMs lack user-friendly interfaces, and they aren't integrated with mobile phones or new organization tools such as SIEM.
To use encryption for GDPR compliance, HSMs need to adopt cloud-native infrastructure and accommodate mobile-native users. Cloud-native infrastructure scales without any disruption, is built to operate remotely, and comes enriched with flexible consumption models such as on-premises or SaaS. Mobile-native users are demanding smartphone-like simplicity and an intuitive user interface that does not require them to read manuals before operating.
Next-generation HSMs are a class of newer solutions that meet these criteria. They synchronize keys, logs, user identities, and access policies across all the data centers and public clouds across the globe. They offer security with software flexibility and enable encryption keys to be securely generated, stored, distributed, revoked, imported, exported, and managed.
Once implemented, next-generation HSMs can serve as a control layer between the data controller and the data processor to help meet GDPR requirements around data audit, control, and erasure. The data processor is an entity that processes the personal data according to rules set by the data controller.
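The following Go example is added here for illustration and is not code from the article or from any HSM vendor. It shows why centralizing small keys supports the control and erasure requirements described above: records are encrypted under a per-customer key, so destroying that one key makes every stored copy unreadable. The `HSM` type, its `Seal`, `Open` and `Erase` methods, and the customer IDs are hypothetical names, and an in-memory map stands in for the key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// HSM is a hypothetical in-memory stand-in for the central key service: one AES-256-GCM key per customer.
type HSM map[string]cipher.AEAD

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal encrypts a record (output: nonce || ciphertext), creating the customer's key on first use.
func (h HSM) Seal(customer string, plain []byte) []byte {
	if h[customer] == nil {
		block, _ := aes.NewCipher(random(32)) // a 32-byte key is always a valid AES key
		h[customer], _ = cipher.NewGCM(block)
	}
	nonce := random(h[customer].NonceSize())
	return h[customer].Seal(nonce, nonce, plain, []byte(customer)) // customer ID bound as associated data
}

// Open decrypts a record; it fails once the key is erased or if the record was altered.
func (h HSM) Open(customer string, record []byte) ([]byte, error) {
	g, ok := h[customer]
	if !ok || len(record) < g.NonceSize() {
		return nil, fmt.Errorf("record unreadable for %s: no key or malformed data", customer)
	}
	return g.Open(nil, record[:g.NonceSize()], record[g.NonceSize():], []byte(customer))
}

// Erase destroys the key, which makes every stored copy of the customer's records unreadable.
func (h HSM) Erase(customer string) { delete(h, customer) }

func main() {
	h := HSM{}
	record := h.Seal("cust-1001", []byte("constructed sample address"))
	h.Erase("cust-1001")
	_, err := h.Open("cust-1001", record)
	fmt.Println("after erasure:", err)
}
```

Binding the customer ID as associated data means a record also fails to open if it is presented under a different customer's key.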
Next-generation HSMs are available not only as appliances but also as SaaS, so organizations looking to secure their data can get started quickly. The next-generation HSM vendors provide libraries -- both for existing applications and for RESTful applications -- that can be integrated in minutes with their applications. SaaS-based integration can start in less than an hour because organizations don't have to deal with procuring and setting up appliances. On the other hand, organizations needing appliance-based delivery can purchase and rack-and-stack the appliances before following the same easy steps to integrate them with the applications.
Prepare for Compliance
GDPR is a bold regulation that's taking the world by storm, and it has resulted in increased awareness of data breaches and the need for data privacy, especially as computing becomes more pervasive. The same macrotrends that necessitated GDPR have also helped next-generation HSMs gather the attributes suitable to meet GDPR compliance. As is often the case, both the problem and the solution have grown together.
Encryption is a powerful tool. Delivering it easily across distributed infrastructure with a focus on GDPR compliance can be very effective. GDPR compliance will have to involve a number of technologies, processes, internal culture shifts, and more, all coming together. There is no single magic bullet to meet 100 percent GDPR compliance, but there are certainly some solid options for helping companies become more protected and combat today's evolving regulatory and threat landscape.