“Data! Data! Data!” he cried impatiently.
That isn’t just Sherlock Holmes bemoaning his lack of data in The Adventure of the Copper Beeches; it’s also a timely reminder that in today’s data-driven world, data is at the heart of everything we do. Did Holmes then foresee the coming of the GDPR?
In just under a month, on 25th May, the GDPR will come into law for all EU member states and arguably, the world. It will fundamentally change the way the world does business.
In a webinar I co-presented in November, Larry Dietz from TAL stated:
- GDPR will change the way the world does business – GDPR compliance will be required to do business with your global customers.
- Investors and other stakeholders will view GDPR compliance as evidence of good management.
- Non-EU based organizations will find they are facing contractual terms and conditions based on the GDPR.
- The GDPR is more than a regulation, it is a philosophy designed to protect personal data; monitoring compliance and personal data usage will be an ongoing responsibility.
As businesses set off or continue with their digital transformations, a key component of this transformation is data! Data is the new oil. The more you have, the richer you are! However, this now poses a very big problem under the GDPR. With Articles 5 and 25 talking about data minimisation, the more you have, the more you need to secure. We are already starting to see businesses delete customer data ahead of the GDPR go-live date.
Securing data isn’t as easy as it once was. Back in the good ol’ days you could centralise ALL of your data in your datacentre and secure your offices and fleet of desktop PCs against being stolen, knowing that everyone in your organisation had to come into the office and use a corporate desktop to access that data via a myriad of hardware-based security devices. Elementary!
But this isn’t the 90s. Consumerisation won and that end-user device is no longer a behemoth PC on a desk, but a laptop, smartphone, tablet, IoT device, or even a wearable. Trying to support and secure such a diverse device population isn’t the only challenge here. With the proliferation of cloud and the rise of commodity cloud sharing and storage services, data is now everywhere! Shadow IT has crept in where businesses failed to give their employees the right tools, and now we have lost control of our data. On a recent GDPR webinar I presented with The Institute of Chartered Accountants in England and Wales, 67% of attendees said that they used customer cloud storage and sharing tools in order to do their job. We must look for a new way to give businesses the control and visibility they need to meet their obligations, yet take into account the diverse data and device types and at the same time not hinder employee productivity. This sounds like a tough challenge!
Every one of your employees is a data breach in progress! A powerful statement I decided upon in recent presentations. Surely, that cannot be true, can it? Do not be so sure. With the heady mixture of device proliferation and data sprawl through not just cloud, but the applications and data stored locally on these devices, can we really say we know where our data is and be accountable for it? One of these updated accountability principles under the GDPR is the mandatory breach notification (Article 33).
A data breach under the GDPR is more than just “being hacked” and winding up on the front of the newspapers. It’s leaving your laptop (which, by the way, has sensitive data on it) on the train, or not putting the appropriate measures in place and having people view data they should not have access to. Then there is my personal favourite: emailing data to the wrong recipient. Over the past 12 months of reported data, 404 incidents of data being sent to the wrong recipient were reported to the UK ICO, which makes up 14% of all data breaches reported. Every one of your employees is a data breach in progress!
And if that isn’t enough, what about one of my predictions for this year? The risk of Leakware! “I’ll tell you, Watson. He is the king of all the blackmailers.” If Ransomware is extortion, then think of Leakware as blackmail.
As the GDPR is a new approach to data protection, we need a new approach to data security.
How can we regain control of our data in the world we now live in? Is there a better way than the failing “castle and moat” approach when it comes to this device and data explosion? At Citrix, we think there is and we call it the Secure Digital Workspace.
We know that most customers have a complex mix of end-user devices, data storage locations, applications, and networks. Through the Secure Digital Workspace and Secure Digital Perimeter, we can unify the security and management of disparate entities, which from a GDPR standpoint helps you to meet obligations under Article 25: Data Protection by Design and Default, and Article 32: Security of Processing.
By deploying a Secure Digital Perimeter (SDP), you will be able to provide contextual access to your data. Who am I? What device am I using? Where am I? Depending on these factors, employees can be granted full or partial access to data. To help increase security, they could be asked for a further form of authentication such as a One Time Password (OTP). On untrusted devices, data can be supplied via a virtual application housed in the customer’s data centre or cloud, meaning that no data is present on that untrusted device, which will reduce the risk of a data breach.
Access to data can be audited so that you have the ability to see who is accessing what data from where. This type of information can be critical during a data breach investigation.
And all of this is underpinned by Citrix Analytics. Citrix Analytics will give you deep insight into your Secure Digital Workspace and allow you to help secure your data further through User Behaviour Analytics. Using Machine Learning and Artificial Intelligence, employee behaviour outside of normal recorded patterns can be flagged and, where appropriate, remediated automatically. Imagine having the ability to detect a potential data breach and stop it before it happens!
“What one man can invent another can discover” Sherlock Holmes commented in The Adventure of The Dancing Men when faced with a cryptographic puzzle to solve. He may well have been talking of the persistent threat of ransomware/leakware and the challenges of detecting and mitigating this risk. As part of the Secure Digital Workspace, many different layers can be used to increase your security posture and help mitigate risks that will be headaches under the GDPR.
- The Secure Browser Service allows you to sandbox your web browsing by moving this to a non-persistent browser in the cloud, taking one of the main ways for Leakware to get a foothold away from your critical infrastructure.
- A combination of XenMobile and ShareFile allows encryption of data at rest when data needs to be mobilised on the end-user device. The same tools can also apply compliance checking to make sure the device is trusted and has not been compromised.
- Citrix Networking makes sure that data gets encrypted during transport and underpins the elements of the Secure Digital Perimeter.
- Citrix Analytics provides a deeper level of understanding of what is happening in your network, not just in a north-south direction of travel, but also east-west.
GDPR will soon be here so prepare yourself for a new approach to data protection with a new approach to data security — the Secure Digital Workspace!
“When you have eliminated the impossible, whatever remains, however improbable, must be the truth.”
This is a famous saying by Holmes and more than relevant here. The truth is that the methods we use today are no longer fit for purpose in today’s cloud-based, data-driven age. You need to meet your obligations under the GDPR as well as provide secure and productive ways for your employees to access their data, from any device on any network. The Secure Digital Workspace is a great way to achieve this.
To find out more, please join me and Florin Lazurca for our webinar on May 3: “GDPR: How Europe’s new privacy law is reshaping data security.”