With just 13 months until the EU’s General Data Protection Regulation (GDPR) comes into force, businesses that rely on the cloud, as well as cloud service providers themselves, need to prepare for the biggest shake-up to data privacy in a generation.
From 25th May 2018, any organisation that controls or processes personally identifiable information about EU citizens must have stringent organisational and technical measures in place (i.e. ‘privacy by design’) to comply with the GDPR.
Crucially, the GDPR shifts the burden of proof from individuals to organisations. Where once citizens needed to show they were the victims of data misuse or security breaches, organisations must now demonstrate they’ve taken the right, pre-emptive actions to protect personal data appropriately.
Failing to meet these obligations brings draconian penalties. Alongside fines of up to 4% of a company’s global turnover, the GDPR also mandates the public disclosure of serious data breaches, which may erode customer trust, brand reputation and share value. Consequently, compliance failures could soon be measured in billions of euros for the largest global companies – for instance, consider the impact of the recent Yahoo hack on Verizon’s planned acquisition.
Unclouding the issue
There’s still considerable uncertainty and doubt surrounding the GDPR, with only 6% of cloud services currently prepared for the new data protection legislation. Thus, it’s essential that organisations across the cloud value chain start evaluating their systems and processes now to ensure they can protect personal data adequately.
With the GDPR’s considerable fines ratcheting up the stakes, enterprises must carefully vet their own infrastructure, and that of their cloud service providers, to ensure adequate security is in place. Meanwhile, cloud service providers must remain acutely aware that they can be held responsible for any data breaches that take place under their watch.
The GDPR distinguishes between data controllers, such as the enterprises deciding what to do with the personal data they collect, and data processors, which include those cloud service providers handling data on an enterprise’s behalf. Ultimately, it’s the data controller’s responsibility to ensure best-practice security and compliance throughout their value chain. However, in the event of a breach and a subsequent investigation, data processors could also find themselves liable if the leak originated in their systems.
Securing the value chain
Facing the GDPR’s requirements, both enterprises and cloud service providers need to demonstrate complete control over their security. Best-practice data protection is essential at every level of the value chain, down to and including the infrastructure layer and the physical security inside data centres.
A crucial piece of this puzzle is end-to-end encryption for any personally identifiable information. Article 32 of the GDPR cites this specifically, calling for “appropriate… measures” to ensure information security, including “the pseudonymisation and encryption of personal data”.
To keep pace with the growing trend to encrypt everything in the cloud, on devices and in the corporate network, organisations are faced with the need to manage hardware security modules (HSMs): tamper-resistant appliances that securely store and generate cryptographic keys and perform cryptographic processing. Additionally, Cloud Access Security Brokers (CASBs) are proving essential to monitor and encrypt sensitive data travelling to or from any cloud service in real time.
Colocation can help
While the largest enterprises will no doubt manage their own HSMs and CASB gateways, colocation offers considerable efficiency gains in the race to become GDPR-ready.
With the Cloud Security Alliance and other industry bodies now recommending that encryption keys be held outside the cloud, hybrid architectures are becoming the norm. Colocation ensures a well-run, resilient and secure infrastructure environment, backed by strict SLAs for performance and availability, proven compliance with industry standards and state-of-the-art systems to monitor and manage operations around the clock.
Enterprises should also strive to identify colocation providers whose facilities offer the shortest round-trip time to the major cloud platforms. This will prevent any potential degradation in application performance due to storing data encryption keys in hardware outside the cloud, as opposed to a cache within it.
Alongside demonstrable security, colocation also offers easier access to a broad community of cloud services and skills, which are only a cross-connect away. Enterprises can quickly find managed service providers to eliminate complex and time-consuming HSM management while ensuring optimal performance. Equally, placing a CASB inside a colocation facility ensures secure, high-performance connectivity to multiple clouds that is both rapid and cost-effective.
A silver lining
While the penalties may be severe, it pays to look at compliance with the GDPR as more than a mandatory investment. In fact, enterprises and cloud service providers that approach data privacy proactively can drive competitive advantage.
By fully encrypting information in the cloud, ensuring robust infrastructure security and having easy access to a wide variety of expert, value-added services, organisations can ensure they are fully trusted and ready to do business in the post-GDPR world.
To learn more about how Interxion can help address the GDPR’s challenges, contact us to set up a meeting with one of our compliance specialists.