According to the Breach Level Index, five billion data records have been stolen since 2013, an average of roughly 3.5 million per day. According to a Quocirca report, 68% of the organizations surveyed fell victim to a cyberattack, and 36% of those suffered a data loss as a result. To tighten the rules that are meant to prevent such leaks, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which dates back to 1995, was recently replaced. Its successor, the General Data Protection Regulation (GDPR), was published on May 4, 2016 and will apply from May 25, 2018. It is intended to deliver the widely desired harmonization of data protection within the EU. The GDPR is also designed to enforce cyber security more vigorously: non-compliance can result in penalties of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
At a time when data protection is more important than ever, the question arises: how does the GDPR cover the ubiquitous nature of data created, managed and sent via web apps?
What is the GDPR?
Cross-border business is the norm for many organizations today. The GDPR was drafted to ensure a consistent approach to the protection of personal data and privacy across the EU. In other words, the same data protection rules apply in all EU member states. Even the United Kingdom, which voted for "Brexit" in June this year, will still have to comply with the GDPR, as will organizations in any other country that offer goods or services to individuals in the EU.
The GDPR rules are broad and far-reaching. They cover everything that counts as personal data (often referred to as Personally Identifiable Information, PII), including email addresses, dates of birth, names, etc. This applies to both B2C and B2B organizations and affects both data controllers and data processors. Data protection officers are expected to become the norm for implementing the regulation in organizations trading within or with Europe.
Compared to the original directive (95/46/EC), the GDPR goes much further in terms of data protection expectations and guidelines. It also covers aspects such as:
- Pseudonymization of data
- Encryption of personal data
- Integrity, confidentiality and availability of personal data
- Making personal data accessible to the data subject, with the possibility of correcting the information if necessary
- Regular testing of the effectiveness and resilience of the security measures protecting the processing systems
Data processors are now directly bound by the regulation and must notify the controller of any personal data breach; controllers in turn must report breaches to the supervisory authority (within 72 hours where feasible). Fines and penalties are provided for non-compliance and for failure to report. Understandably, the GDPR is causing concern across all industries.
According to a recent study, half of IT decision-makers in companies believe that they do not currently meet the GDPR compliance requirements. Among information security officers, three quarters believe that the GDPR will have a massive impact on IT procurement and on the provision of security services. Without a doubt, the GDPR is one of the most far-reaching and impactful security and data protection regulations ever enacted anywhere.
How does GDPR affect web apps?
A recently published study of shadow IT and cloud web services found that 98% of cloud apps are not ready for the GDPR, measured against 15 criteria derived from the regulation. The regulation rests on the well-established principle of Privacy by Design (PbD), which the GDPR itself calls Data Protection by Design (DPbD). Accordingly, the design, development and operation of web apps and their associated components will have to take these principles into account in order to comply with the GDPR.
But what do PbD and DPbD mean in concrete terms? Two recitals of the GDPR address this:
Recital 39: Any processing of personal data should be lawful and fair. … Personal data should be processed in such a way that their security and confidentiality are sufficiently guaranteed, including that unauthorized persons do not have access to the data and cannot use the data or the devices with which they are processed.
Recital 49: The processing of personal data by public authorities, Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs), providers of electronic communications networks and services and providers of security technologies and services constitutes a legitimate interest of the respective controller to the extent that it is strictly necessary and proportionate to ensure network and information security, i.e. to the extent that it ensures the ability of a network or information system to resist, with a given level of reliability, disruptions or unlawful or malicious interference that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data and the security of the related services offered by or accessible via these networks or information systems.
Such a legitimate interest could, for example, be to prevent unauthorized access to electronic communications networks and the distribution of malicious code, as well as to stop attacks in the form of targeted overloading of servers ("denial of service" attacks) and damage to computer and electronic communications systems.
These principles cover a very broad spectrum, to say the least, but are expected to “encourage companies to become more innovative and develop new ideas, processes and technologies to protect personal data.”
There are two basic areas in which United Security Providers offers support in ensuring GDPR compliance.
Protection against web-based attacks: Creating "application layer security", i.e. protecting web-facing systems from cyber attacks. Traditional tools such as network firewalls or intrusion prevention systems (IPS) do not protect systems from the modern web-based attacks catalogued by the OWASP Top Ten project. Web Application Firewalls (WAFs) are the next generation of tools designed to deal with web-based attacks. WAFs are widely deployed in PCI DSS environments and provide appropriate protection against the OWASP Top Ten vulnerability classes. Several of the highest-ranked OWASP Top Ten categories can be mitigated by a WAF, including injection attacks against web-facing databases (SQL injection), cross-site scripting (XSS) and cross-site request forgery (CSRF). A WAF is a compensating control in front of the application; it reduces exposure but does not replace fixing the underlying vulnerabilities in the application code.
Protection thanks to robust authentication: "Broken authentication" (weak or flawed authentication and session handling) ranks near the top of the OWASP Top Ten. Risk-based and multi-factor authentication are both effective measures against cyber attacks. Single-factor authentication, on the other hand, carries many risks, ranging from the use of weak passwords and the reuse of the same password across different systems to simply writing it down. What is needed is a secure barrier between the Internet and an organization's user directories. Adaptive authentication allows organizations to adjust or raise the level of authentication depending on the potential risk of a particular access attempt. The risk assessment can draw on a variety of factors, e.g. the current location of the user, the type of access device, the time of access, user-group policies, or the sensitivity of the application or data being accessed. Furthermore, Single Sign-On (SSO) enables the use of strong user credentials across all internal, hosted or external SaaS (federated identity) environments, helping to provide seamless access and an improved user experience.
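To make the adaptive authentication idea described above concrete, here is an added worked example (not code from the original page and not the logic of any vendor's product) of a risk-based policy that decides which authentication level a login attempt must satisfy. The risk signals, weights, thresholds, group names and sample login contexts are all constructed assumptions for illustration; a real deployment would tune them to its own threat model and audit data.

```python
"""Adaptive (risk-based) authentication policy: a worked example.

Given the context of a login attempt (where the user comes from, which
device they use, when, which groups they belong to and how sensitive the
target application is) the policy returns the authentication level that
must be satisfied before access is granted. Every weight, threshold and
identifier below is a constructed assumption for this example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class AuthLevel(IntEnum):
    """Required authentication strength, ordered by assurance."""
    PASSWORD = 1          # single factor only
    MFA = 2               # password plus a second factor (OTP, hardware token)
    MFA_AND_APPROVAL = 3  # MFA plus an explicit out-of-band approval step


@dataclass(frozen=True)
class LoginContext:
    user: str
    groups: FrozenSet[str]
    country: str                # ISO country code derived from source IP
    device_known: bool          # device previously enrolled for this user
    hour_utc: int               # 0..23
    app_sensitivity: int        # 1 (public) .. 3 (confidential)
    failed_attempts_last_hour: int = 0


# Constructed policy inputs (assumptions for the example).
TRUSTED_COUNTRIES = frozenset({"CH", "DE", "AT"})
BUSINESS_HOURS_UTC = range(6, 19)
HIGH_RISK_GROUPS = frozenset({"admins", "finance"})
LOCKOUT_THRESHOLD = 10


def risk_score(ctx: LoginContext) -> int:
    """Sum of weighted risk signals; a higher score means a riskier attempt."""
    score = 0
    if ctx.country not in TRUSTED_COUNTRIES:
        score += 3                                  # unusual location
    if not ctx.device_known:
        score += 2                                  # unenrolled device
    if ctx.hour_utc not in BUSINESS_HOURS_UTC:
        score += 1                                  # outside business hours
    if ctx.groups & HIGH_RISK_GROUPS:
        score += 2                                  # privileged user group
    score += 2 * (ctx.app_sensitivity - 1)          # 0, 2 or 4 for sensitivity
    score += min(ctx.failed_attempts_last_hour, 5)  # recent failures, capped
    return score


def required_auth_level(ctx: LoginContext) -> Optional[AuthLevel]:
    """Map the risk score to the authentication level the client must meet.

    Returns None when the attempt must be refused outright (brute-force
    lockout), regardless of which credentials are presented.
    """
    if ctx.failed_attempts_last_hour >= LOCKOUT_THRESHOLD:
        return None
    score = risk_score(ctx)
    # Hard rule first: confidential applications never accept a single factor,
    # and a risky attempt against them additionally needs an approval step.
    if ctx.app_sensitivity >= 3:
        return AuthLevel.MFA_AND_APPROVAL if score >= 8 else AuthLevel.MFA
    if score >= 6:
        return AuthLevel.MFA
    return AuthLevel.PASSWORD


def authorize(ctx: LoginContext, satisfied: AuthLevel) -> bool:
    """True if the factors the client has already satisfied meet the policy."""
    needed = required_auth_level(ctx)
    return needed is not None and satisfied >= needed


if __name__ == "__main__":
    # Constructed sample attempts: same user, different circumstances.
    office = LoginContext("alice", frozenset({"staff"}), "CH", True, 10, 1)
    abroad = LoginContext("alice", frozenset({"staff"}), "US", False, 22, 2)
    admin = LoginContext("bob", frozenset({"admins"}), "US", False, 10, 3)
    for ctx in (office, abroad, admin):
        print(ctx.user, ctx.country, "->", required_auth_level(ctx))
```

The ordering matters: the lockout check runs before any scoring, so an attacker cannot lower the required level by presenting a strong factor after exhausting guesses, and the sensitivity rule is applied before the numeric threshold so that a confidential application can never fall back to a single password even from a trusted device.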
Becoming “GDPR-ready” in one step
IT security providers are responding to the growing need for scalable basic protection for web applications that complies with GDPR principles. United Security Providers is a company that has made it its mission to meet the security needs of today and tomorrow. USP is one of the European security leaders and has been protecting global financial services, web applications and data since 1997. The USP Secure Entry Server® offers both web application protection and robust user authentication in one complete solution. The USP Secure Entry Server® is deployed in front of the application servers, as a reverse proxy, and handles communication with the clients on their behalf. This means that applications are never accessed directly. The USP Secure Entry Server® not only simplifies the access infrastructure, but also helps to fulfill security policies and compliance requirements, and it improves the traceability of access.
Europe-wide harmonization
One very positive effect of the GDPR is the harmonization of data protection rules across all EU countries. Standards often prove helpful when it comes to creating an ethos of predictability and control. From this perspective, the GDPR is a welcome update. It is hoped that uniform rules at EU level will both enhance the reputation of European data protection and boost confidence in the online environment, making Europe a more attractive trading partner.
Of course, compliance with the far-reaching and precise GDPR expectations remains a considerable challenge. May 2018 may still seem a long way off, but it is fast approaching. Now is the time to choose the right tools. They will help prepare your company for the constantly changing technologies with all their challenges and overcome the hurdles to GDPR compliance. The associated comprehensive data protection and risk minimization will bring substantial benefits to your organization and customers.