This blog is in two parts; the first section outlines upcoming guidelines as per the GDPR which the UK government has confirmed they will be implementing.
Also, the Information Commissioner has given recommendations to a House of Commons Committee detailing why company directors should be held personally accountable for breach of data protection laws.
The second section outlines some typical security risks and breaches which are happening and we offer a list of things you can do to protect yourself.
So what should you do? Well, here are some tips to help decide what’s right for you.
The first step in selecting any software solution is to carefully analyse the business needs and to prepare a detailed specification of what’s required.
This step is crucial even when buying off-the-shelf software solutions, but needs to be taken a step or two further for bespoke software development solutions. This helps determine whether a customised or off-the-shelf solution is best.
Steps to take to protect yourself …
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.
Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover.
The ICO recently imposed a fine of £400,000 on UK ISP TalkTalk.
What is a personal data breach?
According to https://ico.org.uk “a personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.”
For example, a doctor’s surgery is responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
What preventative measures can you take to avoid these breaches? Firstly, this checklist highlights 10 steps you can take now to prepare for the General Data Protection Regulation (GDPR) which we expect to come into force in mid-2018.
Step 1 Awareness: Decision makers and key people in your organisation are aware that the law is changing to the GDPR.
Step 2 Information you hold: Document what personal data you hold, where it came from and who you share it with – do an information audit.
Step 3 Communicating privacy information: Review your privacy notices and strategy for 2018.
Step 4 Individuals’ rights: Procedures should include all the rights individuals have and how you will delete and share that data with them.
Step 5 Legal basis for processing personal data: Why are you processing data this way?
Step 6 Consent: Review how you are seeking, obtaining and recording consent.
Step 7 Children: Put systems in place to verify individuals’ ages and to gather parental or guardian consent.
Step 8 Data breaches: Have the right procedures in place to detect, report and investigate a personal data breach.
Step 9 Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the guidance by the ICO.
Step 10 Data Protection Officers: Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance. More details of all the above can be found on the ICO website.
Steps to take to avoid a data breach:
The threats to any IT infrastructure are significant and dynamic. Whilst the threats faced by cloud and on-premise environments are the same, there are key differences.
Cloud employs additional safeguards to those employed on premise, typically not because they cannot be employed locally but rather that the costs involved are prohibitive when not shared.
Examples include cloud employing pro-active rather than reactive security and improved data replication which is often difficult and expensive to deploy locally.
Importantly, evidence suggests that security breaches often originate from within a business, and cloud therefore mitigates this risk through reduced access to physical devices and stricter enforcement of access control on the basis of least privilege.
Here are some typical risks to your IT infrastructure. (The CRM Business, 2011), (Forty Cloud, 2015), (Cloud Computing News, 2015).
Securing and protecting property is not a new concept and has been used for hundreds of years before IT was invented. There are no systems which are beyond risk of potential security breaches, just as there are no physical locations which cannot be broken into.
The approach for securing IT systems is therefore the same as for securing physical locations; it is about applying good security principles, practices and solutions to an environment with an aim to mitigate risk. Here are my top tips to help you stay safe:
1 / Shared Security Responsibility Model
The Cloud provider accepts responsibility for things like the infrastructure, hosting environment and even the Operating System and Applications stack layer within PaaS and SaaS offerings, while the end customer takes responsibility for the security provisioning with their end users and client machines.
2 / Customer’s Security Responsibilities
This is normally focused upon end users and the means by which data is accessed and controlled within your own environment.
It is therefore always recommended that the customer adheres to and implements security certifications and standards, with a view to applying strict security standards which will protect data within the customer’s own environment.
This could mean you implement a security standard such as ISO 27001 to help meet security responsibilities. (ISO/IEC, 2016).
3 / Vendor’s Security Responsibilities
The Vendor or Cloud Provider takes the major share of the responsibility for a company’s data, its integrity and its service availability.
The Vendor will provide clearly defined SLAs which can be monitored against defined KPIs, in line with ITILv3 good practice, to create a clearly defined framework of responsibility and expectations for service quality (AXELOS, 2016).
This will normally cover all physical security, infrastructure provisioning and resource allocation, and with PaaS and SaaS services can also include virtual machine provisioning and database and application maintenance.
4 / Infrastructure Security
The physical environment that data is hosted within is one of the most important factors when considering security related issues and service provisioning.
It is this high-level security environment, which has been hardened against failure, that makes Cloud hosting such an attractive proposition to companies of all shapes and sizes.
5 / Data Centre Redundancy Systems
Redundancy within a Data Centre environment is critical. Data Centres are ranked and rated, within the Data Centre tiering system, based upon their layers of redundancy across their whole estate. These services should be viewed as mission critical within any modern business environment.
6 / Power
Power chain management is of critical importance within a Data Centre environment. Cloud hosting providers such as Microsoft and Amazon provide Switched and Managed Power Distribution Units (PDUs), with independent Power Supply Units (PSUs) being fed off independent power distribution boards which normally have separate direct mains suppliers to ensure excellent redundancy.
7 / Networking
Within large hosting environments, networking does not just cover how networks are provisioned or split out but how much bandwidth is provided on the supplying pipelines.
Without a doubt the hosting environments utilised by the top 5 Cloud providers deliver unparalleled bandwidth provisioning such as 10Gbe/40Gb lines (Data Centre Knowledge, 2014).
Networks are often secured by virtual networking and switching to enable Cloud providers such as Microsoft Azure and Amazon AWS to provide Virtual Private networks within their IaaS solutions. This layer of network segregation is often applied with more resilience than in most modern Co-Locational environments, which offer similar services.
8 / Data Replication
Ensuring your data is secure should be of the highest priority for any customer. Within an On-Premise environment, provisioning data backups and replication for all data across your environment can prove a challenge and extremely expensive.
This area is often neglected by companies as they do not have the capital to justify implementing high-level replication procedures for their data. With cloud-based services, data replication and redundancy is easy and hassle free.
Within a single Data Centre, data is replicated within RAID X environments, providing protection against single hard drive failures, with data also being replicated across mirrored data centre estates across the world. This helps to mitigate the risk of events such as wars, terrorist attacks or natural disasters. (Windows IT Pro, 2014).
9 / Building Management Systems
Data Centres often use Building Management Systems (BMS) to monitor the supporting infrastructure for their Data Centres. This may include monitoring systems such as fire suppression, lights, heating, cooling, power distribution, generators, UPSs, etc.
These systems are often costly and hard to implement from scratch within a company’s own private Data Centre and require regular work and maintenance. Cloud providers utilise BMS systems and Data Centre Infrastructure Management (DCIM) systems as part of their standard offerings to help support their environments. (Google, 2014).
10 / Access
Unlike On-Premise or Co-Locational Data Centres, Cloud provisioned services do not allow the public to access their Data Centre environments. This is an advantage over Co-Locational environments, which restrict access to everyone but their customer base.
Cloud-based Data Centres do not publicise their location and, as all hardware provisioning is provided by the provider themselves, there is no requirement or need for customers to ever access the site. This limits the number of people with physical access to the hosting environment, which greatly increases its security over a Co-Locational alternative. (Forbes, 2013).
11 / Software Security
Software security is a big consideration when moving towards a Cloud model. While it can be viewed as an argument against moving towards Cloud environments, the reality is that Cloud provisioned solutions are often more secure than their On-Premise counterparts.
It should be noted, however, that with Cloud IaaS offerings the responsibility for securing systems at a software applications level lies with the customer, as it would with an On-Premise offering.
12 / Secure Authentication
It is advisable to implement multi-factor authentication to build a modern secure environment. Microsoft Windows based solutions will be able to support this functionality for Cloud, Hybrid and On-Premise environments by using functionality built into Active Directory, Active Directory Federation Services or Azure AD.
13 / Data Transmission Protection
As with authentication, the responsibility for all data transmission protection will remain with the customer for IaaS Cloud approaches, as it does with Hybrid and On-Premise solutions.
It is only within PaaS and SaaS models that the Cloud Provider will take responsibility for certain areas of data transfer, such as access via a web interface; Google, Microsoft and Amazon have all implemented SSL as a security layer to access their services.
14 / Corporate Segregation
Vendors such as Microsoft, Google and Amazon all offer virtual private Cloud networking offerings as a form of corporate segregation of a company’s network.
This is much the same model as is offered within a Co-Locational hosting environment and can perform effective segregation of networks. Customers are unable, however, to specify which resource pools their server infrastructure is hosted on or to ensure that their infrastructure is hosted together.
From a provisioning and security point of view this lack of functionality offers no drawbacks and customers are still given the choice to dictate their primary Data Centre location to ensure better latency rates for data transfer.
15 / Pro/Re-Active Security
Most corporate organisations operate within a reactive security model, being responsive to issues as they arise but not having the resourcing or skill set to provide proactive support.
Google, Microsoft and Amazon all employ dedicated proactive security teams who not only work in a dedicated capacity to prevent security breaches before they happen but also actively run tests against hardware and software environments to ensure that their corporate response times are within acceptable tolerances and that their environments are in the most secure state possible. To achieve the same level of proactive security, with the same level of skill set, would be highly expensive for a corporation to implement on its own.
Hopefully the above content has given you enough information to start being proactive about your own security, with particular focus on your customers’ data.
Get in touch with us at https://www.cloudthing.com if you are unsure about security or need some help with any software service.
Editor’s Note: This post was originally published in December 2016 and has been updated for comprehensiveness.
[UPDATED]: GDPR presentation provided by Scott Jenkins – GDPR Thought Leader.