It hardly takes a William Blackstone to figure out that the European Union's General Data Protection Regulation (GDPR) applies not only to primary work systems, but also to backup and recovery systems.
While very openly worded, including many uses of the term "appropriate," Article 32(1) of GDPR specifically identifies business continuity and disaster recovery (BC/DR) concerns -- including potential mandates for the abilities "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and "to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."
Moreover, to the extent that Article 32(1)(a) and other relevant portions of GDPR require encryption and data masking, a fairly obvious yet often overlooked consequence is that enterprises should similarly encrypt or mask data in their backup systems.
The same could also be said for best practices in data stewardship -- and enterprises are still confused on these finer points.
Perhaps the seminal case study on how not to do BC/DR is Adobe's 2013 data breach -- which saw some 150 million accounts compromised when an intruder accessed a backup authentication system marked for decommissioning. Making matters worse, apparently figuring that the system was "just a backup," Adobe failed to properly encrypt the account data on this system: the data that were encrypted were neither salted nor hashed, and password hints were left in plaintext.
Where GDPR is concerned, this sort of behavior falls under the category that EU Data Protection Authorities are perhaps most on the lookout for -- to wit: utter data malfeasance. When it comes to more nuanced applications of GDPR to BC/DR management, IT administrators and security pros should again look to GDPR's use of the word "appropriate." (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)
And yet, many enterprises may be bringing more GDPR pain upon their data-storage practices than needed.
Appropriate & inappropriate sensitivities
To a certain extent, although many compliance-sensitive organizations may fail to realize it, object storage -- whether on-premises or in the cloud -- may address some of these GDPR compliance needs for BC/DR by virtue of its very nature. Linda Zhou, director of research and life sciences solutions at Western Digital, relayed that organizations that use object storage for sensitive yet large and unstructured datasets, like medical images, have an inherent protection against physical access.
"If you go to the data center and you pull out one of the drives," Zhou told Security Now at the 2018 Bio-IT World Conference & Expo, "you won't get anything."
Nonetheless, continued Zhou, she is seeing and hearing from enterprises that are so hypersensitive about BC/DR compliance with GDPR that their concerns do not align with reality -- to the point that enterprise organizations are insisting that their backups of EU-specific data are not just in the EU, but reside in the self-same EU member-state as where their primary systems and data stores are located.
To be fair, some of this may be less about GDPR and more about compliance with EU member-state implementations of the EU's Directive on Security of Network and Information Systems ("NIS Directive"). After all, healthcare organizations, such as those Zhou may deal with, are categorized as potential "operator[s] of essential services" that are subject to elevated reporting and data-management requirements under the NIS Directive. (See EU's NIS Directive Compounding GDPR Burdens & Confusion.)
On the other hand (and particularly considering how much less attention the NIS Directive has received compared to GDPR), for European enterprises and organizations that service and partner with European enterprises, such worries about backup storage are just as much about conservative European sensibilities as they are about European legal frameworks. Consider that in its 2016 Cloud Services Trends survey of IT professionals -- conducted a few months before the EU even adopted GDPR in April 2016 -- Spiceworks reported that nearly 40% of European respondents indicated that their organization's policies dictated that all of their respective data must be located not just within the EU but in a specific EU country. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)
"I think it's in part cultural," Steve Yemm, vice president of sales at laboratory-software firm BioData, told Security Now at Bio-IT World. "It's not concern about GDPR that's stopping biotechs from putting data in the cloud; it's an attitude of 'Well, we just have never done this before.'"
Accentuating access over possession
Regardless of where it is stored, however, organizations must practice discretion when it comes to what they back up. In addition to other-than-intelligent, yet nonetheless prolific data-protection practices such as those in the Adobe example, a large part of the reason we have GDPR at all is the everyday business practice of data over-retention. This presents a direct security risk in and of itself, privacy concerns and European rights to be forgotten aside -- after all, attackers can't compromise data you don't have. (See Four Enterprise Security Lessons From Maury
There is also a secondary, indirect security risk to data over-retention: a poorly conceived, poorly maintained secure development lifecycle (SDLC). As various business units have grown data-gluttonous, enterprises have grown lazy in maintaining SDLCs -- leading to a broader attack surface for production data (as seen in Adobe's case).
Funnily enough, addressing the problem of data hoarding is where the Internet of Things (IoT) -- long criticized for security and privacy failings -- can come in handy. We have long since transitioned from the Information Age to what has been called "the Systems Age." (See IoT Regulation Could Save the Internet.)
This means that -- because of how commoditized data has become, and how easy and ubiquitous data access has similarly become because of the proliferation of IoT and cloud computing alike -- business success is no longer about who has the most data. Instead, the spoils of agility go to those enterprises that (1) have the best access to data and (2) stay lean by disposing of and declining to retain data, instead relying on that ready data accessibility whenever it is needed.
GDPR itself emphasizes the management of data access over data ownership. After all, the underlying philosophy driving GDPR is that human data subjects -- and not enterprises -- are the rightful owners of personal data.
— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer and speaker. Follow him on Twitter at @JoeStanganelli.