GDPR Forces Security Professionals to Stop Putting Data in the Cloud

cloud-team-590x384

eperi has disclosed the results of a survey of 250 IT security professionals that gives insight into what the new General Data Protection Regulation (GDPR) will mean for their organisations’ cloud practices. The study indicates uncertainty when it comes to cloud security as 53 % of respondents said that GDPR data security requirements would keep them from putting sensitive data in the cloud. For the majority (85%) this was due to their lack of confidence in the protection of sensitive data.
In addition, 72 % noted that they would have to re-evaluate their data security requirements in the cloud because of the regulation that comes into force May 2018.

“GDPR has meant that the age-old debate about the adequacy of security in the cloud has reared its head again,” said Ravi Pather, senior vice president of eperi. “Fines under the regulation seem to be the main driver for meeting compliance, as it’s likely to be an organisation killer for the worst offences. But with all of this hype, organisations must not forget that if they first and foremost secure the data that goes into the cloud through encryption or tokenisation and remain in control of the encryption keys, the scope of GDPR can be significantly reduced.”

Encrypting or tokenising data means that it is scrambled by an algorithm to such an extent that it is rendered unusable to any unauthorised party attempting to access it. The only way to decrypt the data is to use a key, which ideally should be under the control of the organisation who owns the data.

Currently, Pather points out, this is where many companies fall down in relation to GDPR, as 54% admitted that they rely on their cloud or Software as a Service (SaaS) provider to encrypt data and just over half 51 % think that it is acceptable for the solution provider to control all or part of the encryption keys.

“Where 54 % rely on the SaaS vendor for encryption, this is usually for ‘data at rest’, which under GDPR is only a subset of the ‘comprehensive security’ guidelines and recommendations which specifies the protection of PII and sensitive PII ‘data in motion’, ‘at rest’ and ‘in use’,” Pather explained.
“In the event of data compromise or loss, if the organisation is in full control of its own encryption keys, it can avoid the notification step altogether if the data is unreadable to the world outside the organisation,” he continued. “In contrast, if the cloud or SaaS provider controls the keys and they are breached, then there is no way to be certain the organisation’s data is safe and notifications and fines ensue.”