What is the GDPR?
The General Data Protection Regulation, or GDPR, is a major new piece of legislation designed to address the protection and responsible use of each and every European Union citizen’s personal data. GDPR is not an EU only regulation; it affects any business or individual handling the data of EU citizens, regardless of where that business or individual is based. The penalties for non-compliance are stiff: Up to €20 million (about $24 Million USD) or 4 percent of annual global turnover, whichever is greater. GDPR comes into effect in May 2018.
According to Bart Willemsen, research director at Gartner – “The GDPR will affect not only EU-based organizations but many data controllers and processors (entities that decide what processing is to be performed and/or carry out that processing) outside the EU as well. Threats of hefty fines, as well as the increasingly empowered position of individual data subjects in controlling the use of their personal data, tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
The GDPR is similar in some ways to PCI DSS in that it aims for a comprehensive approach to data protection that goes well beyond the technical aspects. Even though the individual GDPR requirements aren’t as technically detailed, its security tenets and its objectives are the same as PCI DSS: to protect, secure and track use of specific types of data. Compliance with its requirements requires both implementing security best practices and modifying processes and human behavior to comply with those best practices, including timely analysis of anomalies.
The GDPR requirements do differ in other ways from the PCI DSS requirements:
- They apply to many more types of personal data, including addresses, phone numbers, IP addresses and health-related data (and have different rules for handling certain data types).
- They are much more prescriptive with respect to governance.
- They place much more emphasis on allowable use of the data, including data subject consent and advance analysis of the potential privacy impact and available mitigations when introducing a new form of processing.
Like most regulations, the GDPR has its own distinct terminology and set of definitions. In order to evaluate its impact on your organization, it is important that you understand key concepts such as “personal data”, “data controller” and “processor”. Definitions of interest include:
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
See Article 4 of the GDPR for a complete set of definitions.
No one should suffer from the illusion that there’s a silver bullet that will effortlessly make an organization 100% secure and compliant with every security-related framework. Identifying your assets and building your security strategy around those assets is the only true way to mitigate risk. Identification is key. If you don’t know what data you possess, where it resides, what you are protecting and why you are protecting it, it becomes difficult to deploy an effective strategy and measure compliance to it. GDPR makes identifying your assets critically important.
So how can you make your HPE NonStop environment compliant with the GDPR’s technical security regulations and demonstrate its ongoing compliance with them? Let’s break it down:
Authentication and Access Control
Article 32 of the GDPR states “the data controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Further, Article 32 requires “the data controller or data processor must take steps to ensure that any natural person with access to personal data does not process the data except on instruction of the controller, processor, European Union law, or member state law”.
This means ensuring that proper authentication, access control, and identity management are in place to ensure a level of security appropriate to the risk. These components are fundamental parts of a data security strategy and ensure that the appropriate protection layers are in place to mitigate the risk.
The authentication aspects of Article 32 can be addressed by deploying and appropriately configuring the following solution supplied with the HPE NonStop OS:
- XYGATE User Authentication for extending Safeguard’s authentication controls and integrating NonStop security with RSA tokens for Multi-Factor Authentication.
The access control technical aspects of Article 32 can be addressed by deploying and appropriately configuring the following optional product solution supplied through HPE
- XYGATE Access Control for Role Based Access Control and Keystroke Logging to capture command activity.
And the identity management technical aspects of Article 32 can be addressed by deploying and appropriately configuring third-party solutions available for HPE NonStop servers
Auditing and Alerting
Article 33 of the GDPR requires prompt breach notification: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”
In order to be able to detect personal data security breaches, records of all activity that touch that data need to be collected and organized in a way that makes it as easy as possible to detect and report on all unauthorized access. For NonStop systems, this essentially means auditing everything associated with GDPR-defined personal data – or as much possible to address the risk. Having security data available and solutions in place to report on the data will allow quick alerting and access to data and evidence to comply with this Article. Of course, you should act up front to minimize the potential for breaches as reflected in Article 32, and auditing other aspects of your security environment such as subsystem configuration changes is necessary for early detection of changes that might reduce the effectiveness of your security risk mitigation.
Auditing all NonStop security-related activity and events may seem easier said than done especially when you have hundreds of thousands (maybe millions) of events occurring daily throughout your environment. What you need is a really powerful software solution that allows you to track, filter, manage and report on all relevant NonStop security-related activity.
XYGATE Merged Audit merges multiple sources of NonStop audit data (for example, Safeguard, XYGATE, EMS, Measure, ACI BASE24®, IHSS Telco solution, SECOM, and SQLXPress) into a single NonStop repository. This merged and normalized data can be used to forward to security analysis platforms specifically for HPE NonStop data, alerting, reporting and integrating with enterprise Security Information and Event Management (SIEM) solutions.
Some Auditing and Alerting technical aspects of Article 33 can be addressed by deploying and appropriately configuring the following solution supplied with the HPE NonStop OS:
- XYGATE Merged Audit for gathering, normalizing and centralizing security data.
Further Auditing and Alerting technical aspects of Article 33 can be addressed by deploying and appropriately configuring the following optional solution available for HPE NonStop servers:
- XYGATE Compliance PRO for measuring compliance status against specific GDPR requirements.
To best address all Auditing and Alerting technical aspects of Article 33, a real-time security monitoring, alerting, data analysis and security intelligence solution is required and there are plenty available on the market.
Article 32 of the GDPR also references Security of processing: “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including… the pseudonymization and encryption of personal data;”
This part of the article essentially boils down to encryption and masking of personal data. Encryption is supported on the HPE NonStop at most layers – from network to data. Article 32 requires processors working with EU citizens’ personal data to use it.
Pseudonymization is essentially tokenization or data masking. On the NonStop, this can be accomplished using the recent HPE Data Security spin/merge solution from Micro Focus; SecureData. Tokenization does not transform data, but instead randomly maps a live data field to a functionally equivalent surrogate value (i.e., a “token”) which replaces the real data. Since tokens do not represent actual data, they can be shared and stored without risk of data loss. To convert a token back to real data, a system (or application) needs to use the tokenization server which hosts the random mapping table to return the token to its original value. Format Preserving Encryption (FPE) can also be used here.
This section of Article 33 can be addressed by deploying and appropriately configuring the following NonStop solutions:
SecureData will properly secure your data and other solutions can help protect the processes, applications, and objects that operate on that data. This combination encryption or tokenization and dynamically securing objects and processes will ensure you have taken the necessary measures to address pseudonymization.
Compliance and Monitoring
Ensuring compliance is a critical aspect of any security program, and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic HPE NonStop security environment.
Let’s assume that you’ve implemented your security strategy based on the recommendations in this article and other security frameworks. You have established strong security procedures for your HPE NonStop system. The next step is to measure compliance against GDPR’s requirements. The latest version of HPE’s XYGATE Compliance PRO (v3.18) introduces GDPR policies, allowing NonStop security professionals to measure and monitor their GDPR compliance. XYGATE Compliance PRO has broken down the individual GDPR data security Articles and mapped them to NonStop technical controls to validate your security configuration and simplify your GDPR compliance activity. Compliance PRO’s easy to use and intuitive interface will clearly highlight the sections of your NonStop environment that comply with GDPR controls and show you the gaps where mitigation activity is required.
Given the high-value business applications and processes that are often run on NonStop servers and the sensitive data that they store and process, you can see why many NonStop environments will be subjected to GDPR and how HPE’s solution offerings as well as other third party security analytics solutions can help build a layered security strategy for proper data protection and monitoring of compliance.
May 2018 is just a few months away and there is a lot to do to bring both organizations and their systems into compliance. Luckily, most of the solutions and tools required to address GDPR technical security requirements and demonstrate compliance already exist. Hopefully, this article has given you the solid groundwork to understand what you need to start thinking about when it comes to GDPR and the NonStop. The fines are significant enough to make every organization pay attention. If you need assistance with compliance readiness activity, please reach out to your account executive at HPE and they will be more than happy to help you.
Steve Tcherchian, CISSP
CISO and Director of Product