You’ve been hearing about it everywhere, and now the deadline is looming: on May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect. This regulation will give EU citizens greater control over their personal data and apply a standard set of rules across all member states of the EU, and in so doing, enable EU citizens and businesses to realize greater benefits from the ever-advancing digital economy. Organizations operating in the EU, as well as organizations offering goods or services to EU citizens or businesses, are required to comply. A major goal of the GDPR is protection of personal data—and encryption key management plays a crucial role in achieving this goal.
The GDPR’s broad definition of personal data
At the crux of the GDPR is more secure, responsible management of the personal data of EU citizens. While we may typically think of personal data as vital information such as an individual’s name, address, phone number, credit card transactions, financial information and medical records, rapid changes in technology and means of acquiring data have expanded the domain of personal data. The GDPR is designed to accommodate these changes.
As defined in Article 4 of the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The broad definition of personal data (and the detailed requirements defining legal acquisition and processing mentioned in Article 5) place considerable responsibility on any organization operating within the EU. Appropriate methods of data protection—paying particular attention to encryption key management—are needed to demonstrate compliance for this expanded definition of personal data.
Encryption—a strong defense against data breaches
The GDPR requires organizations to incorporate a high level of data protection into their processes. In Article 25, it defines this concept with the phrase “data protection by design and by default.” Encryption is mentioned as a key means to achieve the appropriate level of data protection. The regulation takes the added step of requiring encryption keys be kept separate from the encrypted data, thereby providing a greater level of protection against a data breach. With many organizations adopting cloud environments, and in many cases, employing multicloud environments for their operations that transformation presents the question of how encryption keys are best managed in those environments.
Managing encryption keys in multicloud environments
Encryption keys have historically been managed by hardware security modules (HSMs) located in the organization’s data centers. However, with more organizations, particularly those with international operations or those moving to distributed cloud environments, on-premise HSM management is no longer a desired, practical option because of the cost and logistical complexity of provisioning them in widely distributed cloud environments. Organizations with an EU presence are likely to already be employing some form of cloud—private, public or hybrid—with many using multiple cloud providers to support their business operations across EU member states.
Organizations employing multi-cloud environments will need to develop an encryption key strategy that can be consistently implemented and managed across hybrid environments. To help organizations achieve the level of personal data protection required by the GDPR and to do so in a manner that simplifies the entire lifecycle of encryption key management—generation, usage, rotation and retirement—without sacrificing security, consider these characteristics and capabilities when evaluating an encryption key solution:
- Is the solution easily implemented?
- Is the solution geographically available to support cloud environments and data sovereignty in the EU member states where you operate?
- Does the solution provide the equivalent level of encryption and data security available via on-premise HSM?
- Is the solution cloud-neutral? Can it manage encryption keys across multiple cloud environments?
- Can you centrally control all of the encryption keys regardless of the location of encryption keys and data?
- Does the solution deploy “at the edge,” allowing encryption keys to be separate from, but proximate to encrypted data?
HSM as a Service
The best approach to delivering each of the aforementioned capabilities is an HSM as a Service (HSMaaS) solution. It leverages the established strengths of the cloud—wide availability, service on demand and scalability—to make encryption keys easy to implement and manage.
In contrast to the cost and overhead of provisioning HSMs in widely distributed locations, HSMaaS is easily implemented, allowing you to manage and create encryption keys within minutes, while the in-country availability of HSMaaS supports the GDPR personal data requirement. Being cloud-neutral, HSMaaS supports leading cloud environments like AWS, Azure, Google, Oracle and IBM. Through simplified key management with a single control point, multicloud environments can be managed centrally and securely. By keeping encryption keys near, but not with the encrypted data, HSMaaS reduces latency while providing added defense against data breach.
HSM-as-a-Service can be ideal for any organization seeking an easily-implemented solution to securely manage encryption keys in a multicloud environment. HSM as a service can make your challenge of GDPR compliance significantly more attainable and manageable.
Take the first step
The GDPR initiative is a tremendous undertaking, involving painstaking preparation, significant investment and coordination of geographically-distributed resources to achieve compliance. As May 25 approaches, if you have outstanding concerns regarding data security and encryption key management in the context of cloud environments, we invite you to learn how Equinix SmartKey, using the Equinix platform, can help you address those concerns. Equinix’s global presence, unsurpassed connectivity and integration capabilities can play a critical role in helping you meet the GDPR requirements.