Since the European Union’s General Data Protection Regulation (GDPR) went into effect, there have been more than 60 jurisdictions around the world that have enacted or proposed postmodern privacy and data protection laws.[i]Most recently in the U.S., the California Consumer Privacy Act (CCPA) went into effect on the first of this year and in Brazil, its General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”) kicked off this month. According to Gartner, “By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.”i
And these data protection and privacy regulations are not merely guidelines, they actually have “teeth” with high penalties for non-compliance. Since going into effect in May 2018, GDPR has led to over 160,000 data breach notifications across Europe and is estimated to have generated $126 million (114 million euros) in fines.[ii]
Distributed Security Playbook
Get the playbook that outlines how industry leaders are distributing security to solve scale and integration challenges. See how using interconnection and colocation enables industry leaders to deliver new command and control capabilities as part of their digital edge strategy.Read More
GDPR has led to over 160,000 data breach notifications across Europe and is estimated to have generated $126 million in fines.
Data regulations influence on enterprise IT strategies
In the Top 5 Technology Trends to Impact the Digital Infrastructure Landscape in 2020, we predicted that further complexity in protecting personal data as global trends toward stricter or new data privacy regulations continue to gain momentum, it will be more difficult for global companies distributed across multiple markets to navigate. Given this, we see businesses’ IT strategies focusing on data privacy, with continued application of the secure discovery, classification and encryption of personally identifiable information (PII) using greater automation and technologies such as artificial intelligence.
6 best practices for data protection and privacy
Today personal data is distributed by nature. It’s in our smartphones, home personal assistants and scattered across private and public databases in data centers or in the cloud. Given this fact, a company’s security strategy for protecting data in transit and at rest also needs to be distributed. A distributed security strategy that also takes the cloud into account can get your company closer toward protecting your company and customers’ data and out of trouble with regulators.
Here are six best practices to use as part of your overall security strategy for hybrid IT infrastructures
Do you know where your company’s security border ends and your cloud service provider’s begins?
- Know your security boundaries: Do you know where your company’s security border ends and your cloud service provider’s begins? The first step to a end-to-end distributed security strategy is understanding your company’s data security policies and obligations and those of your cloud provider. Creating a complete, end-to-end mapping of your company’s and your cloud provider’s security landscape can help you close any gaps that could lead to potential threats.
- Deploy data tiering: Since not all data is secured equally, use a tiered data architecture. This allows you to place specific levels of controls on different types of information based on your company’s security policies. Automated data tiering enables the movement of data between different storage tiers to ensure that the appropriate data resides on the right storage technology based on those policies. For example, you can store PII data on-premises or in a private cloud where you have more control, access and visibility. You should also “mask” or filter PII data whenever moving it to an environment where you have less control.
- Centralize user access controls: Secure identity and access management to data and applications using centralized OAuth tokens for authorization. Unified central identity and access control systems can enforce different access permissions across on-premises systems and in the cloud. API gateways can also streamline the management of user access tokens for consumer and business mobile applications.
- Adopt consistent security controls end-to-end: Implement consistent security policies for all the applications and their data across multiple data tiers, from mobile devices to edge servers to cloud. For example, if you encrypt your data at the edge, maintain the same encryption methods all the way to the backup servers. With consistent security controls, you can enforce your security policies efficiently. When enforcement becomes easier, you reduce the risk of employees circumventing security policies. Having consistent controls also enables you to monitor apps and user activities across all platforms to immediately mitigate any breaches.
- Use proper data protection for business continuity: For backup and restore, high availability and disaster recovery (DR) solutions, take proper snapshots of your computers and data. Store them inside safe vaults in your data center or cloud). For proper protection from ransomware attacks:
- Test point-in-time restores using proven tools and algorithms
- Ensure keys and encrypted backup data are not saved in the same environment.
- Develop a contingency plan for when to take apps offline, restore or failover to DR environment.
- Practice proper security for log management: Security logs often contain sensitive information , which is why you have to protect them properly. Make sure logs are encrypted and have a timeframe where you would delete logs that expire. Enforce “time-to-live” so that they are expunged after a proper period of time.
Platform Equinix® provides interconnection and edge services that can help you deploy these security best practices on-premises and in the cloud. For example, Equinix SmartKey™ is a SaaS-based, secure cryptography and key management service (KMS) that protects data on-premises and in hybrid multicloud environments across a global interconnected platform. With SmartKey, you are still in control of who accesses the data and the keys because they are stored separately from each other. For example, if you are a cloud provider faced with responding to a government subpoena for encrypted data, you can control who gets access to what data, without providing them the keys.
Also, Equinix Cloud Exchange Fabric™ (ECX Fabric™) enables you to develop direct and secure, private interconnection to on-premises data and data within the cloud. You can set up secure tiered data environments efficiently and cost-effectively securely and within compliance regulations.
Learn more about deploying distributed security by reading the Distributed Security Playbook.
You may also want to read the 451 Research report on Key Management as a Service.
[i] Smarter With Gartner, Gartner Predicts for the Future of Privacy 2020, Contributor: Susan Moore, January 20, 2020, https://www.gartner.com/smarterwithgartner/gartner-predicts-for-the-future-of-privacy-2020/.