Cloud storage and sharing services have been widely adopted in recent years, addressing a valid user need for easier access to relevant files and documents across multiple computing devices. Many of these services offer extremely large personal storage footprints, and support the synchronization of files to one or more computing devices. This user bonanza, however, could cause a data protection nightmare under GDPR through the inadvertent sharing of personal data by employees collaborating with others inside and external to the organization, not to mention the prospect of malicious disclosure by disgruntled employees or external actors.
Organizations need to ensure they have selected and deployed appropriate cloud storage and sharing services in the first place, and are actively blocking or discouraging the use of non-authorized services. Proactive monitoring of sharing actions should also be in place to minimize the likelihood of data breaches. A key decision criterion in selecting a cloud storage service is the consistent use of encryption to protect data held in the cloud service (encrypting data in transit, in use and at rest), either provided directly by the vendor itself or enabled through a third-party service provider, so that the service delivers the right level of risk mitigation.
While a successful malware infiltration can render computers unusable – a costly annoyance and interruption that most organizations will want to avoid – of more serious concern under GDPR is the potential for malware to harvest credentials for user and administrator accounts. Harvested credentials can then be used to access data sources across the organization (both on-premises and in cloud services), including those containing personal and sensitive personal data. Preventing a malware infection in the first place requires a multi-faceted technological response, including anti-malware software and services and advanced threat protection.
Advanced threat protection services need to become commonplace, in order to deliver capabilities that pre-analyze every click on a URL to ensure it does not contain a malware payload, and likewise protect against email attachments being used as an attack vector.
Blocking malware through technological means is essential for any organization wanting to become GDPR-compliant (specifically to reduce the likelihood of data breaches, among other implications), and highlighting dangerous or compromised URLs or attachments helps educate the user population about the security risks facing the modern organization. Moreover, organizations must show that encrypting and tokenizing with format-preserving technologies that also preserve context, logic, relationships and meaning allows data to remain portable while neutralizing malware that typically goes after data in the clear. Finally, while malware can create havoc as above, organizations will also need to protect against malware-less attacks that use trickery to impersonate a trusted or senior-level executive in order to gain access to sensitive information.
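To make concrete what "format-preserving tokenization that preserves relationships" means in practice, here is an added illustrative example, not code from the original article or from any vendor product: a keyed, deterministic tokenizer backed by an in-memory vault. The class name `Tokenizer`, the `DEMO_KEY` and the sample identifiers are constructed for the demo, and the character-shifting scheme is a teaching stand-in rather than a standardized FPE mode such as NIST FF1/FF3-1.

```python
import hashlib
import hmac
import string

# Constructed demo key: a real deployment keeps this in a KMS/HSM, never in code.
DEMO_KEY = b"demo-only-key-not-for-production"
_CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase)

def _shifts(key: bytes, value: str) -> list[int]:
    """One keyed pseudorandom byte per character, from HMAC-SHA256 over the
    whole value plus a counter, so equal inputs always get equal shifts."""
    out: list[int] = []
    counter = 0
    while len(out) < len(value):
        msg = value.encode() + counter.to_bytes(4, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return out[: len(value)]

class Tokenizer:
    """Deterministic, format-preserving tokenization with an in-memory vault.
    Digits map to digits, letters to letters of the same case; separators and
    the last `keep_last` alphanumerics are kept, so a token passes the same
    length/format checks as the original and joins on the column still work.
    Illustrative only: the modulo step is slightly biased and this is not FF1."""
    def __init__(self, key: bytes = DEMO_KEY, keep_last: int = 0) -> None:
        self._key = key
        self._keep_last = keep_last
        self._vault: dict[str, str] = {}  # token -> original, service-side only

    def tokenize(self, value: str) -> str:
        shifts = _shifts(self._key, value)
        alnum = [i for i, c in enumerate(value) if any(c in k for k in _CLASSES)]
        protected = set(alnum[: max(0, len(alnum) - self._keep_last)])
        out = []
        for i, c in enumerate(value):
            if i in protected:  # shift within the character's own class
                cls = next(k for k in _CLASSES if c in k)
                c = cls[(cls.index(c) + shifts[i]) % len(cls)]
            out.append(c)  # separators, non-ASCII and retained suffix pass through
        token = "".join(out)
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only the tokenization service holds the vault."""
        return self._vault[token]
```

Because the mapping is deterministic under one key, two records carrying the same customer identifier still tokenize to the same token, so grouping and joining downstream keep working while the clear value never leaves the tokenization service.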
The GDPR requires that organizations embrace data protection “by design and by default,” which means data protection considerations should be an always-on approach, not an afterthought at the tail end of a development job or selection process. Approaches that we have explored above – such as data encryption, classification and pseudonymization – should therefore become initial discussion and design points. Likewise, technologies that proactively test for security vulnerabilities during development and deployment should be evaluated as a way of operationalizing a data protection by design mindset and approach.
Organizations should look for cloud providers that offer specific assurances on the requirements of GDPR. For example, cloud services should be designed to address the access, rectification, and erasure rights of data subjects. Equally, there should be jurisdictional assurance that all EU data is kept solely within the EU, using multiple data centers within the EU for redundancy and consistent data protection. Multinational organizations with significant operations outside of the EU will require an appropriate cloud architecture to meet the differing data protection requirements of their various markets. Cloud providers that meet GDPR certification standards give good assurance to customers that the technical side of the law is addressed appropriately, although this technical readiness must be met with appropriate organizational measures too.