In the past few weeks both BA and Marriott made the business headlines for the wrong reasons: fines for infringing the General Data Protection Regulation (GDPR). Both fines followed breaches in which customer records, payment card details included, were exposed. What could have limited the damage, and the penalty? The answer lies in end-to-end data encryption.
The GDPR, specifically Article 34, tells businesses what they owe the affected individuals on the day after a breach, and when they are excused from telling them: "The communication to the data subject ... shall not be required if any of the following conditions are met ... the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption." Two caveats apply. The exemption covers communication to the data subject only; the duty to notify the supervisory authority under Article 33 remains. And the data must actually be unintelligible to the attacker, so encryption whose keys were taken along with the data earns no relief.
Hackers are selective. They rarely exfiltrate entire datastores; instead they look for patterns that suggest value. In the UK, as an example, card numbers commonly start with 4929 followed by 12 further digits, so the search is on for 16-digit numbers beginning 4929. If the data is encrypted before it is written to storage, there are no such patterns in the stored data to find. Where the encryption happens matters, though: encryption applied by the disk or array protects only against loss of the physical media, because anything that reads through the file system or database, an attacker on a compromised application server included, still sees plaintext. To be truly effective, encryption must be applied further up the stack, in the application, so that the data is protected in every layer below it, including in transit over the network.
A barrier to making such data storage changes, however, is often the perceived cost. Additional hardware or software licences may be required, and the existing policies that determine which data is stored where will need adjustments that are both complex and time consuming. Data placed on the wrong kind of storage either burdens the IT budget or, through reduced performance, affects business operations as a whole. Yet application-level encryption, the holy grail of end-to-end encryption, offers the best protection and can be easy to implement when enterprise encryption capabilities make it near-transparent to the applications and storage beneath it.
This leads to the natural conclusion that end-to-end data encryption is a business necessity today, not a business utopia.
Written by Eran Brown, CTO EMEA, INFINIDAT
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.