Nigel Thorpe, Technical Director
The Risks of Checkbox Compliance
01 Sep, 2020
A key principle of the GDPR is that personal data must be processed securely, using ‘appropriate technical and organisational measures’ – the ‘security principle’. To meet this principle, organisations implement a variety of IT security technologies, all aimed at protecting information where it is stored and processed.
By deploying technologies like these, organisations can ‘check all the boxes’ and demonstrate that personal information is secured in all states – while stored, in transit and in use.
For example, access controls are used to protect information within applications and data stores; Transparent Data Encryption (TDE) is used to secure data in databases; and application security ensures that only the information required to fulfil business processes is exposed to legitimate users. To secure other reports, spreadsheets and documents exported from these security silos, full disk encryption is commonly implemented.
A security silo is a location that provides protection for data stored within it. TDE fits the definition because data stored in the database is encrypted. Full disk encryption is another example, automatically encrypting data stored on the disk.
The problem with security silos is that when data is extracted from them it has no inherent protection. Data thieves look for ways to exfiltrate data from silos because they know it will not be protected once outside.
For example, if you’re working at home, perhaps on reports or spreadsheets containing sensitive information, but your Wi-Fi network is compromised, the information on your laptop can easily be stolen.
And what about the legitimate, but disgruntled employee? They’ve got access to data because it’s part of their job. They can export and copy information elsewhere, where it is no longer protected by its security silo. Once data is outside its silo, and the corporate network, it can be exploited at will.
Focus on the data
Rather than focusing on protecting information where it is held – on disks, in databases and in applications – wouldn’t it be more effective to build security right into the data itself? GDPR recognises that encryption is an effective information security technology but, as it is seen as difficult to use in real life, it is deployed sparingly and just used to protect data in silos.
Transparent, 100% encryption
We’ve got all the right technologies. The problem is in the trade-off where security is diminished in favour of ease of use. For example, full disk encryption is easy to deploy, but security is compromised because a running system seamlessly decrypts any data for any process – legitimate or not.
What is needed is better technology that balances effective security with ease of use. Such technology needs to be transparent to users while removing them from security decisions. Full disk encryption establishes the principle that everything – 100% – should be encrypted. But this principle must be implemented better, so that when a file on a running system is copied from one location to another, it remains encrypted. Furthermore, authentication should be built into the encrypted file so that only authorised individuals – not the bad guys – can decrypt the data.
With this transparent, 100% file encryption, all data will be protected no matter where it gets copied because security is part of the file rather than a feature of its storage location. And by continuing the 100% encrypted principle, IT security experts no longer need to spend hours tweaking data classification rules so that ‘important’ data gets more strongly protected.
Compliance, not just checkbox compliance
Organisations continue to perform risk analyses and implement security silos, so that they can show they are ‘checkbox compliant’ with GDPR. This approach is a major contributor to the numerous successful data exposures we are still seeing.
To become truly compliant, with security that persists even if data is stolen, organisations’ information security focus must change from protecting storage locations to securing the data itself. There’s no ransom leverage in empty threats.