Why You Need a CASB for GDPR Compliance
Published 04/04/2017
By Rich Campagna, Senior Vice President/Products & Marketing, Bitglass
With enforcement of the EU's General Data Protection Regulation (GDPR) just over a year away in May 2018, your planning efforts should already be well underway. Adoption of cloud applications across the EU continues at a rapid clip, and the global architecture of the leading cloud applications makes protecting personal data, and keeping it resident in a given region, genuinely difficult.
With mandatory breach notifications and very steep fines (up to 4% of annual global turnover or EUR 20 million, whichever is higher), the cost of non-compliance is high. On the other hand, it's nearly impossible to stop the move to cloud in most organizations, so that's not an option either. Fortunately, you still have time to arm your organization with the key to combining cloud adoption and GDPR compliance: a cloud access security broker (CASB). Let's take a look at some of the areas where a CASB can help:
- Identifying personal data - the GDPR protects any data relating to an identified or identifiable natural person (name, address, email, driver's license number, and much, much more). The first thing you need to do in order to protect that data is to find out where it is. CASBs can scan both data-in-transit and data-at-rest across a wide range of cloud-delivered apps (SaaS, IaaS, and custom applications). Any CASB you choose should have a library of pre-built identifiers for names, phone numbers, addresses, national identity and driver's license numbers, health record information, bank account numbers, and more. Check how those identifiers actually work: an identifier that validates a checksum (IBAN mod-97, card-number Luhn) produces far fewer false positives than one that matches digit runs alone, and free-text names cannot be found by pattern at all.
- Controlling the flow of personal data - Once you've identified where sensitive data resides, you want to control where it can go. CASBs include a range of policy options that allow you to do things like geofence personal information, control access from unmanaged/unprotected devices, control external sharing, and encrypt data upon download. All of these options can help mitigate the risk of non-compliance.
- Maintaining data residency and sovereignty - Major cloud applications often have global architectures, which makes it difficult, if not impossible, to keep data within a given country or region. Encryption helps here: the GDPR names it as an appropriate safeguard (Article 32), and ciphertext whose keys never leave your control is a far smaller liability when the provider replicates it outside the EU (confirm with counsel how that interacts with the transfer rules in Chapter V). Seek out a CASB that offers the killer app for GDPR - full-strength cloud encryption - across both unstructured (file) and structured (field) data.
- Word of caution: some cloud application vendors offer their own "built-in" or "platform" encryption. With these schemes the cloud provider holds the keys and can therefore read the data, as can anyone who compromises or legally compels the provider. This is a GDPR gray area and may leave you, the data controller, on the hook for those hefty fines and mandatory notifications. Verify who can access the keys before you count platform encryption toward compliance.
- Monitor Risky Activity - A CASB can give you visibility into everything that's happening with your users and your data across protected cloud applications. User Behavior Analytics and alerting capabilities let you know when risky activity is happening. This might mean reporting on indicators of breach, credential compromise, personal data access from outside the EU, or more. This critical visibility will allow you to identify and stop activities that might otherwise leave you staring down a fine of up to 4% of global turnover (and a corresponding loss of your job).
- Identify Shadow IT - simply put, GDPR and Shadow IT are a volatile and risky mix. There's simply no feasible way to get the controls and visibility needed over applications that your organization has no ability to control. A CASB can give you much needed visibility into Shadow IT applications, and their corresponding risk, but your only option when faced with GDPR is to get out of the shadows - either sanction and protect shadow IT through a CASB, or block unsanctioned apps altogether.
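As an added example (not Bitglass's code and not part of the original post), here is what the identifier-library idea in the first bullet looks like in working Go: two identifiers, one pattern-only (email) and one with a checksum validator (IBAN, ISO 13616 mod-97), run over a constructed request body the way an inline proxy would see it. The field names, the sample record and the regexes are assumptions for illustration; the point is that the IBAN lookalike with a bad checksum in the free-text field is not reported.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identifier is one entry in a personal-data identifier library: a regex that finds candidates
// plus an optional checksum validator. The validator is what keeps a scan from flagging every
// alphanumeric run that merely looks like an account number.
type Identifier struct {
	Name     string
	Pattern  *regexp.Regexp
	Validate func(string) bool // nil: the pattern alone decides
}

// ibanValid is the ISO 13616 mod-97 check: rotate the first four characters to the end,
// map A..Z to 10..35, and require the resulting integer mod 97 == 1. The remainder is
// accumulated digit by digit so no big-integer arithmetic is needed.
func ibanValid(s string) bool {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	if len(s) < 15 || len(s) > 34 {
		return false
	}
	mod := 0
	for _, r := range s[4:] + s[:4] {
		switch {
		case r >= '0' && r <= '9':
			mod = (mod*10 + int(r-'0')) % 97
		case r >= 'A' && r <= 'Z':
			v := int(r-'A') + 10 // two decimal digits, fed in one at a time
			mod = ((mod*10+v/10)%97*10 + v%10) % 97
		default:
			return false
		}
	}
	return mod == 1
}

// identifiers is a two-entry library constructed for this example; a product's covers many
// more types. Names are left out on purpose: no regex recognises "Ada Lovelace" as a person,
// that takes dictionaries or context, which is why name detection is the noisiest category.
func identifiers() []Identifier {
	return []Identifier{
		{Name: "email", Pattern: regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`)},
		{Name: "iban", Pattern: regexp.MustCompile(`\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b`), Validate: ibanValid},
	}
}

// Field is one form field or API parameter as an inline proxy sees it in transit.
type Field struct{ Name, Value string }

// scan maps each field to the identifier that fired on it: a regex hit counts only if the
// identifier's validator (when present) accepts it. If several fire, the last one wins.
func scan(rec []Field, ids []Identifier) map[string]string {
	found := map[string]string{}
	for _, f := range rec {
		for _, id := range ids {
			for _, m := range id.Pattern.FindAllString(f.Value, -1) {
				if id.Validate == nil || id.Validate(m) {
					found[f.Name] = id.Name
					break
				}
			}
		}
	}
	return found
}

// sampleRecord is a constructed request body, not real data. The notes field carries an
// IBAN lookalike whose checksum is wrong, the kind of string a pattern-only scanner reports.
func sampleRecord() []Field {
	return []Field{
		{"name", "Ada Lovelace"},
		{"email", "ada@example.com"},
		{"iban", "GB82 WEST 1234 5698 7654 32"},
		{"notes", "ref GB82 WEST 1234 5698 7654 33, printer on floor 3 jammed"},
	}
}

func main() {
	for field, id := range scan(sampleRecord(), identifiers()) {
		fmt.Printf("%s: personal data (%s)\n", field, id)
	}
}
```

Run as is and only the email and iban fields are reported; drop the `Validate` function from the iban identifier and the notes field is reported too, which is the false-positive rate you are buying when an identifier library stops at pattern matching.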
These CASB controls can really jumpstart a successful GDPR program across your organization, leaving you free to consider some of the many other GDPR-related controls and policies you'll need to put in place over the next 12 months, including appointing a Data Protection Officer, figuring out how to implement "right to be forgotten," and reevaluating licensing terms and data ownership across your many cloud application vendors.