General Data Protection Regulation Archives - DevOps Online North America
https://devopsnews.online/tag/general-data-protection-regulation/
by 31 Media Ltd.
Thu, 26 Apr 2018 16:22:48 +0000

Staying GDPR compliant in the cloud
https://devopsnews.online/staying-gdpr-compliant-in-the-cloud/
Thu, 26 Apr 2018 16:12:53 +0000

More and more firms are moving towards public cloud platforms such as Google Cloud, Microsoft Azure and Amazon’s AWS to support digital transformations, customer support, supply chain management and employee collaboration.

Ensuring cloud environments are protected by the upcoming EU General Data Protection Regulation (GDPR) is essential, as personal data is more than likely to be stored, processed and shared.

Firms must safeguard EU customer data held in public clouds by 25 May 2018 by having complete visibility into their public clouds, as well as good security measures such as DevSecOps pipeline protection, web app scanning, vulnerability management and well-configured controls.

Compliance issues

In the cloud, it can be tricky to adapt processes and security controls because firms don’t have a lot of control, or the know-how through tools and processes, to secure public clouds.

The Cloud Security Alliance (CSA) identified the following as the most significant areas for compliance issues when moving to the cloud:

  • Data breaches
  • Weak identity, credential and access management
  • Insecure APIs
  • System and application vulnerabilities
  • Account hijacking
  • Malicious insiders
  • Advanced persistent threats (APTs)
  • Data loss
  • Insufficient due diligence
  • Abuse and nefarious use of cloud services
  • Denial of service
  • Shared technology vulnerabilities

Staying compliant

To stay compliant, the Cloud Industry Forum recommends the following:

  1. Know the location where cloud apps are processing or storing data: You can accomplish this by discovering all of the cloud apps in use in your organisation and querying to understand where they are hosting your data. The app vendor’s headquarters are seldom where your data are being housed. Also, your data can be moved around between an app’s data centres.
  2. Take adequate security measures: You need to know which apps meet your security standards, and either block or institute compensating controls for ones that don’t. Netskope has automated the discovery process by measuring cloud apps against 45+ parameters with our Cloud Confidence Index, so you can easily see where apps are lacking and quickly compare among similar apps.
  3. Close a data processing agreement with cloud apps: Once you discover the apps in use in your organisation and consolidate those with overlapping functionality, sanction a handful and execute a data processing agreement with them to ensure that they are adhering to the data privacy protection requirements set forth in the GDPR.
  4. Collect only necessary data: Specify in your data processing agreement (and verify in your DLP policies) that only the personal data needed to perform the app’s function are collected by the app from your users or organisation and nothing more, and that there are limits on the collection of “special” data, which are defined as those revealing things like race, ethnicity, political conviction, religion, and more.
  5. Don’t allow cloud apps to use personal data: Ensure through your data processing agreement, as well as verify in your app due diligence, that apps state clearly in their terms that the customer owns the data and that they do not share the data with third parties.
  6. Ensure you can erase data: Make sure that the app’s terms clearly state that you can download your own data immediately and that the app will erase your data once you’ve terminated service. If available, find out how long it takes for them to do this. The more immediate (in less than a week), the better, as lingering data carry a higher risk of exposure.

Written by Leah Alger

10 tips to ensure you’re GDPR ready
https://devopsnews.online/10-tips-to-ensure-youre-gdpr-ready/
Thu, 19 Apr 2018 14:39:24 +0000

A list of GDPR facts to ensure you're ready for the 25 May deadline.

BEB Contract and Legal Services have been working with many clients from all different industries including IT, recruitment, digital marketing, trades and estate agents to ensure they are GDPR ready for the 25 May deadline.

Here is a list of the firm’s exclusive GDPR facts:

  1. Businesses have until 25 May 2018 to prepare.
  2. Personal data as a definition has become wider – so any information that can directly or indirectly identify a person is now considered as personal data.
  3. These principles must apply if you are handling personal data – processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purpose; adequate, relevant and limited to what is necessary; accurate and kept up-to-date; kept for no longer than is necessary in relation to the purposes for which it was collected; processed in a manner that ensures appropriate security.
  4. Consent is not the ONLY way to process data lawfully, you can rely on legitimate interests and meeting a contractual marketing, or to pass their details on. Organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of consent.
  5. Pre-ticked boxes are a big no-no and prospects must actively opt in to ANY future marketing.
  6. Individuals now have more rights – the right to be informed; right of access; right of rectification; right to erasure; right to restrict processing; right to data portability; right to object; rights with respect to automated decision-making and profiling.
  7. All emails containing personal data must be encrypted plus other data protection measures.
  8. If you are transferring personal data to a country outside the EEA they must also comply.
  9. All personal data breaches must be reported within 72 hours to the ICO.
  10. The fines are HUGE for non-compliance: €10 million or 2% of your annual turnover, whichever is higher – for not keeping proper records, violating data breach requirements and more; €20 million or 4% of your annual turnover, whichever is higher – for violating basic processing, ignoring individuals’ rights, incorrectly transferring personal data and more.

GDPR to shape how and where data is stored
https://devopsnews.online/gdpr-shape-data/
Thu, 10 Aug 2017 15:44:50 +0000

Designed to protect the privacy of European Union citizens by limiting how and where companies store data, a new General Data Protection Regulation (GDPR) will come into effect in May 2018.

Joel Benavides, senior director at Box, a cloud content management company, announced the policy has “spurred” an array of technology companies to create regional data silos.

Benavides said to Tech Republic: “When it comes to making sure your company’s cloud data is secure and in compliance, there isn’t a one size fits all protocol.

“Each company is different by looking at the service provider, and not just taking control or certification that has been granted by a third party.

“Regulations such as the GDPR are necessary, but those regulations must have practical application.

“The way to achieve that is by having dialogue with the parties that are both going to be affected, the ones who are in charge of protecting or operationalising those regulations, and the regulators themselves who are going to be enforcing it.”

Written by Leah Alger

Veritas study: Organisations believe they are GDPR compliant
https://devopsnews.online/veritas-study-organisations-believe-gdpr-compliant/
Tue, 25 Jul 2017 13:58:11 +0000

Veritas found that organisations across the globe ‘mistakenly’ believe they comply with the upcoming General Data Protection Regulation (GDPR)

The multi-cloud data management company’s report, The Veritas 2017 GDPR, found that 31% of survey respondents believe that their enterprise conforms to the legislation’s key requirements, although when questioned about GDPR provisions, the majority said they are unlikely to be in compliance; with 2% revealing a distinct misunderstanding over regulation readiness.

The findings showed that 61% of respondents think it’s difficult for their organisation to identify and report a personal data breach within 72 hours of awareness, and 48% said they are compliant without full visibility over data loss incidents; although organisations that don’t report the theft or loss of personal data are breaking key requirements.

‘Avoiding reputational damage and financial loss’

Jason Tooley, Vice President at Veritas, said: “Organisations who actively focus on development of a culture of data confidence will have a clear business advantage. Customer and supplier confidence in the use of data is critical to improved customer engagement, greater personalisation and ultimately service quality. This allows organisations to turn GDPR from being a regulatory challenge to being a business differentiator.”

Organisations struggle to control former employees’ data access. To ensure that reputational damage and financial loss are avoided, former employees’ corporate data should be deleted to help stem malicious activity, although the report highlights that 50% of former employees are still able to access internal data.

‘Ensuring data compliance in the cloud’

“The complexity created through the management of data across multiple cloud and on-premise environments is accentuating the challenge and will inhibit an organisation’s ability to remain compliant in the face of the GDPR articles. For every organisation that’s currently struggling to make sense of the GDPR’s provisions, it should immediately seek an advisory service to audit its levels of preparedness and create a smooth and accelerated path towards total compliance,” added Tooley.

13% of survey respondents concluded that they do not have the capability to analyse and search personal data to uncover explicit and implicit references to an individual; with 49% believing that companies that comply with GDPR consider it the sole responsibility of the cloud service provider, ensuring data compliance in the cloud.

900 businesses across the US, the UK, France, Germany, Australia, Singapore, Japan and the Republic of Korea were interviewed for the report in February and March 2017.

Written by Leah Alger

Cyber expertise is much in demand
https://devopsnews.online/cyber-expertise-much-demand/
Fri, 09 Jun 2017 11:05:22 +0000

The General Data Protection Regulation will expand cyber workforces throughout European organisations faster than any region in the world, according to an International Information System Security Certification Consortium (ISC2) report, Benchmarking Workforce Capacity and Response to Cyber Risk.

The report results say that cybersecurity companies will expand by over 15% in the next 12 months, with two in five governments and companies broadening, leading to a shortfall of 350,000 cyber workers by 2022.

The report also states that organisations are struggling to retain their staff with 21% of the workforce having left their jobs in the past year, so 39% of UK cyber workers have commanded annual salaries of £87,000.

‘Structural concerns hamper development’

“There are real structural concerns hampering the development of the job market today that must be addressed. It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society,” said Adrian Davis, Managing Director at ISC2.

“The impact of this rising price for cyber expertise is that smaller and public sector organisations may find themselves priced out of employing top talent,” added Chief Scientist at McAfee, Raj Samani.

ISC2 noted that new, younger and more diverse talent would need to be brought into the workforce, although a fifth of the current workforce in Europe don’t have computing backgrounds.

Written from source by Leah Alger

Source: The Register

Enterprises rethink risk management software
https://devopsnews.online/enterprises-rethink-risk-management-software/
Tue, 30 May 2017 13:50:42 +0000

Four key developments have resulted in a transformation of the security software market, causing enterprises to rethink risk management software investments, because of demanding regulations, according to Gartner, an American research and advisory firm.

Gartner’s key points show that the overall security market will face a period of disruption:

  • The EU General Data Protection Regulation will cause uproar by 25 May 2018, if organisations face expensive fines for mishandling private data.
  • Advanced security analytics will help guide users to optimal resources, and will be embedded in at least 75% of security products by 2020, driven by heuristics, artificial intelligence learning and other techniques.
  • SaaS security and risk management is becoming crucial for digital business practices; however, providers aren’t taking into consideration the financial implications of maintenance while investing in AAS products.
  • Vendors are pursuing innovative approaches to security problems, acquisition, integration and consolidation; affecting strategies to increase market share and enter completely new markets.

“Cloud based digital business and technology models are changing how risk and security functions deliver value in an organisation,” said Deborah Kish, principal research analyst at Gartner.

“At the same time, the threatening landscape and rise in the number of high-impact security incidents are also creating demand for security technologies and innovations that deliver greater effectiveness,” she added.

Gartner also noted that in a bid to increase market share and enter completely new markets, vendors should engage in innovative approaches to security problems, acquisition, integration and consolidation.

Written from press release by Leah Alger
