GDPR Presents New Challenges in Backup & Disaster Recovery Management

Published: 23/11/2024   Category: security

GDPR applies not only to primary systems, but also to backup and recovery systems. Cloud storage, combined with a modicum of common sense, may prove essential to helping with GDPR compliance for these systems.

It hardly takes a William Blackstone to figure out that the European Union's General Data Protection Regulation (GDPR) applies not only to primary production systems, but also to backup and recovery systems.
Although Article 32(1) of GDPR is very openly worded, leaning heavily on the term "appropriate", it speaks directly to business continuity and disaster recovery (BC/DR) concerns: it calls for measures to ensure "the ongoing confidentiality, integrity, availability and resilience of processing systems and services" (Article 32(1)(b)) and "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident" (Article 32(1)(c)).
Moreover, to the extent that Article 32(1)(a), which names "the pseudonymisation and encryption of personal data", and other relevant portions of GDPR call for encryption and masking, a fairly obvious yet often overlooked consequence is that enterprises should encrypt or mask that data wherever a copy of it lives, including in their backup systems and restore targets.
The same could also be said for best practices in data stewardship, and enterprises are still confused on these finer points.
Perhaps the seminal case study in how not to do BC/DR is Adobe's 2013 data breach, in which some 150 million account records were exposed after an intruder reached a backup authentication system that had been marked for decommissioning. Making matters worse, apparently treating the system as "just a backup", Adobe had not protected the credentials properly: the passwords were encrypted reversibly with a single site-wide key rather than hashed with per-user salts, so identical passwords produced identical ciphertext, and the password hints were stored in plaintext alongside them. A hint that gave away one user's password therefore gave away every other account with the same ciphertext.
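To make the failure mode concrete, here is an added example (not code from the original article, and not Adobe's actual scheme) contrasting an unsalted, deterministic credential store with a per-user salted one. The sample user table and hints are constructed for the example; the fixed-key HMAC in `weak_store` is only a stand-in for a deterministic encryption scheme, and `SITE_KEY` is a hypothetical name. The point it shows is that a deterministic transform lets an attacker holding the backup cluster accounts by identical tokens and use any one plaintext hint to unlock the whole group, whereas the hardened store yields distinct digests for the same password and keeps no hints at all.

```python
import hashlib
import hmac
import os

# Constructed sample credential table for the example: (email, password, hint).
# Three users share the same password, which is the realistic case that matters.
USERS = [
    ("alice@example.com", "hunter2", "my first pet"),
    ("bob@example.com", "hunter2", "the usual"),
    ("carol@example.com", "correct horse", "xkcd"),
    ("dave@example.com", "hunter2", "same as my old AOL one"),
]

# Hypothetical site-wide secret: stand-in for a single symmetric key that
# transforms every password the same way, with no per-user salt.
SITE_KEY = b"site-wide-fixed-key-for-illustration-only"


def weak_store(users):
    """Deterministic, unsalted transform of each password (a stand-in for
    reversible encryption under one key) plus the hint stored in plaintext.

    Equal passwords always produce equal tokens, which is the weakness.
    """
    rows = []
    for email, password, hint in users:
        token = hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()
        rows.append({"email": email, "token": token, "hint": hint})
    return rows


def weak_store_clusters(rows):
    """Attacker's view of a leaked weak store: group accounts by identical token.

    Returns {token: [(email, hint), ...]} for every group of two or more
    accounts. Any hint in a group that reveals the password unlocks the group.
    """
    groups = {}
    for row in rows:
        groups.setdefault(row["token"], []).append((row["email"], row["hint"]))
    return {tok: members for tok, members in groups.items() if len(members) > 1}


def hardened_store(users, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; hints are not stored.

    The iteration count is a parameter so a backup of this table carries
    everything needed to verify logins after a restore, and nothing more.
    """
    rows = []
    for email, password, _hint in users:  # hint deliberately discarded
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        rows.append({
            "email": email,
            "salt": salt.hex(),
            "iterations": iterations,
            "digest": digest.hex(),
        })
    return rows


def verify(row, candidate):
    """Check a candidate password against one hardened row in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(row["salt"]),
        row["iterations"],
    )
    return hmac.compare_digest(digest.hex(), row["digest"])


def same_password_distinct_digests(rows, emails):
    """True when the listed accounts all have different digests and salts."""
    digests = {r["digest"] for r in rows if r["email"] in emails}
    salts = {r["salt"] for r in rows if r["email"] in emails}
    return len(digests) == len(emails) and len(salts) == len(emails)


if __name__ == "__main__":
    weak = weak_store(USERS)
    for tok, members in weak_store_clusters(weak).items():
        print(f"token {tok[:12]}... shared by {len(members)} accounts; hints:",
              [hint for _, hint in members])
    hard = hardened_store(USERS)
    print("alice/hunter2 verifies:", verify(hard[0], "hunter2"))
    print("hunter2 users have distinct digests:",
          same_password_distinct_digests(hard, {"alice@example.com", "bob@example.com", "dave@example.com"}))
```

The lesson for backup management is that the hardened table is what should be replicated to the backup tier, and that a restore of an old, deterministic table reintroduces the weakness even if the primary was fixed years ago.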
Where GDPR is concerned, this sort of behavior falls under the category that EU Data Protection Authorities are perhaps most on the lookout for, to wit: utter data malfeasance. When it comes to more nuanced applications of GDPR to BC/DR management, IT administrators and security pros should again look to GDPR's use of the word "appropriate". (See My Cybersecurity Predictions for 2018, Part 2: GDPR Hype Is Hype.)
And yet, many enterprises may be bringing more GDPR pain upon their data-storage practices than needed.
Appropriate & inappropriate sensitivities
To a certain extent, although many compliance-sensitive organizations may fail to realize it, object storage, whether on-premises or in the cloud, may address some of these GDPR compliance needs for BC/DR by virtue of how it lays data out. Linda Zhou, director of research and life sciences solutions at Western Digital, relayed that organizations that use object storage for sensitive yet large and unstructured datasets, like medical images, get an inherent protection against physical access, because an object is spread across many drives rather than written whole to any one of them. (That protection covers a stolen or carelessly discarded drive; it does nothing against an attacker holding valid credentials for the storage API, which still calls for encryption and access control.)
"If you go to the data center and you pull out one of the drives," Zhou told Security Now at the 2018 Bio-IT World Conference & Expo, "you won't get anything."
Nonetheless, continued Zhou, she is seeing and hearing from enterprises that are so hypersensitive about BC/DR compliance with GDPR that their concerns do not align with reality -- to the point that enterprise organizations are insisting that their backups of EU-specific data are not just in the EU, but reside in the self-same EU member-state as where their primary systems and data stores are located.
To be fair, some of this may be less about GDPR and more about compliance with EU member-state implementations of the EU's Directive on Security of Network and Information Systems (NIS Directive). After all, healthcare organizations, such as those Zhou may deal with, are categorized as potential "operator[s] of essential services" that are subject to elevated reporting and data-management requirements under the NIS Directive. (See EU's NIS Directive Compounding GDPR Burdens & Confusion.)
On the other hand (and particularly considering how much less attention the NIS Directive has received compared to GDPR), for European enterprises and for organizations that service and partner with European enterprises, such worries about backup storage are just as much about conservative European sensibilities as they are about European legal frameworks. Consider that in its 2016 Cloud Services Trends survey of IT professionals, conducted a few months before the EU even adopted GDPR in April 2016, Spiceworks reported that nearly 40% of European respondents indicated that their organizations' policies dictated that all of their data must be located not just within the EU but in a specific EU country. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)
"I think it's in part cultural," Steve Yemm, vice president of sales at laboratory-software firm BioData, told Security Now at Bio-IT World. "It's not concern about GDPR that's stopping biotechs from putting data in the cloud; it's an attitude of 'Well, we just have never done this before.'"
Accentuating access over possession
Regardless of where it is stored, however, organizations must exercise discretion about what they back up at all. Beyond careless yet widespread data-protection practices like those in the Adobe example, part of the whole reason we have GDPR is the everyday business practice of data over-retention. Privacy concerns and the European right to be forgotten aside, over-retention is a direct security risk in and of itself: attackers cannot compromise data you do not have. (See Four Enterprise Security Lessons From Maury.)
There is also a secondary, indirect security risk in data over-retention: a poorly conceived, poorly maintained secure development lifecycle (SDLC). As various business units have grown data-gluttonous, enterprises have grown lazy about maintaining their SDLCs, so copies of production data end up on systems nobody is tracking, patching or decommissioning, which broadens the attack surface for that data (as Adobe's decommission-marked backup server shows).
Funnily enough, addressing the problem of data hoarding is where the Internet of Things (IoT), long criticized for security and privacy failings, can come in handy. We have long since transitioned from the Information Age to what has been called the Systems Age. (See IoT Regulation Could Save the Internet.)
This means that, because of how commoditized data has become and how easy and ubiquitous data access has become through the proliferation of IoT and cloud computing alike, business success is no longer about who holds the most data. Instead, the spoils of agility go to those enterprises that (1) have the best access to data and (2) stay lean by disposing of, and declining to retain, data they do not need, relying on that ready accessibility whenever the data is needed again.
GDPR itself emphasizes the management of data access over data ownership. After all, the underlying philosophy driving GDPR is that human data subjects, and not enterprises, are the rightful owners of personal data.
— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer and speaker. Follow him on Twitter at @JoeStanganelli.