Leslie K. Lambert
Chief Security and Strategy Officer, Gurucul
Oct 25, 2017
It’s now less than a year away, and from what we see, too many companies in the United States are simply not in sync with the EU GDPR (European Union General Data Protection Regulation) requirements yet. The regulation is due to go into effect on May 25, 2018. Even in Europe, only 52% of organizations had reached the state of ‘Dawning Realization’ (per IDC Research) as of last summer. And pleading ignorance simply won’t wash with EU regulatory authorities. Any organization (this means in the United States too) that deals with EU citizens’ personal data must be in compliance. Failure to do so could mean hefty fines: up to 4% of an enterprise’s worldwide revenue. Critical highlights include a requirement to notify EU authorities within 72 hours of a breach and a mandate to be able to prove your security approach is state-of-the-art (SOTA). If you have to be able to report within 72 hours, you’d better have a solution that is SOTA!
Because not all of the requirements have been finalized and defined, some organizations have adopted a ‘wait and see’ approach. That’s a risky strategy. Others are only beginning to become aware of the serious nature of the compliance requirements. But time waits for no one. So if you haven’t rolled up your sleeves yet on this, let’s get a little more familiar with what’s going on. Found within the Council of the EU’s 261 pages of articles on this wide-reaching mandate are the GDPR principles, which boil down the essence of the legislation. They designate that controllers and processors of EU citizen data must ensure:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
The second bullet is where advanced security analytics come into play, and where the word ‘advanced’ has an especially critical importance. It ties directly to the key GDPR requirement that organizations working to ensure compliance must also be able to prove their security strategy is SOTA. Assuming that traditional IAM or SIEM solutions, with their manually defined legacy static signatures and rules, each constricted within its own silo inside an organization, will satisfy that requirement is simply not state-of-the-art. It’s legacy technology and outdated thinking. Identity is the new threat plane, and these legacy security solutions are ill-equipped to handle it.
Drawing context from big data with mature machine learning models is SOTA. And only a select few companies can deliver these capabilities with established use cases in UEBA (user and entity behavior analytics), identity analytics (IdA), privileged access analytics (PAA) and cloud security analytics (CSA).
As budgets come under review, and the May 25, 2018 EU GDPR deadline looms, weighing these GDPR factors in favor of the next generation of advanced security analytics may help determine an organization’s success or failure in the future. Adopting a SOTA advanced security analytics solution not only aligns with EU GDPR requirements, which cannot be ignored, but also empowers an organization’s productivity and expands its security visibility across all of its siloed environments. Without it, the gray areas of unknown unknowns continue to grow, and the threat plane expands.
In my next blog on the looming EU GDPR deadline, the second in a series, I’ll go into more depth about what the financial penalty really means for multinational companies that are not compliant. It’s not for the faint of heart!
To learn more about the EU GDPR, check out our white paper on the topic: Advanced Security Analytics Applications in EU GDPR