
We need a new mindset for better data protection

A new European directive on data protection will come into force soon to better regulate privacy and data leakage in Europe. The aim of the new directive is to harmonize legislation in the 28 EU member countries and to strengthen the powers of national authorities for data protection so that they can better implement European regulations. A look back at the issues at stake, with Gemalto and ENISA.

July 14, 2015


As one of the official advisers of the European Commission, ENISA has recently published a report offering input and recommendations concerning the measures to apply to render data unintelligible to unauthorised users. The report is the first indication of the list of technological measures that the commission may publish, and, as such, will significantly influence the security solutions service providers choose to implement to comply with EU laws.

With these recommendations in mind, an organisation should consider three factors when building a comprehensive data protection strategy. Firstly, where is data being stored – is it in a database, file servers, virtual environments or the cloud? Secondly, how and where are encryption keys being secured? Finally, who’s accessing the data and more importantly, how is this access being controlled?

New approach for better protection

Once these three factors are understood, they can be converted into a three-step approach to data protection:

Encrypt all sensitive data
In the ENISA report, encryption is cited as an essential, effective foundation for achieving legal standards for security and governance in rendering data unintelligible. This means securing data at the application layer (such as point-of-sale terminals), while it is in transit, and when it is stored. This should also extend beyond financial data to all data that is valuable to the organisation, its customers and its users.

Store and manage encryption keys
Encrypted data is only as secure and available as the keys used to encrypt it. One of the most common mistakes that organisations make is storing the keys where their data resides, which can expose sensitive information to significant risk. A crypto management platform factors in key management, including rotating, creating and deleting keys. It also provides additional trust anchors for encryption keys using hardware security modules.

Control access
Establish an authentication strategy that protects user identities and ensures only authorised users have access to the systems, data and apps. This means going through a process of risk analysis in order to align access controls with specific data processing scenarios. Effective access control systems will use multi-factor authentication, which requires an additional level of user authentication, such as a passcode sent to a mobile phone.

Shift from “breach prevention” to “breach acceptance”

In today’s environment, the core of any security strategy needs to shift from “breach prevention” to “breach acceptance.” And, when one approaches security from a breach-acceptance viewpoint, the world becomes a relatively simple place: securing data, not the perimeter, is the top priority. Securing the data is a challenging proposition in a world where cloud, virtualization and mobile devices are causing an exponential increase in the attack surface. Many organizations might be inclined to address this problem with a ‘containment’ strategy – limiting the places where data can go, and only allowing a limited number of people to access it. However, this strategy of “no” – where security is based on restricting data access and movement – runs counter to everything technology enables today. The mandate today is to achieve a strategy of “yes,” which is built around the understanding that the movement and sharing of data is fundamental to business success.

Less than one per cent were secure breaches

The need for greater regulation has never been clearer. According to SafeNet’s Breach Level Index, in the first half of 2014 alone, more than 375 million customer records were stolen or lost as a result of 559 breaches worldwide. The sheer volume of data breaches alone should have alarm bells ringing for IT managers, but perhaps what’s more worrying is the fact that less than one per cent were secure breaches – where the data stolen had appropriate controls and protection around it. This is the primary reason that the EU data protection regulation is being introduced: to ensure that if a breach occurs, customers’ data remains protected.

With Dirk Geeraerts, Regional Sales Director, Gemalto
