Security provider CipherCloud has claimed to be the first company to ship a General Data Protection Regulation (GDPR) cloud security solution. The announcement was made at the InfoSecurity Europe 2016 trade show in London. The GDPR protection is being delivered as an update to CipherCloud’s Cloud Security Broker (CSB) platform.
In the press release, Willy Leichter, vice president of cloud security for CipherCloud, commented: “The benefits of cloud computing for businesses can be substantial, but companies will always be held responsible for protecting private and sensitive customer information, regardless of where it resides. Our solutions enable organizations to adopt the cloud, while maintaining visibility and control over sensitive data—key requirements for complying with the new GDPR regulations.”
What new features does this add?
CipherCloud already provides customers the ability to create their own policies to control the distribution of data. These include the ability to control where data is stored both by content type and destination. There is also the ability to remediate any breaches of policy by blocking access and quarantining the content.
With the GDPR upgrade, there are a number of new additions to the types of content built into the application. These are designed to deal with Personally Identifiable Information (PII), which is the primary focus of GDPR. The press release identifies four sets of data CipherCloud is now reporting on:
- National identity numbers for more than 20 European countries
- Names, addresses, phone numbers, and email addresses
- Banking account and routing information including IBAN, SWIFT and ABA codes
- Private healthcare and insurance information
Not just about GDPR
One of the benefits that companies are likely to see as they become GDPR compliant is a greater awareness of potential data breaches. For example, control of the destination of data is not something confined to GDPR. The introduction of data sovereignty requirements by various countries means that data stored in the cloud has to be in a geo-locked location.
Alongside this is the ruling by the European Court of Justice that Safe Harbor is no longer valid. The replacement for Safe Harbor, the EU-US Privacy Shield, has also been ruled wholly inadequate. Both of these are putting pressure on multi-nationals as well as cloud vendors when it comes to where data is being stored. Even the validity of the model clauses to protect data, which they have used as a fall-back position, is being challenged. This means that cloud vendors and storage companies are having to open in-region data centres, and their customers need to put in place better data tracking processes.
This delivers an interesting security benefit. As data is tracked more closely, the exfiltration of data to locations out of region should become more readily detected. Some of this will be false positives due to corporate applications that have yet to be adapted to deal with data sovereignty. Other false positives will show where end-users and business units are moving data without understanding the compliance impact. The rest will be of interest to security teams as it could well indicate a breach in progress.
Cybercriminals will, of course, adapt and are already staging the exfiltration of data stolen in Europe. While this might limit the security benefit, it won’t completely eliminate it. Anything that can help security teams detect potential breaches has to be welcomed.
Another benefit here is that CipherCloud looks for data that has not been encrypted. This will also help companies identify locations where data is at risk. With the explosion of cloud services, there is a lot of data being stored by users who have no idea whether it is being properly encrypted and protected. Enterprises can now track data and ensure that the first line of protection is encryption.
What CipherCloud is offering here will help companies meet some of their GDPR requirements. It is not yet a complete GDPR protection solution, but the earlier that companies begin to put in place processes and systems that mitigate elements of GDPR, the less panic there will be as organisations begin to assess their GDPR readiness.
This is a good first step that also provides a range of other benefits to corporate data protection. It will be interesting to see how much new business CipherCloud can win from the GDPR protection alone.