IBM Z Addresses GDPR Compliance With Pervasive Encryption
Personal data should be treated as important, guarded information. The European Union (EU) has underscored this fact by establishing the General Data Protection Regulation (GDPR), which goes into effect May 25.
Cindy Compert, IBM cybersecurity leader, U.S. Public Sector Market, and CTO, data security and privacy, IBM Security, prefers to more informally call the GDPR “the Global Data Protection Regulation,” because that’s essentially what it is. “It’s going to fundamentally change the way organizations must manage their data, their people, their policies, their processes and technology,” she notes.
Overcoming Overhead
GDPR regulations affect every business that deals with EU data subjects, regardless of whether that business has a physical presence on EU soil. If they’re actively marketing to, profiling or collecting information about individuals in the EU, they have to safeguard that data or face potentially stiff fines of up to 4 percent of their annual turnover or 20 million Euro (about $23 million), whichever is greater. Additionally, as Compert notes, “individuals can now take legal action.”
GDPR doesn’t tell companies what to do to protect data, but it does indicate that they need to take a risk-based approach to security and privacy, and additionally implement privacy and security by design. As a result, companies should establish baseline controls of what’s needed to protect information based on the risk to the individual.
That said, the only technical controls explicitly cited in Article 32 of the GDPR are pseudonymization and encryption. Pseudonymization is a method by which the key identifying fields within a data record are replaced by one or more substitute data elements; unlike anonymization, it can still allow re-identification by authorized users.
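To make the distinction concrete, here is an added illustration of pseudonymization (example code written for this article, not code from the article, IBM or the GDPR text): identifying fields are replaced with keyed tokens, the plain data stays usable for analysis, and only a holder of the assumed secret key and lookup table can re-identify a record. The record, key and field names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample record; values are made up for this example.
RECORD = {"name": "Alice Example", "email": "alice@example.test", "diagnosis": "flu"}
IDENTIFYING_FIELDS = ("name", "email")  # assumed: which fields identify a person


class Pseudonymizer:
    """Replace identifying fields with keyed tokens and keep the reverse mapping.

    The secret key and the lookup table are the assumed 'authorized' material:
    whoever holds them can re-identify; anyone with only the tokens cannot.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # token -> original value (re-identification table)

    def token(self, value: str) -> str:
        # A keyed HMAC (not a plain hash) so that an attacker without the key
        # cannot recover common names or e-mail addresses by guessing.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in IDENTIFYING_FIELDS:
            tok = self.token(record[field])
            self._lookup[tok] = record[field]  # same input -> same token (linkable)
            out[field] = tok
        return out

    def reidentify(self, record: dict, authorized: bool) -> dict:
        # Authorization is modelled as a flag here; a real system would check a role.
        if not authorized:
            raise PermissionError("re-identification requires authorized access")
        out = dict(record)
        for field in IDENTIFYING_FIELDS:
            out[field] = self._lookup[record[field]]
        return out


def run_demo(key: bytes = None):
    """Return (pseudonymized record, re-identified record, unauthorized_denied)."""
    p = Pseudonymizer(key or secrets.token_bytes(32))
    pseudo = p.pseudonymize(RECORD)
    try:
        p.reidentify(pseudo, authorized=False)
        denied = False
    except PermissionError:
        denied = True
    return pseudo, p.reidentify(pseudo, authorized=True), denied
```

Note that the non-identifying field (`diagnosis`) is left readable, which is exactly why the article treats pseudonymization as weaker than encrypting the whole record.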
And that’s why encryption is key to complying with the regulation. Since 2013, around 9 billion records have been exposed and some 96 percent of those records weren’t encrypted, according to the Breach Level Index (breachlevelindex.com). “I find that shocking,” Compert says.
Every company in every industry should be similarly astonished. If they don’t encrypt sensitive data, they risk exposing it on a massive scale—impacting customers for perhaps their lifetimes—potentially facing fines and tarnishing their brands.
Under GDPR, however, organizations might be able to avoid some breach-notification requirements if they employ encryption. For example, if data is stolen or compromised in some way but was encrypted and the keys hadn’t been stolen, the organization might not have to divulge the breach to impacted individuals.
They will have to disclose it to data-protection regulatory authorities, but their public reputation can be spared because the data was encrypted at the time of the breach [1]. These types of legal safe harbors apply to many industries, as is the case where U.S. HIPAA compliance is required.
Some organizations have declined to use encryption because of CPU overhead and having to rewrite applications. In some cases, encrypting data resulted in 100 percent CPU utilization, which sometimes rendered systems unresponsive. Although that number has dropped in many cases, 25 to 30 percent utilization can still dramatically impact other processing.
Because of this, many organizations are cautious about what to encrypt and where. Some cover the obvious (e.g., credit card and healthcare data) but leave other information (e.g., names and addresses) in the clear and easily accessible to internal and external actors. Even once they decide what to encrypt, they might not know where to encrypt it. And this doesn't account for data they hold in third-party cloud services.
No Guesswork
The IBM z14 platform addresses this issue by employing pervasive encryption using on-chip cryptographic acceleration, with a 4x increase in silicon dedicated to cryptographic algorithms and, according to Compert, a net result that's 4x to 7x faster than the previous generation with minimal overhead. Compared with x86, the IBM z14 is 18x faster at 5 percent of the cost [2].
“That’s groundbreaking, having the ability to encrypt data in flight and at rest, reduce the cost of doing so and making it much easier to use,” Compert says. “Having transparent end-to-end encryption at rest and in-flight to the coupling facility and even a Secure Service Container is also a game changer. Making it simple to turn on and implement is even better.”
Pervasive encryption also complements additional security controls, whether that’s activity monitoring or access control, to further lock down systems so users are not only encrypting their data, but also controlling who has access to it, including from internal credential abuse and external, pilfered credential use.
Although it might not be lack of interest in encryption—but rather the costs associated with it—causing some organizations to forgo or limit its use, the GDPR is encouraging a second look at it. Just as fines, potential lawsuits and damaged brands are reason enough to deploy encryption, so is the goodwill that comes with it, as customers place increased trust in organizations that are diligently protecting their data.
Rather than separating data about EU data subjects from data about non-EU data subjects, it's easier to treat all data in the same manner, with the safeguards offered by pervasive encryption applied across the board.
Of the firms that fall under GDPR, eight in 10 expect they'll have to adapt their existing products and service offerings to comply with the regulation, anticipating that they'll have to spend upward of $5 million for product adaptation and other related expenses [3]. For some, that money might be better spent on a z14 and its pervasive encryption technology, which removes the guesswork from deciding what to encrypt and where to encrypt it, including in the cloud.
Encryption as a Utility
Although companies must address other factors when it comes to GDPR, as evidenced by the IBM Security GDPR Framework, encryption—particularly z14 pervasive encryption—is perhaps one of the most fundamental aspects to consider. And this applies not only to meeting immediate GDPR and compliance expectations, but also to those that may come up in the future.
“Anything you design should take encryption into account. It’s like when I want a drink of water. I just go over to the faucet and I turn it on. It’s a utility,” Compert says. “I think encryption should be looked at in the same way. It’s just there. It’s transparent. Why wouldn’t you want to implement it as a general, every-bit-of-data default? In fact, we need to change the discussion from why you should use encryption to why wouldn’t you use encryption.”
Footnotes
1. GDPR Article 34.3(a) ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
2. Solitaire Interglobal Ltd. “Pervasive Encryption, A New Paradigm for Protection” ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZSL03452USEN&
3. The International Association of Privacy Professionals (IAPP) “IAPP-EY Annual Privacy Governance Report 2017” iapp.org/media/pdf/resource_center/IAPP-EY-Governance-Report-2017.pdf