The recently enacted European General Data Protection Regulation is focused on the individual, wanting to ensure their personal information is protected at the highest levels. What it actually translates into is yet another cluster of regulations to force companies to pay more attention to their cybersecurity.
What mainly sets GDPR apart from other standard regulations are the costs. The most severe penalties for the loss of personal information can be as high as 4% of worldwide turnover or 20 million Euros, whichever is higher. For any company, that will have an enormous impact on the bottom line.
GDPR spreads the burden across more organizations in the data security chain. Not only is the company “owning” the data liable in case of a breach, but the data processors, such as cloud providers, can also be held liable in a data breach. The addition of processor liability may have a significant impact on pricing as well as what is and what is not included in the shared responsibility model of the cloud providers.
So, how does this affect your databases? Those who want to downplay it say it depends on what line of business you’re in. However, that is not the case. Your employees’ personal information also must be protected at the highest levels.
The definition of personal data in GDPR is quite broad – an online identifier such as an IP address can be considered personal data. Even key-coded pseudonymized data can be considered personal if it can be traced back to the individual within your system.
As with any security implementation, organizations need to be able to find/identify the personal information, classify it, understand where it commonly resides as well as its value, and most importantly – who has access.
On a practical level, GDPR affects your database security in several ways.
Standard database security: You need to ensure that your database is protected against threats such as old-fashioned SQL injection, which is still the most common way to breach database security.
Sensitive data discovery: You cannot protect what you cannot find.
Data masking: You need to be able to protect data selectively. For example, customer service personnel need to see columns that developers shouldn’t, while billing and accounts receivable need to see a third and fourth variation of the same database.
Database activity monitoring: You need to ensure that only authorized individuals are accessing the database. Separation of duties is critical here, too, as administrators need to be able to manage the databases without being able to see inside.
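One way to implement the selective masking and separation of duties described above, as an added illustration in PostgreSQL SQL (this is not HexaTier's product and not code from the original post); the table, column and role names are assumed:

```sql
-- Assumed schema: a customers table holding personal data in GDPR scope.
CREATE TABLE customers (
    id          serial PRIMARY KEY,
    full_name   text NOT NULL,
    email       text NOT NULL,
    ip_address  inet,             -- an online identifier counts as personal data
    card_last4  char(4),
    balance_due numeric(12,2)
);

-- One group role per business function; people log in via membership, not these.
CREATE ROLE customer_service NOLOGIN;
CREATE ROLE billing          NOLOGIN;
CREATE ROLE developer        NOLOGIN;
CREATE ROLE db_admin         NOLOGIN;

-- Default deny: nothing is visible until explicitly granted below.
REVOKE ALL ON customers FROM PUBLIC;

-- Customer service sees contact details but no payment or network data.
GRANT SELECT (id, full_name, email) ON customers TO customer_service;

-- Billing / accounts receivable sees a different slice of the same table.
GRANT SELECT (id, full_name, card_last4, balance_due) ON customers TO billing;

-- Developers only ever see a pseudonymised view, never the base table.
-- The view runs with its owner's privileges, so developer needs no base access.
CREATE VIEW customers_masked AS
SELECT id,
       'user_' || id::text                        AS full_name,  -- key-coded pseudonym
       regexp_replace(email, '^.*@', '***@')      AS email,      -- keep the domain only
       network(set_masklen(ip_address, 24))       AS ip_address, -- truncate to /24
       NULL::char(4)                              AS card_last4,
       balance_due
FROM customers;
GRANT SELECT ON customers_masked TO developer;

-- Separation of duties: the administrator may manage the object (constraints,
-- triggers) but holds no SELECT/INSERT/UPDATE/DELETE on the rows. This only
-- holds if db_admin is neither the table owner nor a superuser.
GRANT TRIGGER, REFERENCES ON customers TO db_admin;
```

Grant checks can be verified per role with SET ROLE followed by a SELECT on the columns in question; a permission error on the unlisted columns is the expected result.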
Having HexaTier’s Reverse Proxy technology on every single database on the cloud and off is one quick way to accelerate your compliance with GDPR.