Inside Track: Data Protection – understanding and insight

20 March 2018

Protected and managed

“A key challenge is to find the data, then index it. Subsequently it is important to find out if the data should be kept, if not delete it! The next thing is to manage who should and who should not access it”

Michael Conway, director, Renaissance

Data security and compliance have become key elements of running any organisation and, as such, data must be protected and managed. As we get further into 2018, the challenge doesn’t get easier, but the message gets clearer. There are also obligations to data which extend beyond the normal protection of the asset, but these obligations include the provisions of GDPR. The new regulation is seen by some as being onerous, but in reality, because many organisations didn’t take enough care, these regulations are being put in place. If appropriate care and attention has been paid to the management and security of data, then they are not that onerous.

The challenge is that perimeters are not clear and access to data is required by all, in order to ensure that an organisation is run effectively.

A key challenge is to find the data, then index it. Subsequently it is important to find out if the data should be kept, if not delete it! The next thing is to manage who should and who should not access it.

To do this effectively, the appropriate tools need to be implemented to find the data, index it, protect access, and then ultimately manage and protect its integrity, confidentiality and availability. This is a wake-up call but should be treated not as a crisis but as an opportunity to do things properly and correctly. Like eating an elephant, it won’t always be easy, but you have to start somewhere and ignoring the issue will only make it worse.

Advice is to start and implement the solutions that will help you. Renaissance distributes a full range of enabling technologies. The important thing is to take the proper advice and implement the practices and policies that are appropriate, and don’t be the ostrich!

Timely restoration

“GDPR explicitly requests the adoption of a solution to guarantee the protection of personal data against both physical and technical incidents, for example ransomware attacks”

John Casey, group sales director, Trilogy Technologies

The GDPR, with its high-level data security suggestions, leaves room for interpretation when it comes to implementing security controls to fulfil requirements. But in article 32 of the GDPR, it is quite explicit in that it recommends all organisations adopt data protection controls and the ability for data to be restored “in a timely manner”.

Whilst the regulation doesn’t specifically name the solutions, it does explicitly request the adoption of a solution to guarantee the protection of personal data against both physical and technical incidents (for example ransomware attacks). It’s also clear that both data and back-up should be encrypted, the restore and recovery processes regularly tested, and the solutions should provide clear terms with regards to Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

The obvious interpretation of this in terms of actual named solutions is back-up and disaster recovery services.

Trilogy provides both of these in an “as a Service” format. This means that they are designed, tested and managed by Trilogy. In terms of back-up, you decide how many copies you need and their location (there should always be one offline copy).

In terms of disaster recovery, you decide how long your business can function without key data and applications and we create a customised solution based on that time. Trilogy uses the cloud or a second physical location to act as the target site for replication and recovery of your company’s critical data and applications based on a real-time recovery point.

An infrastructure security audit can also help you with GDPR compliance, as it evaluates the security of a company’s information system by measuring how well it conforms to a set of established criteria. Basically, it helps determine where any security gaps might be before they become an issue. Prevention is always better than cure!

Using these services from Trilogy protects your data with fast, flexible and resilient, cloud-based data backup and disaster recovery services and has you covered for GDPR’s article 32.
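
Whether a backup arrangement actually meets the RPO and RTO terms, the offline-copy rule and the encryption expectation discussed in this section can be checked from the backup run and restore test records an organisation already keeps. The Python script below is an added example written for this article; it is not code from Trilogy or from any product. The record layout, the targets and the sample runs are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records, not real backup data. Field names (location,
# offline, encrypted, completed_at, ...) are assumptions for this example.


@dataclass(frozen=True)
class BackupCopy:
    location: str    # where the copy lives, e.g. a second site or tape
    offline: bool    # not reachable from the production network
    encrypted: bool  # encrypted at rest


@dataclass(frozen=True)
class BackupRun:
    completed_at: datetime
    copies: tuple    # BackupCopy instances produced by this run


@dataclass(frozen=True)
class RestoreTest:
    started_at: datetime
    finished_at: datetime
    succeeded: bool


def worst_case_rpo(runs, now):
    """Most data (measured in time) that could be lost: the largest gap between
    consecutive successful runs, or between the last run and now."""
    times = sorted(r.completed_at for r in runs)
    if not times:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])] + [now - times[-1]]
    return max(gaps)


def measured_rto(tests):
    """Longest duration of a successful restore test, or None if none succeeded.
    An untested restore gives no evidence for the RTO at all."""
    durations = [t.finished_at - t.started_at for t in tests if t.succeeded]
    return max(durations) if durations else None


def assess(runs, tests, now, rpo_target, rto_target):
    """Return a list of findings; an empty list means the evidence meets the targets."""
    findings = []
    rpo = worst_case_rpo(runs, now)
    if rpo is None or rpo > rpo_target:
        findings.append(f"RPO: worst-case gap {rpo} exceeds target {rpo_target}")
    rto = measured_rto(tests)
    if rto is None:
        findings.append("RTO: no successful restore test on record")
    elif rto > rto_target:
        findings.append(f"RTO: measured restore {rto} exceeds target {rto_target}")
    if runs:
        latest = max(runs, key=lambda r: r.completed_at)
        if not any(c.offline for c in latest.copies):
            findings.append("Copies: latest run has no offline copy")
        clear = [c.location for c in latest.copies if not c.encrypted]
        if clear:
            findings.append(f"Copies: unencrypted copies at {clear}")
    return findings


# Constructed scenario: nightly runs with one missed night, a single restore
# test, and a tape copy that is offline but not encrypted.
NOW = datetime(2018, 3, 20, 9, 0)
COPIES = (BackupCopy("primary-dc", offline=False, encrypted=True),
          BackupCopy("offline-tape", offline=True, encrypted=False))
SAMPLE_RUNS = [BackupRun(datetime(2018, 3, 16, 2, 0), COPIES),
               BackupRun(datetime(2018, 3, 17, 2, 0), COPIES),
               BackupRun(datetime(2018, 3, 19, 2, 0), COPIES)]
SAMPLE_TESTS = [RestoreTest(datetime(2018, 3, 18, 10, 0),
                            datetime(2018, 3, 18, 13, 0), succeeded=True)]


def sample_assessment():
    return assess(SAMPLE_RUNS, SAMPLE_TESTS, NOW,
                  rpo_target=timedelta(hours=24), rto_target=timedelta(hours=4))


if __name__ == "__main__":
    for line in sample_assessment():
        print(line)
```

The check deliberately uses the worst gap rather than the average: a missed night means the achievable RPO for that period was two days regardless of how regular the other runs were, and a restore that has never been exercised provides no evidence for the RTO at all.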


Common sense ideas

“GDPR is an opportunity to ensure that you have the fundamental security and protection mechanisms in place around your data”

Kevin Stanford, solutions architect, Asystec

The deadline for GDPR is fast approaching and while some companies are completely prepared for this new regulation, there are others still in the very early stages.

It’s a very complex set of regulations, but it is not something that organisations need fear; it is more about applying common sense data security ideas. Things like privacy by design are now not only good practice, as they will now become the law.

Our advice would be to approach GDPR as an opportunity to ensure that you have the fundamental security and protection mechanisms in place around your data.

Consider this GDPR fact: only 4% of GDPR rules relate to IT scope, meaning most of the regulation refers to data management, people and processes. In saying that, we can make use of software to help in this regard.

Implementing data lifecycle policies so that you only retain the exact data you need and for the required duration helps with the daily management of your data and can provide an economic win as you tier your datasets accordingly. Dell EMC has a full portfolio of storage platforms for each tier and data encryption at rest can be enabled across all platforms including back-up targets.

The Dell EMC Data Protection Suite Family provides comprehensive, industry-leading data protection to enterprise organisations of any size, protecting data using technology from replication to snapshot to backup and archive. However, it’s not just about protection; it’s also about being able to find data, and the inbuilt DPS Search includes search capabilities so you can find data quickly and efficiently.

Solutions such as Dell EMC Isolated Recovery can help you isolate in the event of a security breach because, as we are all aware, it is about containment rather than elimination when it comes to security. The comprehensive and flexible search options provided by the Varonis Suite allow you to find and lock down access to personal information with considerable precision.

The GDPR answer is not about throwing software tools at the problem, but about unifying your practices, policies and technologies so you have interconnected visibility and are better able to manage risk. Asystec can help you on your GDPR journey.

Revalidate and enhance

“Unstructured data, in its many forms such as mail, documents, records, images, metadata, presents a different challenge in discovering, monitoring, and protecting PII”

Colm Humphreys, IBM Software business leader, Triangle

It has been well publicised that many of the GDPR requirements will already be in hand in organisations which adopt best practice policies in data management and protection. All organisations seeking to ensure GDPR compliance will revalidate and enhance their existing policies and processes. The primary data discovery and mapping task of establishing the existence and location of Personally Identifiable Information (PII) within an organisation is a prerequisite to other exercises which ensure that the data is being managed, used and protected in compliance with GDPR.

Structured and unstructured data present different challenges. Structured data is mainly stored in databases and file systems. Typically, organisations will have a higher level of control of structured data. IBM InfoSphere Information Analyser delivers automated capabilities that offer greater accuracy and reliability than manual analysis. It enables organisations to identify all instances of confidential data across their structured environment, whether clearly visible or obscured from view. It works by examining data across multiple sources to determine the complex rules and transformations that may hide PII content. It can locate confidential data items that are contained within larger fields or that are separated across multiple fields.

Unstructured data, in its many forms such as mail, documents, records, images, metadata, presents a different challenge in discovering, monitoring, and protecting PII. The IBM StoredIQ Suite is designed to help organisations discover, analyse and act on relevant unstructured data. It offers a holistic solution for addressing data management challenges relating to records management, e-discovery, compliance and storage optimisation. StoredIQ Suite has GDPR specific data discovery capability (Cartridges) that provides a powerful data assessment solution for recognising potential PII in unstructured content.

In addition, IBM includes the GDPR Template with all of the above products. This collection of GDPR-related Intellectual Property and quick start GDPR modules for the software mentioned above provides customers with a great head-start in addressing GDPR; including pre-built dashboards, best practice documentation and business process flows.

The IBM software offerings referenced above enable the data discovery and mapping phase of GDPR. There are a number of other IBM Software offerings such as Information Governance Catalogue, Optim, Case Manager and Guardium which address other aspects of GDPR compliance.
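
The discovery problem this section describes for structured data has two awkward cases: PII embedded inside a larger free-text field, and a single value split across two columns so that neither column matches on its own. The Python script below is an added example written for this article of how such a scan can be expressed; it is not code from IBM InfoSphere Information Analyser, StoredIQ or Triangle. The column names, sample rows and the two patterns are constructed assumptions, and the PPS pattern is a format check only (7 digits then 1 or 2 letters), not a validity check.

```python
import re

# Patterns for the PII kinds this example recognises. The PPS pattern follows
# the published Irish PPS number format (7 digits then 1 or 2 letters); it
# checks the format only, not validity.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "pps": re.compile(r"\b\d{7}[A-Z]{1,2}\b"),
}


def find_in_field(value):
    """PII kinds found anywhere inside one field, including free text."""
    return [kind for kind, rx in PATTERNS.items() if rx.search(str(value))]


def find_split(left, right):
    """PII kinds that appear only when two adjacent fields are joined,
    i.e. a value that was stored across two columns."""
    joined = f"{left}{right}"
    return [kind for kind, rx in PATTERNS.items()
            if rx.fullmatch(joined)
            and not rx.search(str(left)) and not rx.search(str(right))]


def scan_rows(rows, columns, id_column="id"):
    """Return (row id, column or column pair, kind) for every hit."""
    findings = []
    for row in rows:
        rid = row[id_column]
        for col in columns:
            for kind in find_in_field(row.get(col, "")):
                findings.append((rid, col, kind))
        for a, b in zip(columns, columns[1:]):
            for kind in find_split(row.get(a, ""), row.get(b, "")):
                findings.append((rid, f"{a}+{b}", kind))
    return findings


def column_profile(findings, row_count):
    """Fraction of rows in which each column (or column pair) held PII,
    a first cut at deciding which columns need protection."""
    counts = {}
    for _, col, _ in findings:
        counts[col] = counts.get(col, 0) + 1
    return {col: n / row_count for col, n in counts.items()}


# Constructed sample rows (not real data): PII embedded in a notes field,
# in a dedicated column, and split across two reference columns.
SAMPLE_ROWS = [
    {"id": "1", "notes": "Customer called re invoice; PPS 1234567TA on file",
     "email": "j.doe@example.com", "ref_a": "7654321", "ref_b": "W"},
    {"id": "2", "notes": "No issues", "email": "n/a",
     "ref_a": "1122334", "ref_b": "QX"},
    {"id": "3", "notes": "Sent letter to a.smith@example.org",
     "email": "", "ref_a": "", "ref_b": ""},
]
COLUMNS = ["notes", "email", "ref_a", "ref_b"]


def sample_scan():
    findings = scan_rows(SAMPLE_ROWS, COLUMNS)
    return findings, column_profile(findings, len(SAMPLE_ROWS))


if __name__ == "__main__":
    hits, profile = sample_scan()
    for hit in hits:
        print(hit)
    print(profile)
```

The split-field check only reports a hit when the joined value matches and neither half matches alone, so a column that already holds a complete e-mail address is not reported a second time when it happens to be followed by a numeric column. The column profile is what turns individual hits into a decision about which columns (or column pairs) carry PII and therefore need access control or encryption.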


Powerful devices

“Modern MFPs have evolved into powerful tools which, just like PCs and servers have operating systems, huge hard disk drives, and connect to the network and internet services. They are shared by users to process vast numbers of business-critical documents daily”

Quentyn Taylor, director of information security, Canon Europe

Today’s businesses greatly rely on information, creating complex networks of connected technology, processes, and organisations across national boundaries – which is why the upcoming GDPR legislation, and other cybersecurity legislation such as the NIS directive, is so important.

Securing data in this intricate and complex world is increasingly challenging, and most businesses now invest in technologies such as firewalls, anti-virus protection and other security software. These are all important and useful tools for supporting compliance; however, companies can fail to recognise the need to extend that protection to their office printers, leaving themselves more vulnerable than they realise.

Modern multifunctional printers (MFPs) have evolved into powerful tools which, just like PCs and servers have operating systems, huge hard disk drives, and connect to the network and internet services. They are shared by users to process vast numbers of business-critical documents daily. Some readily available tools/processes to ensure data compliance include:

  • End-to-end print data stream encryption
  • Extending Data Loss Prevention to include documents; ensuring your DLP approach extends to unstructured content
  • Investing in software that adds a barcode to your printed documents that enables you to trace who produced them, where and when
  • Automatically storing scan data to and from document management systems

For many companies, information security starts and ends with structured data; the type that resides on systems of record like ERP and financial systems. In the office, there are many more back-door areas to consider, such as unencrypted print data. Data from a printer hard-drive could potentially contain years of passport, ID scans or payslip print data for employees as well as discarded sensitive documents found in print output trays or waste paper bins. Ensuring you have tools equipped to protect print data and a partner that understands your risk is essential and strongly supports a successful compliance programme.

Assessment tools

“We also offer easy-to-use templates and checklists to help with their initial planning — once you know all the variables required to complete a project successfully, it does make that first step a little bit easier”

Anna Browne, commercial director, Dataconversion

Irrespective of GDPR, data protection tools and processes (such as regular back-ups, secure encryption, secure transfer, up-to-date antivirus software and regular destruction of obsolete data) have always been a must for Dataconversion, and for any other reputable company handling data.

With regards to GDPR, while these types of data protection tools are a pre-requisite, on their own they won’t ensure a company’s compliance. That’s why we’ve developed the relevant tools that allow our clients to identify and map the various data sources within their companies. This enables them to have one view of what types of data they’re holding, why they’re holding them, how long they need to hold them for and that they’re held securely.

In addition to this, we challenge our clients to work towards a culture of data protection within their companies. This has always been a core value for Dataconversion and by instilling the importance of the same with our colleagues, it helps us mitigate some of the risk associated with data protection breaches.

I think the current issue for a lot of companies though, is to overcome the daunting feeling of the enormity of the compliance challenge ahead. The first step is sometimes the hardest, but there are plenty of tools and products to help with the initial planning stages.

This month alone, we’ve seen companies like Microsoft, as well as Dataconversion, releasing free-to-use assessment tools so that companies can gauge what stage they’ve reached on the compliance journey. We also offer our clients easy-to-use templates and checklists to help with their initial planning — once you know all the variables required to complete a project successfully, it does make that first step a little bit easier.

At the end of the day, if you’ve got robust data protection tools in place, that’s a lot of compliance boxes ticked. There will still be a lot of ground to cover in order to be compliant by 25th May, but it’s not insurmountable and we’re here to help.


Different era

“To get your back-up and archiving systems GDPR compliant, make sure you have clearly written procedures for each part of your back-up and archive process”

Lorcan Cunningham, CTO, Savenet Solutions

In our areas of expertise, back-up, DR, archiving and file sharing/collaboration solutions, many of the products currently in use are not able to deliver the control features that GDPR requires. They were designed in a different era with a purely technical function in mind. GDPR means you have to re-look at what technology and processes you have in place. In some cases, the products you’re using are fine, once they have new processes integrated into them.

The fact is, however, that most companies are facing the need to change their back-up and archiving systems to meet GDPR requirements.

For back-up and archiving, the main points to consider are:

  • Are you managing back-ups and archives yourself or using a third-party processor like Savenet?
  • What processes are documented?
  • What technologies are you using?
  • Where is the data stored?
  • If you have a large tape archive… is the data still readable?
  • When was the last time you tested any of your archive tapes?

To get your back-up and archiving systems GDPR compliant, make sure you have clearly written procedures for each part of your back-up and archive process. You also need to have the capability of retrieving and presenting in a usable format all the data you are backing up, or archiving. You must be able to run detailed searches of your backup or archives, for specific people or topics. You must have the capability of deleting data no longer necessary to back up or archive – and the ability to prove you have deleted it.

Finally, you need to be able to demonstrate to an auditor that you have taken all reasonable steps to archive only the data you needed to archive.

If you’re not able to do any of these, then you need to buy new data protection products!

No silver bullet

“First and foremost, a GDPR assessment is vital. This involves a privacy risk assessment whereby we assess a company’s readiness for adhering to the legislation and determine how shortcomings can be addressed”

Tadhg Cashman, services director, Logicalis

GDPR is very much a business level challenge more than an IT challenge. It’s about ensuring that the right people, policies, processes and technology solutions are combining seamlessly together to guarantee there is proper data protection built into the procedures and systems through which organisations manage the data sets they retain to run their businesses.

From a Logicalis perspective, there is no one silver bullet to protect the personal data that an organisation holds. However, we are working with customers in terms of building Privacy by Design into their business processes, applications and infrastructure. This is to enable them to analyse, protect, manage, encrypt and access their datasets, both structured and unstructured.

First and foremost, a GDPR assessment is vital. This involves a privacy risk assessment whereby we assess a company’s readiness for adhering to the legislation and determine how shortcomings can be addressed.

We also provide a range of security infrastructure solutions which increase our customers’ security posture. This includes the latest data storage platforms, next generation firewalls, access management systems and security software solutions. Furthermore, our managed security solutions incorporate everything from threat and vulnerability assessment, to security incident and event management.

Our suite of data protection services, including Backup-As-A-Service and Disaster Recovery-As-A-Service solutions, also helps to address the ability of customers to meet legislative guidelines. As well as the encryption of back-ups and datasets, which is one of the key mechanisms to help protect content containing personal data, we support the capability to more easily meet the requirements of subject access and right to erasure requests. Our Backup-As-A-Service solution provides both data encryption in transit and at rest for our customers’ back-ups.


Collection precedence

“A common way to ensure that hardware is decommissioned properly is through the process of degaussing. Destroying a hard drive can be done by drilling holes in the disk or hitting it with a hammer, but these techniques are dangerous and don’t actually erase the data”

Brian Montgomery, technical director, Datarch

A major problem is that companies are not prepared to dispose of data in the same careful manner that they carefully harvested it. An excellent example of this is a predicted mad scramble by companies to comply with the European Union’s General Data Protection Regulation (GDPR) before it takes effect on 25 May, 2018.

A common way to ensure that hardware is decommissioned properly is through the process of degaussing. Destroying a hard drive can be done by drilling holes in the disk or hitting it with a hammer, but these techniques are dangerous and don’t actually erase the data. Instead, they leave an enticing trail of breadcrumbs for people that can retrieve data when they (almost inevitably) end up in a landfill or are “recycled” by specialist third-party data disposal experts.

A hard drive degausser, on the other hand, uses magnetic force to erase the data held on that drive. This process ensures that not only is the data forensically unrecoverable by third parties but the hard drive itself will not boot up. In addition, companies that need to follow certain security standards can be confident that the process of degaussing will be compliant with data protection rules set by, for example, the NSA. As a leading manufacturer of hard drive degaussers, Proton Data Security has NSA-listed models that can help companies with data sanitisation, without the need to outsource the process.

As an added precaution, Datarch recommend that degaussing is followed by actual hard drive or disk destruction. This can be achieved by introducing a Proton hard drive destroyer or shredder into the mix. Not only do these machines provide an extra layer of data security, they are powerful enough to reduce a hard drive to tiny pieces of electronic waste that can be disposed of at a later date.


Data platform approach

“Processes such as back-up, that touch all of your data, need to cope with more than just the availability element of GDPR”

Aaron Kinsella, country manager Ireland, Commvault

GDPR is an all-encompassing topic in IT, because personal data, the type pertinent to GDPR, can crop up almost anywhere. So processes such as back-up, that touch ALL of your data, need to cope with more than just the availability element of GDPR.

Commvault has long pioneered a data platform approach, by re-using backups for many other use-cases and by combining it with other important data management functions. This increases both the value of back-up and recovery systems to the business, and provides a high degree of economic benefit through consolidation.

The very same servers and storage Commvault utilises for back-up, can also provide archive facilities, as well as compliance functionality when combined with the Commvault content index features. A content index and the ability to profile data is particularly useful for GDPR. Firstly, you can automate policies based on content, reducing the management burden, and you can also understand if data is redundant (and delete it) or in need of better security. The search and profiling tools cut down on the burden of finding data for ‘forget me’ or data transfer requests, and assist with data breaches (both for prevention and after the fact).

Having a secure, role-based back-up system, with audit and end-to-end encryption is table stakes for GDPR. If multiple backup systems are deployed across on-premises, cloud, and endpoints (with potential further division on legacy systems versus modern), it becomes almost impossible to set common policies in these areas. It becomes difficult to provide the ongoing dashboards and reporting needed to demonstrate compliance, which is simple to do if a platform approach is taken.

Finally, back-up systems with role-based access and controls can prove useful to boost the security of dev and test processes, both on-premise and by making cloud dev and test just as easy and secure.
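
The Savenet section earlier (search backups and archives for specific people, delete data that is no longer necessary, prove that it was deleted, and show an auditor that only needed data was retained) and the content-index points in this Commvault section come down to the same handful of operations on a backup catalogue. The Python script below is an added example written for this article, not code from Savenet, Commvault or any product; the catalogue layout, the retention periods and the sample entries are constructed assumptions. It records each deletion in a hash-chained erasure log so that a later edit to, or removal from, the log is detectable.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample catalogue (not real backup data). In practice this would
# be the backup product's own index; the field names here are assumptions.
CATALOG = [
    {"item": "mail/2017/0001", "subject": "j.doe@example.com",
     "dataset": "mailboxes", "backed_up": "2017-01-10"},
    {"item": "hr/payslips/2016-03", "subject": "j.doe@example.com",
     "dataset": "hr", "backed_up": "2016-03-31"},
    {"item": "crm/export-2018-02", "subject": "a.smith@example.org",
     "dataset": "crm", "backed_up": "2018-02-01"},
    {"item": "mail/2017/0412", "subject": "a.smith@example.org",
     "dataset": "mailboxes", "backed_up": "2017-11-05"},
]

# Assumed retention periods per dataset, in days.
RETENTION_DAYS = {"mailboxes": 365, "hr": 365 * 7, "crm": 730}

GENESIS = "0" * 64  # prev-hash carried by the first erasure record


def search(catalog, subject):
    """Every catalogued item that relates to one data subject."""
    return [e for e in catalog if e["subject"].lower() == subject.lower()]


def expired(catalog, now):
    """Items held longer than their dataset's retention period."""
    out = []
    for e in catalog:
        age = now - datetime.strptime(e["backed_up"], "%Y-%m-%d")
        if age > timedelta(days=RETENTION_DAYS[e["dataset"]]):
            out.append(e)
    return out


def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def erase(catalog, entries, reason, log, now):
    """Drop entries from the catalogue and append one hash-chained record per
    entry to the erasure log. Returns (remaining catalogue, extended log)."""
    remaining = [e for e in catalog if e not in entries]
    new_log = list(log)
    prev = new_log[-1]["hash"] if new_log else GENESIS
    for e in entries:
        rec = {"item": e["item"], "subject": e["subject"], "dataset": e["dataset"],
               "reason": reason, "at": now.isoformat(), "prev": prev}
        rec["hash"] = _digest(rec)  # hash covers every field, including prev
        new_log.append(rec)
        prev = rec["hash"]
    return remaining, new_log


def verify_log(log):
    """True if every record's hash is intact and each links to the previous one."""
    prev = GENESIS
    for rec in log:
        fields = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or _digest(fields) != rec.get("hash"):
            return False
        prev = rec["hash"]
    return True


NOW = datetime(2018, 3, 20)  # constructed "today" for the example


def handle_erasure_request(subject):
    """Run the whole flow for one data subject; returns (remaining, log)."""
    hits = search(CATALOG, subject)
    return erase(CATALOG, hits, "right to erasure request", [], NOW)


if __name__ == "__main__":
    print("expired:", [e["item"] for e in expired(CATALOG, NOW)])
    remaining, log = handle_erasure_request("j.doe@example.com")
    print("remaining:", [e["item"] for e in remaining])
    print("erasure log verifies:", verify_log(log))
```

verify_log recomputes each record's hash from its own fields and checks that the prev link equals the previous record's hash, so changing a reason, back-dating a timestamp or dropping a record breaks the chain. Removing an entry from the catalogue is only the index side of deletion; the backup data itself still has to be purged from the media, and in practice the log would be written to append-only storage kept apart from the backup system so that the same administrator cannot alter both.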


TechCentral.ie