Refining Your GDPR Strategy – Addressing User Data

The European Union’s General Data Protection Regulation (GDPR) deadline for implementation has come and gone. Many organizations have achieved a basic level of compliance, so now is the time to dig deeper, tie up loose ends and try to simplify the process. It is also a time for organizations not directly impacted by GDPR to tighten up their data security and protection practices. Organizations around the world need to realize that GDPR was just the initial warning shot and concepts like data privacy are more critical than ever.

**This is a reprint of a blog published by Storage Switzerland on July 24, 2018. Join us for our upcoming live webinar “How to Design a Compliant and GDPR Ready Collaboration System” on July 26th at 11:30 am ET / 8:30 am PT.**

An area to pay attention to is user data. These are files that users within an organization create and share with both internal employees and external business partners. The protection, management, and compliance of user data are among the more overlooked topics in the organization, yet user data is also one of the data sets most susceptible to a breach.

A major weakness is how users share their data with external sources. IT, today, has very little control over how users share data and even less oversight as to when they share data. When sharing data, most users today still use consumer-grade cloud-based file sync and share services. These services provide IT with almost no control over with whom and for how long that data is shared.

Enterprise File Sync and Share May Not Be Enough

The immediate answer to a file sharing problem is to move the organization to enterprise file sync and share (EFSS). These solutions do provide IT with oversight and control over how files are shared and by whom. The problem is that most providers of these solutions did not design them with compliance in mind. They may encrypt data at rest and in-flight, but compliance with GDPR and the more stringent regulations to come requires more than encryption.

First, a compliant EFSS solution requires identity management. It should integrate with Active Directory, LDAP, and SAML for single secure sign-on. Second, the EFSS solution needs to cover more than just one data store. It needs to provide time expiration of shares, password protection, and download restrictions across all corporate data storage. It also needs to provide geolocation restrictions.

Third, the EFSS solution shouldn’t burden IT. For example, IT can’t be expected to predict every possible reason for sharing or not sharing a file. Instead, the solution should provide sharing policies where users are required to outline why they created a shared link. IT then reviews the sharing justification. Additionally, the solution needs to provide full file event auditing to track file access by date and time as well as by whom and why. File auditing also allows an organization to prove file deletion in response to a right to be forgotten request.
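The share controls listed above (a required justification, time expiration, password protection, download and geolocation restrictions, and an audit trail of who, when and why) are sketched below as an added example. It is not code from any EFSS product, and every name in it (`create_link`, `access`, `AUDIT`) is hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import os

AUDIT = []  # file-event trail: what happened, to which file, by whom, when, why

@dataclass
class ShareLink:
    path: str
    owner: str
    justification: str      # reviewed by IT after the fact
    expires_at: datetime
    countries: frozenset    # countries the link may be opened from
    max_downloads: int
    salt: bytes
    pw_hash: bytes
    downloads: int = 0

def _kdf(password, salt):
    # Store a salted, slow hash of the link password, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _audit(event, link, who, when, detail):
    AUDIT.append({"event": event, "path": link.path, "who": who,
                  "when": when.isoformat(), "detail": detail})

def create_link(path, owner, justification, password, ttl, countries,
                max_downloads, now):
    if not justification.strip():
        raise ValueError("a sharing justification is required")
    if not password or ttl <= timedelta(0):
        raise ValueError("links must be password protected and time limited")
    salt = os.urandom(16)
    link = ShareLink(path, owner, justification, now + ttl,
                     frozenset(countries), max_downloads, salt,
                     _kdf(password, salt))
    _audit("share_created", link, owner, now, justification)
    return link

def access(link, who, password, country, now):
    # Every attempt is audited, including the refused ones.
    if now >= link.expires_at:
        result = "expired"
    elif country not in link.countries:
        result = "geo_blocked"
    elif link.downloads >= link.max_downloads:
        result = "download_limit"
    elif not hmac.compare_digest(_kdf(password, link.salt), link.pw_hash):
        result = "bad_password"
    else:
        link.downloads += 1
        result = "ok"
    _audit("share_access", link, who, now, result)
    return result
```
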

Finally, the EFSS solution needs to provide complete discovery of personal data. Personal data as defined by GDPR is any data that relates to an identified or identifiable natural person. Finding personal data within and across the organization is a big challenge. The EFSS solution needs to index content under its management so authorized users can search it.

StorageSwiss Take

User data is the most exposed data set in an organization, and it is also the most likely to violate regulations and corporate governance policies. Enterprise file sync and share needs to evolve beyond just simple file sharing with encryption to meet the challenge of GDPR and other upcoming data privacy laws. The answer is to manage file data as a unique data set and provide advanced capabilities like auditing and content search.

To learn more about modernizing EFSS as well as how to build a backend storage architecture to support it join us for our upcoming live webinar “How to Design a Compliant and GDPR Ready Collaboration System” on July 26th at 11:30 am ET / 8:30 am PT.

How to Implement File Sharing for GDPR Compliance

Employees are going to share files. It’s an essential part of collaboration. For any project involving more than a few people, this is likely to involve a cloud-based file sharing solution. In environments requiring GDPR compliance, that can be a problem, especially when regulations state how data can be used and where it is stored, and require that you be able to find and delete information when asked.

In EMEA, GDPR is now in effect. And in the US, one of the country’s toughest privacy regulations, the California Consumer Privacy Act of 2018, was voted into law on June 29.

New storage solutions can help you remain in compliance, but first let’s consider the problem.

GDPR Compliance Places New Demands on File Sharing

Users appreciate the simplicity of cloud-based file sharing, but this may come at the cost of IT control. In the cloud, do you know what data is being stored, how it is protected and who has access?

 


Loosely managed assets can run afoul of regulations that impose requirements to:

  • Maintain data within specific physical boundaries
  • Control use of personal data
  • Delete instances of personal data if requested (aka, “the right to be forgotten”)

When data is shared among users and further replicated across the cloud, control is lost and the potential penalties mount. From IT’s perspective, what’s just as troubling is that your ability to respond to regulatory demands may be lost. When you receive a data subject access request (DSAR), can you quickly find all instances of the information?

The right to be forgotten requires tight control. You cannot be sure of “forgetting” someone if you cannot locate every instance of their data. A single GDPR compliance lapse can cost the company many thousands of euros.

Solution: Cloud-like File Sharing and On-Prem Storage with Cloudian + SME

Cloudian now offers a simple solution: Cloudian storage plus Storage Made Easy (SME) collaboration software.

The combined solution is cloud-like file sharing software and an on-prem storage system that is under your control… and behind your firewall.

 


This combines the best of both worlds:

  • Ease-of-use: A cloud-like experience for your users makes it easy to adopt and use the service
  • Your security framework: The shared data repository receives the same protection as any other file, and the same access controls (VPN, AD, LDAP)

This lets you handle collaboration just as you would manage and monitor any other file service, with the same controls, same firewall, and your preferred data protection method.

Personal Data / Personally Identifiable Information Management

Personal data, or PII, is central to GDPR compliance and data privacy laws. Passport numbers, social security numbers, credit card numbers and similar identifiers should ideally not be shared, but we’ve seen too many instances of laptop theft resulting in the disclosure of sensitive PII.

 


The Cloudian/SME solution scans documents for PII, and takes action or sends notification as defined by your policy. Out of the box, it recognizes over 60 forms of PII, and you can add definitions to suit your needs.
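As an added illustration of policy-driven PII scanning with user-defined definitions (this is not the Cloudian/SME scanner; the patterns, the `staff_id` format, the policy table and the sample text are all constructed for the example), the sketch below validates card candidates with the Luhn checksum to cut false positives and reports only the type and offsets of each hit, so the scan report does not become another copy of the personal data.

```python
import re

def luhn_ok(candidate):
    """Payment-card checksum; rejects arbitrary 13-19 digit runs."""
    digits = re.sub(r"\D", "", candidate)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# name -> (compiled pattern, optional validator run on the matched text)
DEFINITIONS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    "us_ssn": (re.compile(
        r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    "payment_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_ok),
}

def add_definition(name, pattern, validator=None):
    """Register an organization-specific PII definition."""
    DEFINITIONS[name] = (re.compile(pattern), validator)

def scan(text):
    """Return findings as type plus offsets, ordered by position."""
    findings = []
    for name, (rx, validator) in DEFINITIONS.items():
        for m in rx.finditer(text):
            if validator is None or validator(m.group()):
                findings.append(
                    {"type": name, "start": m.start(), "end": m.end()})
    return sorted(findings, key=lambda f: f["start"])

SEVERITY = ["allow", "notify", "block_share"]   # least to most strict
POLICY = {"email": "notify", "us_ssn": "block_share",
          "payment_card": "block_share"}

def decide(findings):
    """Strictest action across all findings; unknown types notify."""
    actions = [POLICY.get(f["type"], "notify") for f in findings]
    return max(actions, key=SEVERITY.index, default="allow")

# Constructed sample document: one real-looking card (a well-known test
# number) and one 16-digit order reference that fails the checksum.
SAMPLE = ("Contact jane.doe@example.com. Card 4111 1111 1111 1111, "
          "order ref 1234567890123456, SSN 123-45-6789, badge EMP-004217.")
```
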


Shared Links Include Time Limits and Password Protection

Shared links to files can be password protected and time limited, providing an additional level of control. No more evergreen links that can be widely shared outside of your control.

Easy-to-Use

The solution is as simple to use as any cloud solution. Files can be accessed from Windows, Mac, Linux, iOS and Android platforms. You can view files/folders in Explorer/Finder, as with any storage system, and view them within the app’s own UI. The included UI adds capabilities such as viewing the physical location of the file’s storage system, an important attribute for compliance. And you can see at a glance what personal data is present.

Highly Rated Storage

Best of all, the storage repository is Cloudian Object Storage, the most highly rated object storage system on Gartner Peer Insights. This limitlessly scalable system earned the highest “recommended” level at 96% positive, and the highest rating with 4.8 out of 5 stars. With up to 14 nines data durability and integrated data protection, it’s the ideal foundation for enterprise collaboration.

 

Find out more about this solution and GDPR compliance at cloudian.com/collaboration.

Location, Location, Location

Like in the real estate market, the value of data is determined in large part by location.

You want to store data as close to its users as possible. That may be on-premises, if you have a centralized organization, or in your branch offices, retail outlets, factories or labs.

But if your applications run in the cloud, you may want your data to be in the cloud as well. And if your data is on tape, it may not be as accessible as you think.

Local compliance rules and regulations – think GDPR – may stop you from going to the cloud with at least some of your data. Regulations require that you know where your data is, and that you be able to find and delete “personal data” (and the copies and the backups) from all of your systems, as GDPR mandates that people have the “right to be forgotten.”

As long as the major cloud providers have not solved the compliance and “where is my data?” issues, you will probably need to store specific data locally, behind your own firewall. Or you may want to work with a trusted local service provider that guarantees your data will stay in your own region for compliance reasons, stored according to your organization’s requirements, rather than storing your sensitive data on an unprotected S3 server.

Whatever option you choose, the location of your data has a huge impact on cost, speed and durability. To find the best location for your data, you need to know what that data is, who will use it, and what will access it. To make an educated decision, start by understanding whether the data is hot, warm or cold.

Hot, warm and cold data

Cold data is typically old data, or data that has not been requested for a longer period. Think of most of your office files written in Word, Excel, and PowerPoint. Do they really need to be in your office and on your employees’ laptops and on back-ups? Most of your data is cold – 60-70% of the data that is stored is only read once.

This cold data consumes expensive primary storage. Tape storage or the cloud may be a better place for your archived, untouched data.

Warm data – the data you use more than once, or the data you need for research and analysis – is something else. The cloud may impose performance limitations on your data, or regulations may prohibit usage of the cloud. You should also take the transportation cost into consideration when getting data back from the cloud.

If you use applications that live in the cloud, the cloud may be the best place to store your data. But if you run your applications with your local provider or in your own data center, you will likely want your data to be there.

Hot data is used intensively: the latest report or video, production numbers, transactions, databases. This data has its own specifications (block storage) and requires performance and speed, most likely Flash or SSD technology. That is exactly why you invested in these expensive machines. But along the way you and many others have been adding less valuable data that decrease performance and increase cost.

GPS to track your data

It does not matter whether the data is hot, cold or warm: you still need to know where that data is, and protect it.

Enter object storage. Compared to traditional storage, object storage has a lot of common sense already built in. All data is encrypted, at rest and in motion. The system distributes data over several nodes, in different locations, based on your requirements. And object storage is built to store unstructured data, which is 80% of the data stored by enterprises today.

Cloudian’s object storage platform HyperStore has a “data GPS” that shows you where your data is, down to which disk it’s on, in which server, and in which rack. This “data GPS” provides a partial solution to one important part of cyber-security and data protection: knowing where your data is at all times.

So, where is your data heading?

And why should you care?

As mentioned before, GDPR requires that you “know where your data is,” which becomes tricky when you’re dealing with cloud systems whose very design encourages you not to care about exactly where your data resides. If you care that your data is on a specific server, then that server can’t be quickly and easily replaced as a commodity part. Disks die all the time, and servers are constantly upgraded to newer, faster models.

But does it really matter where in a datacenter the server is?

If the server stops being in the datacenter because it’s been stolen, yes, you do care. Because data isn’t physical, “moving” it requires copying it first, then deleting the copy you don’t need. You need some level of assurance that the deletion actually happened.

Object storage allows for hyper-converged access. Your customers, colleagues and partners can get to their data, independent of location. You can make temporary copies to any node in the network at any time, so your data is always close to the user, application or machine that needs it. But with that ability to put the data where it needs to be comes control – you always know where the data is stored physically.

Which all comes back down to control. Do you have control over where your data gets stored, who can access it, copy it, change it? In today’s world – where both data accessibility and compliance with regulation are mission-critical – location is everything.

To learn more about Cloudian HyperStore, visit the HyperStore page.

How to Prepare Your Organisation for GDPR Compliance

The EU’s General Data Protection Regulation (GDPR) was approved last year, and the enforcement date of May 25, 2018 is fast approaching. After that, organisations found to be in non-compliance will face heavy fines. With only nine months until the enforcement date, it’s important to understand the potential problem areas in your data storage architecture and how you can improve it in time to be GDPR-compliant.

 

What is the GDPR?

The GDPR was designed to harmonize data privacy laws across Europe, bolstering privacy protection for EU citizens and empowering them to better control how their data is used. The regulation introduces the ‘Rights of the Data Subjects’, which essentially states that data belongs to the individual, not the organisation. For individuals, this means that they can access their personal data that’s being stored, and can request changes or even removal. They also have the right to compensation if their rights are violated. For organisations, information must be held only as long as it’s required, and in many cases they’ll need to appoint a Data Protection Officer to ensure that personal data is not compromised.

Organisations are now facing challenges interpreting what the new regulations mean to them and understanding what they need to do to ensure compliance. Just deploying technology is not a good answer here, as organisations need to understand the data they are storing to ensure they have a legitimate reason for holding this data. It’s important to keep in mind six core principles when storing personal data. Data must be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Relevant and limited to what is necessary
  • Accurate and up to date
  • Retained for only as long as necessary
  • Processed in an appropriate manner to maintain security

The Path to GDPR Compliance

Because of the greater control individuals have over their personal data, it is the organisation’s duty to ensure that nothing happens to that data. There are two big questions you should ask yourself when assessing how compliant your organisation is with the GDPR:

1. Is the data protected?

If the personal data your organisation stores ends up compromised, the organisation will be held accountable. You must make sure your data is protected from:

  • Device failures – This includes any physical storage component, such as disk drives, storage controllers, and data centres.
  • Logical/soft failures – This refers to human errors such as accidental deletion/overwrite, as well as viruses and file data corruption. This currently accounts for up to 80% of data losses.
  • Security breaches – Data must be secure from forceful entry/hacks.

Data availability must be guaranteed not only for the security and privacy of personal data, but also in the event that individuals want to make changes to their data.

2. Can I find the data?

The second question you should ask is around data location awareness. If someone requests their personal data, would you be able to quickly locate and procure it? Not only does the data you’re storing need to be housed in GDPR-compliant systems and data centres, but the data itself needs to be searchable and well-organised. If you are not able to produce the requested data in a timely fashion, you may face fines under the new regulations.

 

Turning to Object Storage

One way you can start moving your organisation towards GDPR compliance is by looking to object storage. The inherent capabilities of object storage give you some real advantages in achieving compliance:

Customizable metadata tags: To ensure compliance, you must be able to find information. Traditional file systems only allow you to view limited metadata information on a file, such as the owner and the date created. With object storage metadata, you have no limit on how you tag your data, making it easily searchable for data requests.

Scalability: When data is consolidated, it’s much more easily searched and checked for duplicate records. The limitless capacity of object storage makes it feasible to consolidate data to a single, searchable pool.

Data protection features: Data must be available at all times. With data protection features such as erasure coding, replication, and multi-tenancy (to segregate users), you can ensure that data can still be retrieved no matter what situations arise.

Full GDPR compliance will not be an easy task, but you can start prepping your organisation for the enforcement date by making sure your data is protected, available, and searchable.