The General Data Protection Regulation (GDPR) comes into effect in May 2018 and has huge repercussions for the way global businesses address privacy and security, especially those that hold personal data on EU citizens.
There are some notable changes from the existing EU directive (95/46/ec), from the introduction of the ‘right to be forgotten’ to data breach fines and a mandatory obligation to report security incidents within just 72 hours.
Consequently, to comply fully with GDPR, organisations will need to re-evaluate their IT infrastructure as well as the processes within their IT teams. In fact, experts are advising businesses to build in data protection by design and default into any new systems: sometimes referred to as ‘privacy by design’.
Embedding data privacy
In a recent report from PwC on technology’s role in data protection, the consultancy firm says, “The GDPR delivers a fundamental change in how data controllers and data processors handle personal data. Instead of an ‘add-on’ or afterthought within business operations, protections for personal data will now have to be designed into the very fabric of data processing systems, meaning that entities will need to re-examine how they approach the use of technology in their organisations.”
The problem is that cyber-attacks are coming down the stack, from the application and operating system layers into firmware and hardware. A Ponemon Institute study on the cyber-security environment and cost to businesses found that there were 720 million hack attempts every 24 hours worldwide last year; and that it takes the average business 99 days to detect malicious code. Ponemon also reports that companies lose $9m on average each year due to cybercrime.
This is where having hardware-based security becomes essential. For example, by using ‘roots of trust’ (RoT) validation at firmware and hardware level, the enterprise can establish a safe environment for hosting the operating system, business applications, storage and their use of sensitive data, and interconnected systems.
RoT alerts the business, or prevents attacks if it detects malicious activity, or that sensitive data could be compromised. (In essence, it acts as a separate compute engine, and controls the ‘Trusted Computing Platform’ cryptographic processor on the server, PC or mobile device in which it is embedded.)
HPE has developed RoT security firmware that works hand-in-hand with its server processors, to provide a protected environment that does not rely on security software or perimeter security to detect and prevent threats. This technology is incorporated into HPE’s Gen10 servers.
Jason Shropshire, SVP and CTO of cyber-security consultancy InfusionPoints, says, “As advances have been made in operating system and platform security, attackers have really turned their attention and focus on platform firmware and embedded systems. Attackers are looking to gain persistence, and if they can’t gain a foothold on the application or operating system, because they’re too hard, they are going to look for other vectors.”
Shropshire adds that HPE’s Gen10 servers prevent system breaches by blocking them at firmware- and silicon-level, thereby significantly improving an organisation’s data protection.
“We believe this technology will really raise the bar in the industry: for being able to validate the integrity of the platform firmware,” he comments.
Follow this link for more information on HPE Gen10 servers.