GDPR and application security: Why a holistic view is key

As unsettling as the European Union's General Data Protection Regulation is for businesses around the world, it can be a blessing, too, because it will force many to take a more holistic view of application security.

The GDPR is a refresh of Europe's data-protection laws that harmonizes statutes across the 28 EU member states. Becoming effective on May 25, it replaces legislation that dates to 1995, before the dot-com boom and prior to the birth of Facebook, Google, Twitter, and cloud computing.

Much as PCI is designed as a framework of security controls for the credit card industry, the GDPR is designed to protect citizens' personal data. But rather than an industry-developed standard, the GDPR is a law that will apply to any organization doing business in the EU or with EU-based customers.

A major driver behind the GDPR is the principle that data related specifically to a person belongs to that person, not to the organization creating, possessing, or processing it. As a custodian of EU citizens' personal data, the organization is responsible for protecting the data under the framework laid out in the GDPR.

If an organization is going to retain personal data about EU citizens, the GDPR recommends reducing the risk of holding that data. This is where pseudonymization and encryption come into play. Think of this as a way of de-identifying, or neutralizing, the data: you can still get meaning from it, but because the stored data no longer identifies anyone on its own, a breach of it no longer carries the same costs.
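As an added example (not code from the article), here is what pseudonymizing a telecom-style call record looks like in Go: the subscriber identifier is replaced with a keyed HMAC so records can still be counted and joined, and a review check shows why an unkeyed hash would not qualify. The key value, record layout and e-mail addresses are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Pseudonymize replaces a direct identifier with its HMAC-SHA256 tag under a
// key kept outside the data lake: equal inputs give equal tags, so records
// can still be counted and joined, but the tags alone reveal no identifier.
func Pseudonymize(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// CallRecord is a constructed telecom-style record; Subscriber is the direct
// identifier, the other fields are what network analytics actually need.
type CallRecord struct {
	Subscriber, Cell string
	Seconds          int
}

// SecondsPerSubscriber aggregates over pseudonyms; the business answer survives de-identification.
func SecondsPerSubscriber(key []byte, recs []CallRecord) map[string]int {
	totals := make(map[string]int)
	for _, r := range recs {
		totals[Pseudonymize(key, r.Subscriber)] += r.Seconds
	}
	return totals
}

// ReversibleByDictionary is the review check showing why an unkeyed hash is
// not pseudonymization: hashing a list of plausible identifiers recovers it.
func ReversibleByDictionary(stored string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if sum := sha256.Sum256([]byte(c)); hex.EncodeToString(sum[:]) == stored {
			return c, true
		}
	}
	return "", false
}

func main() {
	key := []byte("constructed-demo-key-load-from-a-key-store-in-production")
	recs := []CallRecord{{"alice@example.com", "cell-17", 120}, {"bob@example.com", "cell-03", 45}, {"alice@example.com", "cell-21", 60}}
	fmt.Println(SecondsPerSubscriber(key, recs)) // two pseudonyms, 180 and 45 seconds
}
```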

Here's how to approach application security for the GDPR.


GDPR and its impact on app sec

The EU expects organizations to process data for business use without identifying the individual to whom the data belongs. Consider what that means for data lakes created for use by various applications:

  • Telecommunications companies use their global networks to collect call records from subscribers and consumers as well as to track the location of mobile phones. The telecoms' applications process data for fault detection, roaming data, and network optimization.
  • Car manufacturers collect sensor data from millions of vehicles globally to find defects to get ahead of recalls and service issues. With today's connected cars, however, manufacturers can also have applications that could merge different datasets and track what you are doing and where you are going.
  • Retailers look at customer data to determine buying patterns and brand loyalty, detect credit card fraud, and create new customer services.
  • Health insurers analyze sensitive customer data to detect prescription medication fraud and insurance overpayments and to customize access to this information for customers.

These industries, and others, cast a wide net to collect data for analytics, a net that could include EU citizens' personal data that requires protection under the GDPR. However, sensitive data that organizations manage is often not protected as well as it should be. The many large-scale data breaches that have resulted have undermined consumer confidence.

The keys to data protection

While the GDPR mandates neither encryption nor pseudonymization, the EU has strongly hinted that these are best practices. Unfortunately, few industry segments, let alone specific companies, have a long history of operating encryption systems and managing encryption keys.

To understand the limitations of encryption, it's helpful to look at TCP/IP, the protocol suite used by most computer networks, including the Internet. The suite is a stack of four layers: application, transport, IP (the internet layer), and network (the link layer).

The biggest and most severe data breaches, in both the public and private sectors, have all operated at the application layer, and that includes almost all malware and advanced persistent threat (APT) attacks. Encryption at the lower layers, such as TLS at the transport layer, protects data only while it is in transit and is stripped off before the application handles the data. Because of this, encrypting at the application layer is the only form of encryption that will address such threats.

Encryption alone will not ensure data security. It must be supported by strong key management. In a nutshell, key management covers every aspect of an encryption system other than the encrypting and decrypting of data itself: generating keys, storing keys, transporting keys, and so forth.

Key management is so important to the business use of encryption that Micro Focus likes to echo the sentiment of Gen. Robert H. Barrow, the former commandant of the Marine Corps. Barrow once noted that "amateurs talk about tactics, but professionals study logistics"; Micro Focus is fond of saying that "amateurs talk about encryption, but professionals study key management."

It is not too hard to create secure encryption schemes, but devising secure ways to implement key management is much, much harder. Essentially, anything that can go wrong with hardware or software can affect the security of key management. In particular, software vulnerabilities in the application layer can dramatically reduce, or even eliminate, the security that encryption provides.

Take a holistic view

For a comprehensive assessment of data security, businesses must take a holistic view, and include application security and vulnerability assessment as part of their software development programs. Those assessments should enable organizations to:

  • Ensure privacy of user data through encryption or pseudonymization. Data confidentiality and the privacy of the individual are compromised when applications fail to encrypt or pseudonymize data before writing to external devices such as the console, file system, or network.
  • Ensure that data is protected by avoiding encryption snafus. While encrypting data at the application layer ensures that data flows, encrypted, through the lower layers of the system stack, any flaws in the implementation or configuration of the encryption algorithm will defeat the purpose.
  • Identify implementation and configuration errors in authentication, authorization, and access policies, including weak password requirements, missing authorization checks on critical resources, and misconfigured access control policies.
  • Identify vulnerabilities that lead indirectly to protected data. A whole range of application vulnerabilities can result in indirect access to sensitive data. Low-level vulnerabilities such as memory leaks, cache-management errors, and buffer overflows can compromise data by allowing unauthorized access to it while it is unencrypted.
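The following Go code is an added illustration, not the article's own, of the first two points above: one sensitive field is encrypted at the application layer with AES-GCM from the standard library before it is written to a log, file or socket, and the two configuration details that most often defeat the purpose (a reused nonce, a ciphertext not tied to its key) are handled. The key ID and sample values are constructed; in practice the key is fetched from a key-management service by that ID rather than generated inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newGCM wraps a 32-byte key (AES-256) in GCM; the key itself comes from a key
// store, never from the record or the source tree.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one field before it is written to a file, console or
// socket and returns base64(nonce||ciphertext||tag). A fresh random nonce per
// call is what keeps GCM secure; keyID is bound as associated data so the
// record can name its key for rotation and a relabelled blob fails to open.
func SealField(key []byte, keyID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(keyID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenField reverses SealField; a bit flip, wrong key or wrong keyID all fail
// authentication instead of yielding garbage.
func OpenField(key []byte, keyID, blob string) (string, error) {
	gcm, err := newGCM(key)
	raw, derr := base64.StdEncoding.DecodeString(blob)
	if err != nil || derr != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("bad key or malformed blob")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(keyID))
	return string(pt), err
}
```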

By reflecting upon the mistakes of the past, IT security professionals in the enterprise will be better able to plan for data security in the future. As businesses marshal their resources to address GDPR compliance requirements, it would be a mistake to implement data security measures without a holistic consideration of application security.

With the advent of the GDPR, it is imperative that businesses ensure that all systems, services, and applications that handle and process sensitive data are themselves secure.
