Five Vaultive Features That Will Improve GDPR Posture
With the EU General Data Protection Regulation (GDPR) due to take effect in May of this year, it’s essential for all organizations that are storing or processing EU citizens’ data to develop a sound GDPR compliance strategy. Vaultive’s unique cloud security capabilities can help you address key GDPR requirements, such as the personal data protections outlined in Article 32 and the recommended encryption practices described in Article 34.
Here are five features of the Vaultive Cloud Security Platform that will help you improve your organization’s GDPR posture:
Vaultive offers a much stronger data encryption model than you get out of the box from cloud service providers. We give you exclusive custody of the encryption keys without disrupting an application’s ability to search and sort data or weakening the core encryption algorithm. Strong encryption “pseudonymizes” personally identifiable information (PII) stored in the cloud, rendering it useless in the event of a cloud service provider security breach. This approach is specifically prescribed in Article 32 of the regulation, which states “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;”
Encryption with Vaultive can be applied on a per-field basis, so you have the flexibility to encrypt only those fields that contain PII. Article 34 of GDPR describes how proactive steps like this can potentially exempt your organization from data breach notification requirements.
Cloud Data Loss Protection
Another way to prevent PII from being compromised in the cloud is to prevent it from being transmitted to the cloud in the first place. The Vaultive platform can inspect cloud computing activities and block or redact certain types of information, such as Social Security or National Insurance numbers, before they are uploaded to your cloud applications.
Least Privilege & Access Controls
A big part of the newly appointed Data Protection Officer’s (“DPO”) role is to define clear policies governing access to PII and other sensitive data. Vaultive can automatically enforce these policies by limiting user access to only the cloud service functions and areas that are necessary for productivity. This reduces the risk posed by compromised credentials or user error in an administrator account of a service such as Amazon Web Services (AWS), where a few wrong clicks or a misconfiguration can lead to significant downtime.
In addition to limiting access based on user identity, the Vaultive platform can also block a transaction or require additional approval in specific contexts, such as a bulk data export from a cloud service. This allows companies to comply with another section of Article 32, which calls for “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
Many organizations already use an identity and access management (IAM) service to authenticate users and enforce policies at login time. Vaultive extends the value of these services through inspection of the entire user session. For example, if a user attempts to perform activities that could put PII and other sensitive data at risk, the Vaultive platform can interact with your existing IAM service to re-authenticate the user or step up to two-factor authentication.
Auditing & Alerting
Vaultive not only consolidates information furnished by your cloud service provider but also grants you added visibility with custom logs. The resulting data can be transmitted to your organization’s data analysis or security information and event management (SIEM) tools of choice. This will help you fulfill the ongoing requirement to assess and evaluate your security controls that is described in Article 32 of GDPR, which requires IT security teams to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Though the window to prepare your environment for GDPR is fast closing, it’s not too late to improve your posture and cloud security strategy. Get in touch today to discuss how we can help you ready your cloud environment before the May deadline.