Part Two: GDPR Offers an Opportunity to Rethink Security

Part two of this two-part blog article explores the technologies that can help meet GDPR requirements and enhance data security across your IT infrastructure. If you missed it earlier, here is a link to part one.

GDPR and the Hybrid Cloud

Risk practitioners and data protection officers love hybrid cloud implementations because hybrid cloud offers so many choices for reducing data security risks. Lowering risk to an appropriate level requires balancing available choices, economics, and controls. GDPR tells us that we must protect personal data, but the inherent risk in the system (in any system) means that there is always some chance—even if minimal—of a breach. What is risk and where does it come from?

Risk stems from a situation in which potential threats and vulnerabilities create security weaknesses. Inevitably, vulnerabilities will be exposed for any and every asset. The more assets you have, the greater the risk. Rising threat levels—from more sophisticated cybersecurity attacks—create increasing levels of risk. Risk mitigation measures that were sufficient a year ago may prove insufficient now. It stands to reason that the controls considered sufficient today will not be sufficient in the future.

Today’s information security organizations employ many techniques to ensure risk is mitigated to an appropriate level. The key to reducing risk is the application of appropriate and cost-effective controls. When you deploy an Intrusion Prevention System (IPS), you deploy a control. When you encrypt data at rest, you deploy a control. Virus scanners, malware detection, data classification tools, all are controls.

Applying controls is both an art and a science. Defense-in-depth practices remind us that applying controls at a single layer is never sufficient to protect our assets. Choose controls carefully and consider which controls are the most cost-effective while ensuring an appropriate and effective level of personal data protection.

Private Cloud

The critical controls available to private cloud owners include:

  1. Boot protection – To help protect against compromise during the boot operation, ensure that the main server boards have a Trusted Platform Module (TPM) or leverage a firmware instance of the TPM called Intel® Platform Trust Technology (Intel® PTT) for managing keys. Then use Intel® Trusted Execution Technology (Intel® TXT) measurements of the platform and software components during the boot cycle to help protect system BIOS and firmware, as well as defend against system configuration changes.
  2. Encrypt everywhere – This may sound like a cliché, but encrypting data everywhere is rapidly becoming a de facto control in the data center. Perimeter breaches are inevitable, but you can mitigate against many attacks by leveraging Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) to encrypt data at rest. Intel® AES-NI provides effective encryption acceleration for file storage and can also help provide protection of messages on the wire with minimal impact to the performance or CPU consumption. Intel® QuickAssist Technology (Intel® QAT) can also offload encryption of data packets completely from the CPU. Intel® QAT is available in many Intel® network products, as well as the most recent chipsets (part of the Platform Controller Hub) on select Intel® Xeon® Scalable processor platforms.
  3. Relevance to GDPR – The GDPR requires controllers and processors to implement technical and organizational measures to ensure a security level appropriate to the risk. These controls may be considered by many to be some of these technical measures. It is critical to deploy controls but also demonstrate that the controls are providing the necessary and intended mitigation on an ongoing basis. Many recent examples of breaches have shown that while organizations do have appropriate controls, failure to deploy them and maintain them has led to compromise.

Expanding Controls Into the Hybrid Cloud

Techniques to expand controls into a hybrid cloud implementation include:

  1. Pseudonymization ­– This technique minimizes potential exposure of required personal data by replacing identifying fields in a data record with one or more artificial identifiers or tokens. The required personal data stored in the private cloud can benefit from all necessary controls. Appropriate identity and access management (IAM) controls allow authentication and authorization along with the appropriate amount of personal data and pseudonyms to complete processing.
  2. Advanced Data and Key ProtectionIntel® Software Guard Extensions (Intel® SGX), an exciting new technology for the data center, helps software developers protect personal data while in use in memory. This set of Intel® architecture extensions helps increase security by running selected code and data in enclaves (protected regions in memory) that are cryptographically isolated from the rest of the operating environment.

Key Points to Remember

Always apply the most capable and most advanced controls to the most sensitive data. These advanced controls typically cost more, so they should be used judiciously. To take maximum advantage of available resources, analyze the trade-offs and base your decisions on where controls are best deployed to help ensure that your hybrid cloud will be cost effective, as well as secure. Many data protection issues can be simplified and risks minimized by separating the most sensitive personal data from all the other data.

Hybrid cloud implementations provide security and data protection by offering a broad range of control choices to IT professionals tackling GDPR compliance issues. Intel® architecture-based solutions offer the flexibility and built-in capabilities to help address GDPR challenges effectively. Explore the available solutions and prepare to be ready for compliance when that big date—25MAY18–arrives.

An extended version of the content featured in this article is available as a solution brief. Visit here to access this document.

Intel® technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at