Securing Containers for GDPR Compliance
Around the world, enterprises are anxious about May 25, 2018, the day enforcement begins for the European Union’s General Data Protection Regulation (GDPR).
They have good reason.
Perhaps the most comprehensive data privacy standard to date, the GDPR presents a significant challenge for organizations that process the personal data of people in the EU, regardless of where the organization is headquartered or where it processes the data. With potential fines of up to four percent of annual global revenue or 20 million EUR, whichever is higher (Article 83), the GDPR has the attention of CEOs and Boards of Directors. Wherever your organization is located, if it controls or processes the personal data of individuals in the EU it must comply with the GDPR; non-compliance exposes it to those fines, and a breach of personal data triggers the obligations to notify the supervisory authority (Article 33) and, where the risk to individuals is high, the affected individuals themselves (Article 34).
We at Thales have blogged about the GDPR and its global impact, reach, and penalties. My purpose here is to give guidance on how enterprises that are using, or planning to deploy, container technology can secure those containers for compliance.
Container Adoption and Security Concerns
Nearly one-quarter (24%) of respondents to the 2018 Thales Data Threat Report (DTR) survey¹ report that they are already using containers in production, a rapid adoption rate for a technology that was commercialized only recently.
Also according to the 2018 DTR, the top container security concern globally is the “security of data stored in containers,” and “unauthorized access to containers” ranks third.
The container security concerns of the senior security executives surveyed and the data protection measures the GDPR requires therefore line up closely.
GDPR Data Security Requirements
The GDPR does not prescribe specific products, but Article 32 requires technical and organizational measures appropriate to the risk, and in practice that means a layered, “Defense in Depth” approach rather than perimeter security alone. For the data itself, the layers should include at least:
- Limiting access to data (Article 32(4) requires that anyone acting under the controller's or processor's authority process personal data only on the controller's instructions)
- Encrypting or pseudonymizing sensitive data (both named explicitly in Article 32(1)(a))
- Monitoring and reporting user access patterns, so that unauthorized access can be detected and the controls demonstrated to auditors
GDPR Compliant Solutions for Containers
Vormetric Container Security from Thales eSecurity, built on Vormetric Transparent Encryption (VTE), addresses all three of these GDPR data security requirements. It:
- Offers a Container Security option with per-container, policy-based encryption and granular access controls for users, processes, and resource sets, together with privileged-user access controls. This guards against unauthorized access to data from containers and keeps administrators with root access and other privileged users from reading data they are not specifically authorized to see.
- Runs transparently and therefore requires no changes to the containers, applications, or storage.
- Enables container-level data access audit logs through its Container Security extension, giving insight into who and what accessed the data and how it was used. These logs form the audit trail needed to demonstrate security controls to compliance and IT security audits.
What this means for enterprises that use VTE to protect their containers is:
- They bolster their GDPR compliance posture.
- If they are breached and the breached data is encrypted so that it is unintelligible to whoever obtained it, they may not have to notify the affected individuals (GDPR Article 34(3)(a)). Notification to the supervisory authority under Article 33 is a separate obligation and is still required unless the breach is unlikely to result in a risk to individuals, so encryption narrows the reporting burden rather than removing it.
- They are applying best-practice container data protection techniques, which protect the organization from a wide range of data security risks beyond the penalties of GDPR non-compliance.
For global enterprises doing business with EU citizens and entities, all this adds up to reduced scope, cost savings, and peace of mind for CISOs, their staffs, and senior management.
Container security solutions from Thales eSecurity and Red Hat OpenShift help you prepare to meet GDPR requirements. To learn how to stay #FITforGDPR, visit our landing page and sign up for our webcast.
¹ The 2018 DTR surveyed more than 1,200 senior security executives from around the world.