With GDPR now the new reality, Andrew Elcock from Xynomix explores how to encrypt and secure your data
In 2017 we saw the WannaCry ransomware worm spread to hundreds of thousands of machines worldwide by exploiting an unpatched Windows SMB vulnerability, locking organisations out of their own data. With many organisations now holding several hundred terabytes of customer data, the way that data is handled has never been so heavily scrutinised.
The exclusive and sensitive nature of data is what makes it so valuable to cyber criminals, and it makes law firms a significant target regardless of the size of the organisation.
While some businesses are specifically targeted, other attackers work indiscriminately, and if your data is readily available to whoever gets in, a regulatory fine is likely to accompany the fallout of the breach itself.
Because GDPR is an obligation on the whole business, it is vital to consider the questions you may be asked in the wake of a data breach. At an IT level these include whether the database was encrypted, whether patches and upgrades were applied, and internal procedures such as whether test and development environments are secured to the same standard as production.
A strategy for success
When it comes to protecting your physical assets, IT security strategies are the first and most effective step.
Yet, with GDPR now in force, it is vital to continually assess and evaluate your approach to securing the data stored within those assets. Encryption is one of the most powerful ways to keep data safe from malicious activity: even if data is stolen, it is essentially useless to the thief without the decryption keys. That protection holds only if the keys are kept separate from the data they protect; a backup that ships with its key on the same disk is not meaningfully encrypted.
There are three common ways to automate encryption of stored data, one at each tier of the stack:
- Encrypted file system – operating system (OS) tier.
- Transparent data encryption (TDE) – database tier.
- Encryption module – storage tier.
In general, the lower in the stack encryption is deployed, the simpler and less intrusive the implementation will be. The trade-off is the range of threats it addresses: storage-tier encryption protects against a disk being stolen or improperly disposed of, but anything able to mount the volume or log into the database sees plaintext. Moving encryption up the stack narrows the set of people and processes that ever see unencrypted data, which is what gives the higher tiers their higher level of security.
OS-tier encryption is a viable method, though it can reduce server performance noticeably in comparison to database or storage-tier methods, particularly on hosts without hardware AES acceleration.
Another option is to purchase a storage array capable of ‘encryption at rest’, which may offer better value but provides the lowest level of protection: it defends against physical loss of the drives and little else.
At the database tier, TDE has proved popular among IT professionals. To acquire this functionality, businesses will require Enterprise Edition for Oracle (where TDE is part of the separately licensed Advanced Security option) or Microsoft SQL Server (true at the time of writing; Microsoft has since added TDE to Standard Edition from SQL Server 2019).
Not only does the business gain an unobtrusive way to encrypt its data files, log files and backups, Enterprise Edition also lets it improve other aspects of its database estate, such as scalability, resilience and performance. Be clear about what TDE does not do, though: data is decrypted transparently for any authenticated session, so it offers no protection against a compromised application account, a SQL injection flaw or a rogue DBA. Those threats need application-level encryption or tighter access control, not TDE.
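As an added illustration (not code from this article or from Xynomix), the following T-SQL enables TDE on a SQL Server database and then verifies the result. The database name CaseFiles, the table dbo.Clients, the certificate name TdeCert, the backup paths and the passwords are all placeholders chosen for this example.

```sql
-- Added example: enabling Transparent Data Encryption on SQL Server.
-- Names, paths and passwords below are placeholders for illustration.

-- 0. Confirm the edition: TDE needs Enterprise Edition (or Standard from SQL Server 2019).
SELECT SERVERPROPERTY('Edition') AS Edition,
       SERVERPROPERTY('ProductVersion') AS Version;

-- 1. The key hierarchy lives in master: service master key -> database master key -> certificate.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Passphrase!';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for CaseFiles';
GO

-- 2. Back up the certificate and its private key NOW and store them away from the server.
--    Without this backup the encrypted database, and every encrypted backup of it, is
--    unrecoverable if the instance is lost. Keep it off the disk that holds the data.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\TdeKeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TdeKeyBackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = 'Replace-With-Another-Strong-Passphrase!'
    );
GO

-- 3. Create the database encryption key (DEK) inside the target database and switch encryption on.
USE CaseFiles;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE CaseFiles SET ENCRYPTION ON;
GO

-- 4. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb is encrypted automatically once any user database is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO

-- 5. Caveat: TDE decrypts transparently for any authenticated session, so this query
--    returns plaintext exactly as it did before. TDE protects files and backups at rest,
--    not data being read by an authorised (or compromised) login.
SELECT TOP (5) * FROM dbo.Clients;
GO
```

Run this as a sysadmin. Any database backup taken after step 3 can only be restored on an instance that has TdeCert installed, which is why step 2 is not optional; on the restore target the certificate is recreated with `CREATE CERTIFICATE TdeCert FROM FILE = '...' WITH PRIVATE KEY (FILE = '...', DECRYPTION BY PASSWORD = '...')` before the `RESTORE DATABASE`.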
The value of data
While the regulation does not make encryption mandatory, Article 32 names it as an example of an appropriate technical measure, and Article 34 removes the duty to notify affected individuals where the breached data was unintelligible to whoever obtained it, for instance because it was encrypted. So if your business experiences a data breach, you will be expected to answer the question: ‘Was the data encrypted?’
Law firms should have their data security reviewed by a dedicated specialist and improve their policies and processes based on the results. It is vital that your organisation is on board with GDPR, both to protect against the consequences of non-compliance and to be seen making a conscious and documented effort to protect your data. Encryption is one such reinforcement.
For more information, please contact:
Andrew Elcock, managing director
Nottinghamshire NG10 5BA
T: 0345 222 9600