Data is the currency of today’s digital economy, the oil of the 21st century. Personal data is considered our economical asset generated by our identities and our behavior and we trade it for higher quality services and products. Online platforms act as intermediaries in a two-sided market collecting data from consumers and selling advertising slots to companies. In exchange for our data being collected, we get what appears to be a free service.
The growth and the market capitalization of social platform providers like Facebook and search engines such as Google demonstrate the value of personal data. Personal data also provides new ways to monetize services as news organizations are finding it difficult to charge ‘real’ money for digital news, but leverage our willingness to pay for a selection of ‘free’ news with our personal data. Every 3 out of 4 persons prefer free registration with selective access over a paid registration with full access.
Where there are valuables, there is crime.
Sharing information on our whereabouts on Facebook, posting a picture with our current GPS coordinates in the meta data on Instagram, using Foursquare to find a good place to eat and drink. Got a fancy new car, post a picture on Facebook. Did you blur the number plate on your car’s picture? Cozy family photo in the restaurant, credit card on the table… these are just a few examples of social information and personal leaks thieves can leverage.
Cybercrime is trending up and the crime economics of personal data, whether sold off or used for extortion, is paying off big time. Breaching and leaking personal records can be leveraged as a strategy for depreciating the value of an organization (the Yahoo! hack) or destroying its customer trust. In 2016 alone, over 2.2 billion records were reported stolen in almost 3,000 data breaches. And it’s not over as we started of the new year with 1.5 million user records being leaked after the Esports Entertainment Association (ESEA) refused to pay a $100,000 ransom.
The General Data Protection Regulation
In January 2012, the European Commission proposed a comprehensive reform of the data protection rules in the EU. The General Data Protection Regulation (GDPR) is the largest reform in data protection law in the past 20 years. The objective of the new set of rules is to give back control to EU citizens over their personal data and to simplify the regulatory environment for business through making it consistent across EU member states. The regulation provides protection concerning the processing of personal data and the free movement of such data and will apply from 25 May 2018.
Creating business opportunities
Consumer research in the last several years shows a decline in trust and an increase in levels of concern about the protection and processing of their personal data, and this is believed to have an influence on the future growth of digital technologies. For the EU citizen, the GDPR means a reinforcement of their individual rights, while businesses restore the trust of their consumers. The GDPR is creating business opportunities for established organizations, small and large, EU Members and foreign organizations, and levels the playing field for EU cloud companies to compete with established hyper-scale, world-wide cloud service providers within the EU market. This new regulation will provide a one-stop-shop for companies doing business in the EU, having them deal with a single supervisory authority. A single law to abide by will save money and ignite businesses across and within the EU.
The flip side of the GDPR is a whole new set of regulatory rules and measures to comply with and implement by any organization that controls or processes any form of personal data. Personal data is to interpreted in the wide sense of the term and pertains to any information relating to an individual, whether it relates to his or her private, professional or public life and can be anything from a name, a picture, an email address, financial details, posts on social networks, or even a computer’s IP address. Not abiding to the GDPR will be met with enforced action including fines of up to € 20,000,000 or 4% of your annual worldwide revenue when facing a breach of the data protection rules. The GDPR includes provisions that promote accountability and governance that can be audited with non-compliance, leading to administrative fines of up to € 10,000,000 or 2% of annual worldwide revenue.
Whenever a company wants to trade or do business with one or several of the EU Member States, it will have to prove adequacy – in other words, its data protection standards would have to be equivalent to the EU’s GDPR starting in May 2018. This virtually makes GDPR a global, worldwide regulation affecting organizations and businesses around the globe.
What does it mean to online businesses and cloud service providers?
For online businesses and cloud service providers, GDPR compliance means adherence to the principles of “Privacy by Design” and “Data Protection by Design” during the design, development, implementation and deployment of web applications or services, and any components or services associated with them. With the rapid adoption of cloud security services there is a heightened concern with regard to the readiness of these applications and services. A recent study conducted by Symantec/Bluecoat shows that 98% of today’s cloud applications do not even come close to being GDPR-ready.
WAF/DDoS and the GDPR
Based on recital 39 of the GDPR, personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing. Recital 49 goes further by requiring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. The recital literally says “This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
Most businesses will face the urgent need for increasing protection on published applications and services on all topics and purposes of Data Leak Prevention, Access Control, Web-based Attack Prevention and Denial-of-Service prevention. Leading providers of cloud and on-premise Web Application and API Protection services as well as on-demand, always-on cloud and hybrid Denial-of-Service mitigation services do provide an adequate solution for this acute need. A fully managed web application firewall (WAF) and Cloud DDoS service provides a fast route to check off one of the regulatory compliance boxes and a worry-free GDPR compliance strategy.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Recognized Cyber Security and Emerging Technology thought leader with 20+ years of experience in Information Technology As the EMEA Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal got skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and lead security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.