Address GDPR With Module-as-a-Service
GDPR compliance will require a number of processes, technologies, internal culture shifts and more to all come together.
Effective May 25, the General Data Protection Regulation is a framework to enforce data protection and privacy laws. Although GDPR is a European regulation, financial services organizations doing any kind of data processing for European consumers will have to adhere to the requirements to remain in compliance.
While financial services organizations are no strangers to regulations, GDPR may very well set a new standard for securing consumer data and possibly start a trend in privacy laws globally. Hundreds of pages long, GDPR includes basic methods to empower consumers to control their privacy and sensitive financial data.
GDPR recognizes the global impact of e-commerce and the complexity of organizations operating across multiple jurisdictions. It protects the information of all those living within the EU regardless of where the data is collected, stored or processed. This applies to financial organizations on a global level that collect data and distribute it across multiple data centers and nations. GDPR is a binding legislative act under which financial services organizations can be fined up to 4% of their global revenue or €20 million, whichever is greater, for being out of compliance.
All information that can be used to identify a person – directly or indirectly – such as financial data, photos, home addresses, medical information, social media and IP addresses, is protected under GDPR. Private information can be collected from consumers only for legitimate business needs. Consumers must be presented with clear, easy-to-understand and easy-to-reject options before they consent to organizations collecting their data.
Financial services organizations need to take a “people and process first” approach to GDPR. They need to instill a culture of privacy by design and adopt initiatives for business process change. Financial companies need to understand their exposure and commit to continuous compliance. Cross-functional teams of business, legal and IT leaders must drive efforts and come together to help ensure this commitment.
Financial services organizations have considerable experience in leveraging technology to protect data and achieve compliance. To help achieve compliance with access control, pseudonymization, right to be forgotten and reporting requirements of GDPR, organizations can benefit by leveraging encryption and central key management. Since financial organizations need to categorize and create a set of rules for processing data, they can use encryption keys to control access and secure the data.
Next-generation Hardware Security Module-as-a-Service (HSM-as-a-Service) is one approach that can help address GDPR requirements. It delivers hardware-backed security with software flexibility, and encryption keys can be securely generated, distributed, stored, imported, revoked, exported and managed. HSM-as-a-Service can act as a control layer between the data controller and the data processor to help address GDPR compliance requirements around data audit, control and erasure. The data processor is an entity that processes personal data according to the rules set by the data controller.
Important functionalities of this type of HSM that help address GDPR requirements include:
- Fine-grained access controls for users and data: Only the authorized processor can access the HSM encryption keys protecting the needed data, and only for the duration for which a business case exists as required by GDPR.
- Tokenization: Consumers can use HSM to tokenize primary account numbers, addresses, date of birth, etc., to reduce the possibility of wrongful exposure.
- Key destruction: Once a key is destroyed, no one (not even the organization, HSM-as-a-Service provider, or the user) can restore it. As a result, financial organizations can easily remove access to certain data.
- Data-masking: This masks private data before it is processed in a test cluster, greatly reducing the GDPR compliance surface.
- The right to be forgotten: If a consumer requests data erasure, the decryption key can be deleted. Such a deletion is logged into the central audit log and is irreversible. Financial organizations are assured that data cannot be accessed once the key has been deleted.
- Portability of encryption keys: Personal data can be encrypted and the keys marked exportable.
- Geo-fencing: Financial organizations can leverage this technology to adopt policies based on the location of data.
- Global logging: All access to private information is automatically logged in a centrally viewable, tamper-proof global audit trail. There is never any confusion about who accessed which data and when.
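The access-control, key-destruction, right-to-be-forgotten and audit-logging points above all rest on one pattern: each data subject's records are sealed under their own data-encryption key, the key service enforces which processor may use that key, every attempt is logged, and erasure is implemented by destroying the key (crypto-shredding) rather than by hunting down every copy of the ciphertext. The following Go program is an added illustration of that pattern, not code from the article or from any vendor product; the in-memory `KeyService`, the actor and subject names, and the sample record are all constructed for the example, and a real deployment would keep the keys inside the HSM and the audit trail in tamper-evident storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AuditEntry is one line of the append-only audit trail: who did what to which subject's key.
type AuditEntry struct {
	Actor   string
	Action  string
	Subject string
	Allowed bool
}

// subjectKey is a per-data-subject data-encryption key plus the processors allowed to use it.
type subjectKey struct {
	dek        []byte
	processors map[string]bool
}

// KeyService is a hypothetical in-memory stand-in for the HSM/KMS control layer.
type KeyService struct {
	keys  map[string]*subjectKey
	audit []AuditEntry
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string]*subjectKey{}} }

func (s *KeyService) log(actor, action, subject string, allowed bool) {
	s.audit = append(s.audit, AuditEntry{actor, action, subject, allowed})
}

// CreateKey generates a fresh 256-bit DEK for a data subject and records who may use it.
func (s *KeyService) CreateKey(controller, subject string, processors ...string) error {
	if _, exists := s.keys[subject]; exists {
		return fmt.Errorf("key for subject %q already exists", subject)
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return err
	}
	allowed := map[string]bool{}
	for _, p := range processors {
		allowed[p] = true
	}
	s.keys[subject] = &subjectKey{dek: dek, processors: allowed}
	s.log(controller, "create_key", subject, true)
	return nil
}

// authorize enforces the per-key policy and writes one audit line for every attempt, granted or denied.
func (s *KeyService) authorize(actor, action, subject string) (*subjectKey, error) {
	k, ok := s.keys[subject]
	if !ok {
		s.log(actor, action, subject, false)
		return nil, fmt.Errorf("no key for subject %q (never created or already destroyed)", subject)
	}
	if !k.processors[actor] {
		s.log(actor, action, subject, false)
		return nil, fmt.Errorf("processor %q not authorized for subject %q", actor, subject)
	}
	s.log(actor, action, subject, true)
	return k, nil
}

func newAEAD(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record under the subject's DEK with AES-256-GCM; the nonce is prepended
// and the subject id is bound as associated data so a ciphertext cannot be replayed under another subject.
func (s *KeyService) Encrypt(processor, subject string, plaintext []byte) ([]byte, error) {
	k, err := s.authorize(processor, "encrypt", subject)
	if err != nil {
		return nil, err
	}
	gcm, err := newAEAD(k.dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// Decrypt opens a sealed record; it fails for unauthorized processors and for destroyed keys.
func (s *KeyService) Decrypt(processor, subject string, sealed []byte) ([]byte, error) {
	k, err := s.authorize(processor, "decrypt", subject)
	if err != nil {
		return nil, err
	}
	gcm, err := newAEAD(k.dek)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(subject))
}

// DestroyKey implements erasure by crypto-shredding: the DEK is zeroed and dropped and nothing
// escrows it, so every record sealed under it becomes permanently unreadable.
func (s *KeyService) DestroyKey(controller, subject string) error {
	k, ok := s.keys[subject]
	if !ok {
		s.log(controller, "destroy_key", subject, false)
		return fmt.Errorf("no key for subject %q", subject)
	}
	for i := range k.dek {
		k.dek[i] = 0
	}
	delete(s.keys, subject)
	s.log(controller, "destroy_key", subject, true)
	return nil
}

// Audit returns a copy of the trail so callers cannot rewrite history.
func (s *KeyService) Audit() []AuditEntry { return append([]AuditEntry(nil), s.audit...) }

func main() {
	svc := NewKeyService()
	_ = svc.CreateKey("controller", "customer-42", "payments-eu")
	// Constructed sample record; not real account data.
	sealed, _ := svc.Encrypt("payments-eu", "customer-42", []byte("account record for customer-42"))
	if _, err := svc.Decrypt("analytics-us", "customer-42", sealed); err != nil {
		fmt.Println("denied:", err)
	}
	_ = svc.DestroyKey("controller", "customer-42") // erasure request honoured
	if _, err := svc.Decrypt("payments-eu", "customer-42", sealed); err != nil {
		fmt.Println("after erasure:", err)
	}
	for _, e := range svc.Audit() {
		fmt.Printf("%-12s %-12s %-12s allowed=%v\n", e.Actor, e.Action, e.Subject, e.Allowed)
	}
}
```

The design choice worth noting is that the audit line is written inside `authorize`, before any cryptography happens, so denied attempts and attempts against already-destroyed keys appear in the trail just like successful ones; an erasure is then verifiable after the fact by showing the `destroy_key` entry followed by failed decrypts for that subject.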
Financial organizations should consider an HSM-as-a-Service that works seamlessly across nations to secure information spanning multiple regions, data centers and cloud environments. It should also offer telecom-grade service availability.
Self-Defending Key Management Service (SDKMS) is an example that combines HSM and key management capabilities with software-defined simplicity and a scale-out architecture for modern cloud applications. Encryption keys can be securely generated, distributed, stored, revoked and managed within SDKMS. The encrypted data can then be made available to all data processors worldwide according to the data architecture. SDKMS allows decryption of the data only in accordance with the defined access rules.
SDKMS’ multiple integrations with cloud providers – including AWS, Azure and Google – and its wide range of interfaces, including developer-friendly RESTful APIs, enable many use cases. SDKMS allows financial organizations to generate, control and distribute keys for payment applications, public-key infrastructure, database encryption, IoT devices and more. Centralized management capabilities enable organization-wide key management policies with unparalleled simplicity.
SDKMS is a global solution, available as SaaS and as an appliance for on-premises deployment. Its unique value proposition is its ability to serve any environment and any cloud while ensuring the consumer remains in complete control of their keys and data. This type of assurance is particularly critical as a growing majority of financial organizations are considering adopting cloud, but need to maintain control over their data.
GDPR compliance will require a number of processes, technologies, internal culture shifts and more to all come together. There is no single magic bullet to meet 100% GDPR compliance, but there are some very solid options for helping financial organizations improve security and help combat today’s evolving threat and regulatory landscape.
Ketan Shah is VP of Products for Fortanix. He can be reached at 650-224-0614 or ketan.shah@fortanix.com.