The European Union’s GDPR regulations go into effect in May of this year. In essence, GDPR is a strict data privacy code that holds companies responsible for securing the data they store and process. Although GDPR was approved in April 2016, companies affected by the regulations are still struggling to reach compliance by the May 2018 deadline. A lot of hype has been built up about this systemic unpreparedness, especially in the cybersecurity sector, where GDPR is seen as “the coming storm.” Despite this atmosphere, the main challenge facing GDPR-covered entities remains largely hidden: third-party vendors.
Securing primary systems is one thing— we know all the cybersecurity cliches about endpoints and perimeters. GDPR, however, is solely focused on data, which means that any surface over which that data passes must be protected from exposure, even if it’s in the hands of a vendor. Vendors in this sense include both managed services, like outsourced IT, and hosted services, like cloud servers and storage. The enterprise technology ecosystem has evolved to include a complex interrelationship of hosted and managed services, in addition to traditional on premise network and data center architectures— all of these must be factored in to GDPR compliance.
Before we go into more detail on the vendor component of GDPR coverage, it’s important to understand why these regulations are being implemented, as well as what the consequences are for noncompliance. The European Union has recognized that the digitization of business and social activity has extended the question of citizen rights into cyberspace. Companies today thrive on data, requiring ever more quantities of it to operate. Analytics, ecommerce, and other ubiquitous business practices now demand an enormous amount of data be collected and stored, pertaining to every single person. GDPR is an attempt to protect citizens’ rights in regard to their data, and to ensure entities that handle that data adhere to best practices.
Breaches, Fines, DPOs
The real reason GDPR is a big deal to so many people is that it has teeth. The fines and penalties for data mishandling are severe— up to 4% of annual global revenue or 20 million Euros per breach. Breach response protocols will be more restrictive as well, requiring organizations to report data breaches within 72 hours to appointed Data Protection Authority (DPA), who will handle the legal ramifications of the data exposure. Large companies, and those who specialize in data handling, will have stricter operating requirements, such as the mandated establishment of a Data Protection Officer (DPO) position. Finally, it’s crucial to remember that GDPR doesn’t just affect companies headquartered in the EU; it covers any company that provides goods or services to EU citizens— a far greater scope of coverage.
"If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR." - eugdpr.org
Vendors, the Hidden Challenge
This brings us back to vendors. GDPR exists to protect data, not systems. This means that the consequences for a breach relate to how sensitive the exposed data was, not where in the handling chain it was exposed. Security and compliance now extends beyond the perimeter, into third-party environments and processes. The heavy GDPR consequences for data exposure make third-party data handling a significant business risk, one that must be dealt with proactively, and with the same care as any serious financial risk to the organization.
Third Party Exposures
Unfortunately, third-party data exposure is a major problem. In the past year, UpGuard has discovered some of the largest data exposures in the world, and the majority of them involved third parties. Whether the third party is an enterprise vendor whose operating processes fail to secure cloud storage, a contracted developer storing sensitive code in a public repository, or an analytics firm that leaves a production database open to the internet— exposures can occur throughout the data lifecycle. Unless proactive steps are taken to ensure compliance down the line, the primary entity doesn’t even know something’s wrong until it’s too late.
Addressing Vendor Risk in GDPR
What are the proactive steps that companies can take to mitigate third party risk under GDPR? There are three ways to proactively reduce the risks that third parties pose in their data handling capacity: independent external assessment, vendor questionnaires, and data breach auditing.
1. Independent External Assessment
The first thing organizations can do is examine the internet-facing posture of a vendor. This will reveal any obvious problems, and also show how seriously they take data security. This assessment should ensure that the vendor follows best practices against common threats and breach vectors and does not have any glaring misconfigurations in their internet accessible architecture. As this assessment can be done independently, it provides an objective set of data from which questions and concerns can be raised.
2. Vendor Questionnaires
External assessments only look at a portion of a vendor’s infrastructure. To get visibility into the inner workings of their technology and processes, it is necessary to have the vendor fill out a technical questionnaire that details such information. As this process relies on the vendor’s good faith, it is important to ask specific, directed questions that make them show how they protect your data as they store and process it. For example, understanding how the vendor utilizes cloud technology can help inform you of the risk of public bucket exposure.
3. Data Breach Audits
GDPR fines are tiered based on how negligent the entity was in processes and events that led to and caused the data breach. Proactive measures to ensure data privacy have a real dollar value for companies under GDPR. With the number of vectors for breach, the most effective way to ensure exposures do not exist is to audit them independently as part of a regular privacy effort. Much like how red teams can audit defenses by staging an attempt to break-in, looking for public exposures before they become problems can protect companies and their customers.
GDPR does represent a sea change in business data. For decades now, organizations have built up massive datasets, copied and stored around the world on various platforms. GDPR puts some power back into the hands of the people described in this data by giving them individual recourse to privacy, as well as holding responsible companies that handle data, ensuring that their processes are resilient. Managing an infrastructure that extends beyond the borders of your data centers is a difficult process, but it is one that you can get your arms around by taking proactive measures to ensure your vendors are up to snuff and that your data is not exposed.