Safer, Cheaper and Defter

May of this year marked the third anniversary of one of the most important legislative implementations of the last decade: The General Data Protection Regulation (GDPR). In Fluid Attacks, we have talked a little about what GDPR is, but today we want to dedicate a particular blog post to talk about what it has achieved, why it is essential and, above all, how it has affected you directly.

The GDPR "is the backbone of the EU’s data protection and privacy legislation." Its main objective is to strengthen privacy laws across the European Union to fit the digital age. This legislation updated and unified data privacy laws, by replacing the 1995 EU Data Protection Directive, a policy designed for the last millennium.

The law was published in the European Parliament legislative act 679 on 27 April 2016. Its main premise is that "the protection of natural persons in relation to the processing of personal data is a fundamental right." Before its creation, the running data protection standard law was the 1995 EU Data Protection Directive. Rules established there did not have a global or general range, but they must be “ implemented through national legislation.” Previously, personal information management legislation was not standardized, though there were some guidelines. Before the 2000s, personal information used to be stored on massive shelves full of documents. Today most of that information is digital. Therefore, it is urgent to establish rules of the game for large companies that privately store data.

As we shared in our GDPR Compliance section, this policy was approved by the European Parliament on 14 April 2016 and went into effect on 25 May 2018. Almost the entire approach revolves around a set of rules designed to protect personal information from unnecessary risks by specifying how companies should store, handle and share such data. It was approved by the European Union (EU) and the European Economic Area (EEA). The regulation applies to companies that have operations in the EU and that process personal data. Besides, it doesn’t matter if the holding company activities take place in the Union or not. Any company in the world with customers or employees in the EU must comply with GDPR.

GDPR requires organizations to understand better what data their businesses have and how it is stored. In another blog post, we talked about this when we explained the controversy over the opening of the Apple Data Center in Guizhou, China. The point is that this increased understanding proactively helps streamline detection and response in the event of a costly security incident (like a data breach). Of course, beyond the legal need to comply with the standards called for by the GDPR, there is a necessity to make companies safer from cybersecurity breaches.

A company committed to GDPR compliance proactively identifies vulnerabilities and prepares autonomously to validate the security of their trade of personal data. One of the ways in which companies would fulfil the GDPR’s privacy requirements would be by reducing the amount of unneeded information. In this sense, companies "shouldn’t hold data they don’t need for longer than they need." This strengthens the company’s security and reduces storage costs, as there is less data to store.

Along with these commitments, the company must (a) identify personal data and evaluate their access permission, (b) corroborate that they are asking for explicit consent to use others information, and (c) be sure to process data following legal support. Besides, they must strengthen security, reduce risks of attacks, and transmit trust. One such situation is the regulation of passwords. Nowhere in the document is a rule that explains what kind of security filters a password should have.

However, that doesn’t mean it’s a minor issue or that you can’t establish a rule of your own that is in line with what the GDPR requires. The Hacker News, for example, recently published a list of recommendations that should be considered "to create a GDPR compliant password policy." Their most important recommendations are (a) avoid secret questions, (b) consider implementing multi-factor authentication (MFA), and (c) "use a 3-rd party tool to help your password policy reach your entire end-user directory."

For example, we at Fluid Attacks use Okta as our identity management platform. It allows us to give access to applications without disclosing credentials and maintaining the least privileged approach. It is a very comprehensive tool because it supports MFA by using a one-time password (OTP). Every half minute, it generates a new OTP. You can also send push notifications to your trusted device (usually your phone) through its Okta Verify app. Finally, because you must use your phone to sign in to the Okta Verify app, it enforces biometric MFA for both face and fingerprint (if the device supports it).

Finally, it should be noted that GDPR has not been exempt from controversy. On 1 July, Johannes Caspar, a leading German regulator who worked for more than ten years at the helm of the Hamburg data protection commission, stepped down. His disillusionment with the EU’s General Data Protection Regulation stemmed from the fact that the policies allow, precisely, security weaknesses and flaws.

His criticism is based in two situations. First, companies that did not comply with GDPR policies had been estimated to have penalties. These were set out in article 83 (5). It states that infringements shall be subject to administrative purposes “up to 4% of the total worldwide annual turnover." But to date, no company has come close to paying that penalty. Second, GDPR gives regulators lots of room for interpretation" of the rules. Which makes it onerous to verify law enforcement.

At Fluid Attacks, we are specialized in cybersecurity through Pentesting and Ethical Hacking. For more information, don’t hesitate to Contact us!