The new EU General Data Protection Regulation (GDPR), the revised set of rules protecting the personal data of all EU citizens, applies from May 25th 2018. Complying with GDPR is mandatory in all EU countries, and organisations outside the EU must follow the same rules if they process or store data “belonging” to EU citizens. That is worth knowing for cloud providers with data centres in the US or elsewhere outside the EU.
If a company or public institution exposes individuals’ personal data, for example through a data leak or a security breach, it must notify the supervisory authority within 72 hours of becoming aware of the breach (article 33), and the most serious GDPR infringements can be fined up to 4% of the company’s total worldwide annual turnover or 20 million euro, whichever is higher! Another interesting GDPR feature is the “right to erasure” (article 17): any EU citizen can demand that a company or institution erase all personal data relating to him or her, unless there are well-defined legal grounds for keeping the data in the system(s). Again this applies regardless of whether the data is located inside or outside the EU.
Honestly, GDPR will be tough for many companies and institutions. Some will need to redefine and implement business processes, some will have to rewrite applications, most will need additional security controls, and we all have to reconsider how we store and keep track of every piece of data that can be defined as “personal data”. That creates a lot of work for the companies themselves, for legal advisers and law firms, and of course for IT vendors. As you would probably expect, IBM is on top of the situation and has GDPR-knowledgeable teams locally and centrally, ready to help companies and institutions prepare.
Getting back to my headline: as an IT manager or CIO you can do something here and now to help your company prepare for GDPR. You can encrypt all or part of the data stored in your systems. Article 32 reads: ”… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data”, and article 34: ”The communication to the data subject … shall not be required if … data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption …”. In non-legal language: if the personal data that leaks was properly encrypted, and the keys did not leak with it, you are in a much better [legal] position after a breach. Two caveats are worth noting. First, the article 34 exemption covers informing the affected individuals; it does not remove the 72-hour notification to the supervisory authority under article 33. Second, “unintelligible” depends entirely on where your keys are: encrypted disks whose keys sit on the same stolen server, or are readable by the same compromised account, give you the cost of encryption without the benefit.
If you are about to replace your storage system, PLEASE make sure the new system can encrypt data at rest, and ask how and where it keeps the keys!
IBM has long been a frontrunner in encryption, and to illustrate that let me mention some of our storage solutions that provide it. At IBM we have always believed encryption is important, so whichever IBM product you look at, this is mature technology, not something invented overnight to please GDPR.
IBM Spectrum Protect is our portfolio of well-respected backup solutions, previously known as Tivoli Storage Manager (TSM). Spectrum Protect simplifies data protection whether your data is hosted in physical, virtual, software-defined or cloud environments, and you can protect data on systems of all sizes from a single point of control. It is a true enterprise-class backup solution with policy-based multi-site replication and flexible restore capabilities.
Encryption has been part of Spectrum Protect/TSM for as long as I can remember, and many companies already encrypt their backup data with IBM products. Spectrum Protect encrypts data during a backup or archive operation, using either 128-bit Advanced Encryption Standard (AES) encryption (the default) or 256-bit AES for the highest level of protection. The data you include is stored in encrypted form, and encryption does not change the amount of data sent or received. One thing to plan for: the encryption key is what makes the backup readable again. If the key is lost, the encrypted backups cannot be restored, so manage and back up the keys as carefully as the data itself.
Spectrum Virtualize is the software part of our very mature but still leading-edge storage virtualization solution, SVC. Besides being part of SVC (with IBM-specific SVC hardware nodes), you can now acquire Spectrum Virtualize as software only or as the software component of our virtualized storage solutions: IBM Storwize, IBM VSC, VersaStack and IBM V9000. The functionality is the same across all of them.
Spectrum Virtualize supports optional software encryption of data at rest, protecting against exposure of sensitive user data and user metadata stored on discarded, lost or stolen storage devices. What is especially interesting if you have non-IBM storage is that placing Spectrum Virtualize in front of your whole storage environment adds encryption to ANY of the 400+ supported storage systems that can be virtualized behind Spectrum Virtualize, SVC and Storwize! In summary, encryption is possible for internal SAS-attached storage (SVC nodes and Storwize), for external virtualized storage (IBM and non-IBM), for external storage that is already encrypted, and for any combination of these. Be clear about what this threat model covers, though: encryption at the virtualization layer protects the media. It does nothing against an attacker who reads the data through a host or application that is legitimately allowed to access the volume, which is why it belongs alongside, not instead of, access control and monitoring.
IBM Spectrum Scale is the new name for IBM GPFS, the global parallel file system that is the de-facto standard at many HPC sites and in media companies. It is very robust and extremely flexible: it handles both files and objects and can use almost any available storage platform as the underlying hardware. Spectrum Scale is designed to provide high availability through advanced clustering, dynamic file system management and data replication. It offers interfaces for both files and objects, and you can even run it in a hybrid setup with part of the installation on-premises and the rest in the cloud. With policies you can automate data movement between storage tiers, which can prove very relevant in a GDPR context. Spectrum Scale is available as software only on AIX, Linux or Windows Server, or as part of the IBM ESS appliances.
Spectrum Scale supports file encryption that provides both secure storage and secure deletion of data. Encryption is managed through encryption keys and encryption policies. Secure storage uses encryption to make data unreadable to anyone who does not possess the necessary keys; secure deletion follows from the same design, since destroying the keys renders every remaining copy of the file data unreadable. Data is encrypted while “at rest” (on disk) and decrypted on the way to the reader. Only file data, not metadata, is encrypted.
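To make the key-based secure-deletion model above concrete, here is an added example. It is not Spectrum Scale’s code or its key-management interface; it is a generic illustration written for this page in Go, using only the standard library’s crypto/aes and crypto/cipher packages. It keeps metadata (name, size) in clear, encrypts each file’s body under its own AES-256-GCM data key, wraps that key under a master key, and implements an erasure request as destruction of the wrapped key. The file name, key ID format and sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned when a file's data key has been shredded.
var ErrKeyDestroyed = errors.New("data key destroyed: ciphertext is unrecoverable")

// FileRecord is what storage keeps; Name and Size are metadata and stay in clear.
type FileRecord struct {
	Name       string
	Size       int
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore holds the master key (in production: a separate key server, never
// beside the data) and the per-file data keys sealed under it.
type KeyStore struct {
	master cipher.AEAD
	keys   map[string]wrapped
}

type wrapped struct{ nonce, ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mustRand panics if the OS CSPRNG fails: there is no safe way to continue.
func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKeyStore takes a 32-byte master key (AES-256-GCM).
func NewKeyStore(masterKey []byte) (*KeyStore, error) {
	aead, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	return &KeyStore{master: aead, keys: make(map[string]wrapped)}, nil
}

// Store encrypts plaintext under a fresh per-file data key and wraps that key under
// the master key. The file name is bound as additional authenticated data, so
// swapping metadata between two encrypted files is detected on read.
func (ks *KeyStore) Store(name string, plaintext []byte) *FileRecord {
	dataKey := mustRand(32)
	fileAEAD, _ := newGCM(dataKey) // 32-byte key: cannot fail
	fileNonce := mustRand(fileAEAD.NonceSize())
	keyID := fmt.Sprintf("%x", mustRand(8)) // constructed key-ID format
	wrapNonce := mustRand(ks.master.NonceSize())
	ks.keys[keyID] = wrapped{wrapNonce, ks.master.Seal(nil, wrapNonce, dataKey, []byte(keyID))}
	return &FileRecord{
		Name: name, Size: len(plaintext), KeyID: keyID, Nonce: fileNonce,
		Ciphertext: fileAEAD.Seal(nil, fileNonce, plaintext, []byte(name)),
	}
}

// Read unwraps the data key and decrypts; it fails once the key is shredded.
func (ks *KeyStore) Read(rec *FileRecord) ([]byte, error) {
	wk, ok := ks.keys[rec.KeyID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	dataKey, err := ks.master.Open(nil, wk.nonce, wk.ciphertext, []byte(rec.KeyID))
	if err != nil {
		return nil, err
	}
	fileAEAD, _ := newGCM(dataKey) // unwrapped 32-byte key: cannot fail
	return fileAEAD.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Name))
}

// Shred is the secure-deletion step: destroying the wrapped data key makes the
// ciphertext, and every replica or backup of it, unreadable without touching disks.
func (ks *KeyStore) Shred(keyID string) { delete(ks.keys, keyID) }

func main() {
	ks, _ := NewKeyStore(mustRand(32)) // demo key; in production fetched from a key server
	// Constructed sample record, no real personal data.
	rec := ks.Store("hr/employee-4711.json", []byte(`{"name":"Example Person"}`))
	pt, _ := ks.Read(rec)
	fmt.Printf("metadata in clear: %s (%d bytes); decrypted: %s\n", rec.Name, rec.Size, pt)
	ks.Shred(rec.KeyID) // erasure request: one key delete, no disk scrubbing
	_, err := ks.Read(rec)
	fmt.Println("after erasure:", err)
}
```

The point to take away: once the key is gone it no longer matters how many replicas, snapshots or backup tapes still hold the ciphertext, which is what makes key destruction a workable answer to a right-to-erasure request across a whole storage estate. The flip side is that the key server becomes the most critical system you run: it must be backed up and access-controlled, because a lost master key erases everything at once.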
IBM bought the company Cleversafe a year ago, and since then it has been our #1 offer to customers who need a dedicated object storage system. Since more and more data is objects by nature (think of big data, IoT, video, audio and pictures), IBM is addressing a pretty big market with IBM Cloud Object Storage (IBM COS), quite often as an on-premises solution for customers who want to run their own private cloud for one or more reasons: security, very high uptime, low price per GB, total control of their data, and a guarantee that all their object data stays in their country. That last argument is really gaining momentum now because of GDPR and because of political changes around the world.
In IBM COS we do in-line encryption: whenever a new piece of data (an object) is written to the system, both the object’s data body and its metadata are encrypted before being sliced up and distributed to multiple servers with built-in disks using IBM’s Information Dispersal Algorithms. When the object is read, the data body and the metadata are decrypted, again in-line. Does it work? We have plenty of customers with 100+ PB in IBM COS, and it works for them.
Yes, it is going to be painful for a lot of companies and institutions to “adjust” their processes, organizations and IT systems to GDPR, but there is no way around it if you deal with any kind of “personal data”. GDPR is going to happen no matter what, 1½ years from now. Help yourself by getting things in order where you can today, and encrypting data at the storage system level is a smart place to start. IBM encryption software is mature, available and ready to implement, and as you have just read, we even have a Spectrum Virtualize solution that can add encryption to data residing in a non-IBM storage environment.
IBM Spectrum portfolio: www.ibm.com/systems/storage/spectrum/
IBM COS: www.ibm.com/marketplace/cloud/object-storage/us/en-us
The official GDPR-text: eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN