GDPR Compliance in the Cloud

With the GDPR about to take effect, many companies are looking to their cloud services to help them reach GDPR compliance.  The Microsoft Office Modern Workplace episode ‘GDPR: What You Need to Know’ outlines how to make this process painless.  Companies want to ensure that the cloud services they use are compliant.  The GDPR places a higher burden on companies storing data on Europeans, and for many businesses, this data resides in the cloud.  Important GDPR compliance considerations include building support for the consent requirement, the rights to erasure and data portability, and 72-hour breach notification, among other GDPR requirements.

The good news is that cloud providers have not been standing still and they can be a valuable partner for a company’s compliance effort.  The decision to utilize the services of cloud providers was likely made not only for the features they provide but because cloud providers can often implement security controls and procedures that would be cost prohibitive for a company to do on its own.  Many cloud providers are actively considering how to comply with GDPR, and some have already adopted GDPR compliant practices.

Today, cloud services are not only present in organizations, they are often ubiquitous.  One study found that European companies are using over 600 cloud services on average and it is likely that U.S. companies use a similar number of cloud services.  So how do companies with such a large cloud presence comply with GDPR?

Assign compliance responsibility

The first step in the GDPR compliance effort is to identify which person or group will be responsible for ensuring compliance with GDPR.  This may be different groups depending on the organizational culture or the business use of personal information.

According to Karen Lawrence Öqvist, CEO at Privasee, the group responsible may include legal, compliance, or even IT.  IT is often the driver in companies where collecting data is not core to the business while legal often has responsibility when there is an emphasis on the collection of personal information.   No matter which person or group is chosen, someone must be accountable for bringing the company into compliance.

Identify cloud providers

The individual or group responsible for compliance must then determine which cloud providers are in use and what data is stored or processed on these cloud services.  It can be tempting to reduce the scope of the process only to those that house data on Europeans, but this might be a short-term perspective.  Companies must be careful not to limit their scalability and agility by staying on non-compliant systems because those systems may need to house such data in the future as the company evolves.

GDPR compliance can also be an opportunity to build a better relationship with customers.  According to Brendon Lynch, Chief Privacy Officer at Microsoft, the increased control and transparency mandated by the GDPR can be a way to build and maintain more trust with customers.  This is a benefit not only for European customers, but also those around the globe.

Once cloud providers have been identified, consider ways to consolidate services to ease management and compliance with GDPR.  Take the time to identify redundancies and standardize those services across the enterprise with a single provider.  Tiered pricing models and bundling of services can reduce cost, but the primary driver for these changes is reduced complexity of data flows to and from cloud providers.  Do not limit this analysis to cloud providers only.  Consider also which activities are performed in-house and whether moving those operations to a GDPR compliant cloud provider would increase efficiencies or lower costs.

Gap analysis

Next, conduct a gap analysis of each cloud vendor.  Vendor management or compliance groups may send out questionnaires to assess whether cloud providers have the capability to meet GDPR requirements and, if not, whether they have a reasonable plan on how to implement these capabilities before the May 25, 2018, deadline.

Mainstream cloud vendors have been some of the most proactive in implementing methods to secure data in their cloud service offerings and to do so in a way that is compliant with the GDPR.  For example, in the recent Microsoft Office Modern Workplace episode, GDPR: What You Need to Know, the Office 365 prebuilt filters were demonstrated.  These filters are already in place for personal data types such as those used by European countries.  Administrators can use filters to define a policy that will automatically identify data in email, SharePoint, and other Office cloud services, and then take specific compliance actions.

Conduct privacy impact assessments

Privacy impact assessments should be performed on high-risk assets such as HR or financial data to ensure that this information is adequately protected with whichever cloud providers are storing or processing the data.  Privacy impact assessments analyze what personal information the company is collecting, why it is collected, and how it is stored, used, and protected.

Document and train on procedures

It is not enough for the cloud provider to have the capability to comply.  The company must be able to use these capabilities in their compliance strategy.  For example, the option to remove or transfer personal data may be possible on a cloud system, but the company must document how to utilize these features if needed.

Persons or departments in the company must then be trained on how to perform these actions so that they will be ready and able when customers make data requests.  Training alone is not sufficient to ensure that staff will meet the GDPR’s stringent 72-hour notification period.  Here, simulation can provide more reliable assurance that incident response activities can be performed in compliance with the GDPR.  Simulations should have incident response teams and cloud service providers work together to effectively investigate a data breach and gather the information needed for notification.

Wrapping it up

Companies that wish to comply with the GDPR by the May 25, 2018 deadline are trying to understand where their data is, particularly that of Europeans, and how that data is handled.  Cloud providers can be a great partner in this effort, and companies should embrace their cloud providers in the effort to become compliant.  Consider your cloud provider a core partner in your compliance rather than a liability, and utilize what they have to offer in order to meet the GDPR requirements.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Important considerations for your business and GDPR

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy.  It is significant because it affects companies that do business in Europe or collect data on Europeans.  GDPR’s wide-ranging scope ranks it right at the top of significant regulations, sitting beside well-known requirements such as HIPAA and PCI.

Your business may be doing quite a few things required by GDPR already because GDPR has similar goals to other regulations.  While HIPAA is designed to protect patient information in covered entities and business associates and PCI to protect credit card information from card processing environments, GDPR aims to protect the personal information of Europeans.  This overlap of objectives results in a considerable similarity in GDPR specifications to those of other regulations.  However, GDPR does introduce some new requirements that companies need to understand.

The upcoming Microsoft Office Modern Workplace episode “GDPR: What You Need to Know” incorporates the expertise of Brendon Lynch, Chief Privacy Officer at Microsoft, and Karen Lawrence Öqvist, CEO at Privasee on how to prepare for GDPR.  Some fundamental aspects of GDPR that are distinct from other regulations include the consent requirement, rights to erasure and data portability, accelerated breach notification, and the requirement for a data protection officer.

Consent requirement

GDPR mandates that companies obtain consent from individuals before storing their information.  Consent must be specifically for how the data will be used.  Organizations must first spell out how they will use an individual’s data and then obtain the approval for that use.  Data use is then limited to only what the person allowed, and the organization must keep records on how information is used and processed.  This information must be produced upon request by supervisory authorities, a local governing body that the business has associated with for purposes of compliance and reporting.

Rights to erasure and data portability

Under GDPR, individuals have the right to erasure and the right to data portability.  Companies must remove the data they have on a person if requested to by the individual, and they must facilitate the transfer of a person’s information from their systems to another system using an open standard electronic format that is in common use.

Accelerated breach notification

Breach notification timelines are greatly accelerated in GDPR.  The supervisory authority must be notified within 72 hours of the breach.  This notification must include the relevant details of the breach, including the number of victims impacted and personal records disclosed, the likely consequences to victims due to the breach, how the company is handling the breach, and what the company will do to mitigate possible adverse effects of the breach.  This accelerated schedule will require businesses to have much more robust incident response and investigative procedures, as well as effective coordination of incident response, legal, investigative, and executive teams.

Data protection officer

Much like HIPAA’s privacy officer requirement, GDPR requires public authorities and organizations to have a data protection officer when their core business involves large scale processing or monitoring of individuals.  The data protection officer must be a senior person in the organization who reports to executive management.  They must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.

Next steps

We live in an incredibly globalized world, one where businesses of all sizes work with customers spread around the world.  GDPR has a wide-ranging impact on these companies, so it is important to understand its requirements.  In addition to what has been presented here, the Microsoft Office Modern Workplace episode on GDPR provides some excellent guidance.  Begin the process now to position your company to operate and thrive under GDPR. The deadline for companies to comply with this regulation is May 25, 2018.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Key security strategies for data breach prevention

If we have learned anything over the last few years about data breaches, it is that they are likely to happen.  However, data breach frequency can be reduced and its impact minimized with some key strategies.

Both response and prevention efforts are greatly impacted by organizational culture.  Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures.  Security is seen as important and vital to organizational success in positive security cultures while it is ignored or even discouraged in negative security cultures.

You can reinforce an existing security culture or bolster a lagging one with some of the same strategies.  The first strategy is to make the topic of security a common one.  Discuss risks in meetings and common decision-making situations.  Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk.  Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.

Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen.  It is also a crucial component of a security culture.  Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort.  Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks.  Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.

Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner.  An effective response can greatly minimize damages to both the organization and its customers.  Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.

Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization.  Responsibility for security lies not only in IT but in the entire organization, from senior management to the factory floor; remote office workers to branch office managers; and from interns to HR.  The CSO or CISO will also need a budget to perform these activities.

Choose your CSO or CISO wisely because they will be a driving force behind security initiatives.  They will need to be an effective communicator and leader with good vision and planning skills.  In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience.  Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.

Put the right strategies in place to bring about cultural change, increase awareness, and refine and communicate incident response plans.  Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

FashionLens – A virtual dressing room for Microsoft HoloLens

You probably remember Microsoft’s announcement for their augmented reality hardware called HoloLens which occurred around the announcement of Windows 10.  For those of you who did not see their popular promotional video, look below.

Microsoft has requested ideas for uses of their HoloLens hardware so I submitted an idea called FashionLens which I am also posting here on my blog.

Try on clothing virtually!

There would be two modes to this functionality. First, the program needs to get detailed body measurements; then you could choose products from participating stores, try them on yourself with HoloLens, and see the result from your own point of view.

The second mode I would call “mirror mode”. Here, the user would choose to create a mannequin or avatar of themselves and the clothes would be placed on the personal avatar. The user could walk around the avatar and look at it from different angles, or command the avatar to sit down or position it in different poses by moving it around with their hands.

There are a number of features that would be common to both modes. Users would be able to adjust how the garment hangs on themselves, tuck shirts or blouses in, wear pants at their preferred level on their hips, or leave buttons undone. Users would also be able to try items out with those from their own wardrobe. Speaking of the wardrobe, users would be able to scan the barcode on their own clothing or search through a database to add clothing to their wardrobe so that they can mix and match new items with those they already own.

Users would also be able to take pictures of themselves in the virtual clothing that could then be submitted to participating stores to be potentially included with product information or they could easily share the pictures on social media to receive feedback from others before making a purchase.

So what do you think?  Check out other ideas at Microsoft’s HoloLens site or vote for this idea here:

https://microsoftstudios.com/hololens/shareyouridea/idea/fashionlens-a-virtual-dressing-room/


Become a Windows 10 Power User with Keyboard Shortcuts

Shortcuts, as the name implies, are key combinations that you can press with your keyboard to perform semi-complex actions.  These shortcuts can save you many clicks and a lot of time.  Windows 10 utilizes many of the shortcuts that were present in previous operating systems such as Ctrl + C to copy, Windows Key + M to minimize all windows, Alt + Tab to toggle between open windows, Windows Key + L to lock the screen, and Ctrl + A to select all.  Here are some of the new shortcuts you might want to learn to be a Windows 10 power user.

Windows Key + A: Launch the Action Center (system and application notifications)
Windows Key + C: Issue voice commands to Cortana (similar to Siri on iOS)
Windows Key + I: Launch Settings
Windows Key + S: Search using Cortana
Windows Key + Tab: Open Task View
Windows Key + Left: Align the current application border with the left side of the screen
Windows Key + Right: Align the current application border with the right side of the screen
Windows Key + Up: Align the current application border with the top of the screen
Windows Key + Down: Align the current application border with the bottom of the screen

What you need to know about Windows 10 Security and Privacy

Microsoft officially launched its successor to Windows 8.1, Windows 10, on July 29, 2015, and millions have already downloaded this free upgrade or utilized Microsoft’s queued digital delivery system. Windows 10 offers users many new features including a new browser and integrated Cortana search which essentially means that your operating system is integrated with the cloud. However, don’t let all these features and launch celebrations distract you from its security, which is somewhat in the fine print.

By default, Windows 10 collects information from your microphone, location, camera, handwriting, and searches. According to Microsoft’s privacy statement, this information is used to provide services. For example, Cortana uses location, speech, handwriting and searches to provide intelligent information to you. The information is also used to send product and service information, distribute security notices and display advertisements. Information is shared with Microsoft affiliates, subsidiaries and vendors. This is a common practice for many companies and Microsoft explicitly states that they do not collect information from email, chat, video calls, voice mails, and personal files for advertisement targeting. However, unlike the web, your operating system is resident on your machine, potentially collecting information even when you are not actively using the computer.

The good news is that the default tracking can be disabled by editing Windows 10 and the Edge browser privacy settings. Microphone, location, and camera settings can be managed by clicking start and then going to settings and finally privacy. This will open the privacy menu. Search privacy is managed by opening the Edge browser then going to advanced settings under settings. After viewing advanced settings, you will see a privacy section where you can turn off the Cortana search assistance called “Have Cortana Assist Me in Microsoft Edge.” You can also manage some settings online by opting out of ads based on browsing history and interests here.

As a side note, Windows 8 integrated Microsoft online accounts with local accounts, which allows Microsoft to combine data gathered from multiple computers linked to a Microsoft account with online activities. This is also present in Windows 10, but you still have the option to use a local account rather than a Microsoft account. Using a local account will disable some application downloads and synchronization features, but it will limit the data collected to that machine so that it is not integrated with usage on other platforms or the Microsoft online community. This also prevents someone who compromises your online account from remotely accessing your computer using that account, or vice versa.

Windows 10 includes a feature called Wi-Fi Sense. This feature allows your contacts to connect to your wireless network, and it has received a lot of negative press since its release. However, the initial concerns raised were premature or exaggerated. Wi-Fi Sense is not turned on for all your contacts automatically. Contacts are not granted access to your network unless access has been assigned, and this is only available after you make a wireless network available for sharing. This feature makes it easier to allow friends to connect to your network without providing the wireless password to them, and the feature can be disabled if and when it is not needed.

What about the good features?

Windows 10 also comes packed with new security features. It has Device Guard to protect against unsigned applications, support for biometric authentication through Windows Hello, new security features in Microsoft’s Edge browser and a suite of parental controls.

Device Guard blocks unsigned applications from running on the machine. This helps prevent malicious programs and infected program files from executing malicious code on your computer. For a program to run, the software company must sign the installer file with a key that only they have. Windows checks this key to verify that the file originated from the software company and not some other third party such as a hacker and allows the installation if the key is verified.
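As an added example (not code from the original post or from Microsoft), the following PowerShell script inventories the Authenticode signature status of the executables in a folder, which is the same signature check Device Guard enforces before it lets a binary run. The default value of $Path is an assumption; point it at whatever folder you want to audit.

```powershell
# Added example: report which PE files in a folder are signed, unsigned, or
# altered after signing. Device Guard policies cover EXEs, DLLs and drivers,
# so all three extensions are included.
param(
    [string]$Path = "$env:ProgramFiles"   # assumption: audit Program Files by default
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    # Get-AuthenticodeSignature verifies the embedded signature against the
    # signer's certificate and the file's current hash.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName

    [pscustomobject]@{
        Path   = $f.FullName
        # Status values: Valid, NotSigned, HashMismatch (file changed after it was
        # signed), NotTrusted (signer certificate not trusted), UnknownError
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

# Summary: how many files are in each signature state
$report | Group-Object -Property Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: anything a default-deny code integrity policy would refuse to run.
# HashMismatch entries deserve the closest look, since the file no longer
# matches what its publisher signed.
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table Status, Signer, Path -AutoSize
```

Run the script in an elevated PowerShell session if the folder contains files that standard users cannot read; unreadable files are skipped silently because of -ErrorAction SilentlyContinue.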

Second, Windows 10 now supports multiple ways to log into your computer, including face, eye, and fingerprint authentication through a feature called Windows Hello. The software is built into the operating system, and users just need to attach biometric devices that are supported by the Windows Biometric Framework to use the feature. Third-party support for biometric authentication has existed for quite some time, but Microsoft’s adoption allows enterprises to integrate biometrics into their identity management systems through native Microsoft technologies.

Microsoft’s built-in browser, Edge, helps prevent websites from tampering with your machine or stealing credentials through new security controls. Edge is equipped with an even better version of SmartScreen phishing detection that checks the reputation of sites you visit, while Passport encrypts saved passwords. The browser also supports the W3C Content Security Policy and HTTP Strict Transport Security standards. Furthermore, the browser is remarkably fast with all these controls under the hood.

Lastly, Windows levels the parental controls playing field with Mac OS and even adds a few new features through Family Features. These features allow parents to better control the programs their children run and the content they view online. Parental controls include time limits on logins, block or allow rules for applications and games, web filtering and activity logging.

In the end, I think Windows 10 is a good step forward in both features and security, but it can be enhanced by turning off a few features, especially if you are not using those features. Remember that Windows 10 is still new so there will most likely be many updates as these features are put under the strain of attacks and normal workloads.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

My thoughts on Xbox One

I watched the Xbox One launch video today on my Xbox 360 console dashboard.  It is impressive in some ways, but I am really disappointed that they are going to charge you if you buy a used game.  I only buy used games, so this made me quite upset.  Actually, I got so angry at Microsoft that I cancelled my Xbox Live subscription, so it will end in January and I will not renew it.  They will only be hurting themselves.  A minority but still significant portion of people who buy new games count on being able to sell them when they have finished playing the games.  They use the money they get from the sale to buy more games.  Those that buy the used games when they are still relatively new might still buy the game new if it was not available used, but many of the other used buyers like me would not buy the game new.  I get about $10 of fun out of the average game, so I will not pay more than that for it.  Some games like Civilization, Dragon Age, Sacred or Kingdom Under Fire were worth a lot more to me, but then there were games that I bought and then only played once or twice.  Maybe they will realize the economics of the situation when they finally start selling the system and as games age.  Maybe that will cause them to reverse their policy, but that will take a while.

The media components of the Xbox are cool, but many of the new TVs or Blu-ray players have social networking, video on demand, chat and audio streaming built right into them, and those who do not have that can get a Roku or an Apple TV.  I would rather get an Apple TV for $100 than pay several hundred for an Xbox One.

I didn’t see anything on it but is it going to output in 4k resolution?  I am looking forward to the 4k technology.  If I was designing a game system I would make sure it had 4k video and 7.1 surround sound and make it very social for gamers. Make it easy to take pictures and videos of games and to post those to social networks.  Let gamers update their social networks with gamer stats and live updates from games and create parental controls to keep kids safe.


June 19, 2013 update: Microsoft backs down on DRM.  http://www.cnn.com/2013/06/19/tech/gaming-gadgets/xbox-drm/index.html