The GDPR is no joke, with hefty fines of up to 4% of worldwide revenue—not just EU profits—for companies that fail to comply. That has a lot of companies scared and has created a massive number of so-called experts ready to protect information.
As I scan the approaches, I see ways to map data flow, encrypt data, detect breaches, build firewalls—all the usual suspects. And these are all great things.
We are experienced with them and they work—mostly.
I have seen companies update or create a network diagram as the first step to understand their problems. But I have yet to see a company pull out its network diagram to solve a problem.
The problem is we get in a hurry. Changes get rolled in without updating the architecture diagram or changes get applied to the wrong version. Over time, the firewalls, virtual machines, and even network topologies morph away from the plan. A good network engineer who’s been with the company for a while can often compensate for discrepancies, but a little turnover and it’s time to start over.
Even with all these tools, we still suffer breaches. We have firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). If firewalls were perfect, we wouldn’t need IDS and IPS. Likewise, if our IPS were perfect, firewall vendors would be out of business. All these tools are great at keeping people out…until attackers find a way around them (phishing, drive-by downloads, vulnerable endpoints). We already use these systems to protect our extremely critical PCI, HIPAA, PHI, and SOC2 data, yet leaks still occur.
Is the answer more features on existing tools, or are we hitting a point of diminishing returns? Each additional capability adds more to system costs while providing less and less incremental protection. Deeper analysis takes more processing power, so continuous upgrading means throwing away very expensive tools (or at least moving them to less critical and less trafficked zones). And with the potentially catastrophic “gravest infringement” penalty of the GDPR, it’s a great time to reconsider our approach.
What if, instead of replacing those systems, we provided a complementary tool that attacked the problem in a different way? Think about it: we already do this in our homes. Instead of replacing a door because the lock is insufficient, we add a deadbolt. Then we add a security system that detects if the doors or windows are opened, and we deploy sensors that detect movement.
HOPZERO provides a new approach to data security. I hope my colleagues at RSA will drop by to see how we keep data in the data center while they help keep intruders out. Working together, we can help keep our customers’ critical information safe. That works for every type of sensitive data, all over the world, not just the EU’s GDPR-covered treasures.