GDPR Data Discovery On Tap from Raz-Lee
April 18, 2018 Alex Woodie
With less than six weeks to go before the General Data Protection Regulation (GDPR) goes into effect, it’s crunch time for remediation. For IBM i shops that aren’t sure where sensitive data resides in their databases, a power tool from Raz-Lee Security can provide some automated relief.
The GDPR represents a dramatic overhaul of the privacy laws governing what companies can do with data about European citizens. Backed by the central European Union government, the GDPR provides sweeping new rules that require any organization storing data about EU citizens to obtain consent for that data, to ensure that it’s protected, and to delete the data upon citizen requests (i.e. “the right to be forgotten”) among other things.
While the law nominally impacts only those dealing with EU citizens, the fact that EU citizens represent more than 10 percent of the Earth’s population means that the GDPR is the first global law providing guidance on storing data used for general purposes (as opposed to healthcare data, which is governed by HIPAA, and credit card data, which is covered by PCI DSS). Nearly every big American company will be impacted by the GDPR, and a large number of smaller firms across various industries will also have European clients and, thus, need to comply with the GDPR or risk fines of up to 4 percent of annual sales per incident.
In the IBM i space, organizations are now under the gun to explore some far-flung reaches of their database to ensure there’s no GDPR-governed data in it – or, if there is, to make sure that it’s properly protected (through encryption) and that the European citizens to whom it belongs have provided the proper consent. If you haven’t started on your GDPR remediation program, chances are slim that you’ll finish in time, but starting now would show the beginnings of a good faith effort to comply.
IBM i security software provider Raz-Lee Security this week rolled out a product called Data Discovery for GDPR & PCI that can help with GDPR remediation. The Windows-based product is designed to simplify and accelerate just one aspect of GDPR and PCI compliance: identifying the culprit data.
Finding the data isn’t easy because many IBM i shops have been collecting data for years, says Raz-Lee Security Marketing Manager Anjel Sadiky. “This can be a real challenge because database environments can be very dynamic and organizations lack the capability to see if they have sensitive data,” she says.
It may be relatively easy to find names, birthdates, phone numbers, and email addresses, but article 4 of the GDPR states that any data that identifies a European citizen – including descriptors of physical, genomic, mental, cultural, or social indicators – falls under the scope of GDPR.
“Each business is unique in terms of what kind of information they have,” Sadiky tells IT Jungle. “I think a lot of businesses up until now didn’t have to take full responsibility for what kind of information they gathered. The more the better. And now, they actually need to start taking account for what kind of information they have, what they need to protect, because for each business, their method of dealing with it will be a little different.”
In addition to potentially storing rare or unusual types of data, IBM i shops may be challenged by the location where they store data. Ideally, the Db2 for i schema is well documented, or at least the administrator in charge has a firm grasp of the data his company is collecting. Of course, reality has a bad habit of throwing curveballs at the most well-prepared, and bits of data can show up in the darndest places.
“Maybe you don’t have people’s birthdates, or you don’t think you do,” Sadiky says. “Maybe at some point you did and it’s in a different library or it’s stored in some place that hasn’t been used for years, so you don’t know about it. You need to be able to locate all that information in order to make the proper decision and become compliant properly.”
The new Data Discovery tool helps with GDPR remediation by scouring the Db2 for i database for particular types of data. The user tells Data Discovery what kinds of values to look for in database fields, and the tool goes off and finds all instances where the fields match the value.
The Windows-based product works in a wizard-like fashion and returns results in a table format. In addition to telling the user where particular pieces of data are located, it tells them whether the data is encrypted or not. (The GDPR does not require sensitive data to be encrypted, but it does require data to be protected, and encryption is viewed as a good method of protection.)
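The two paragraphs above describe the general shape of a data-discovery scan: walk every table and column, test the stored values against descriptions of the data categories you care about, and report where matches cluster together with whether the column holds readable plaintext. The script below is an added example of that approach and is not Raz-Lee's Data Discovery code or its logic; it uses an in-memory SQLite database as a stand-in for Db2 for i, the detectors, the "looks encrypted" heuristic, the column-name hints and all sample rows are constructed for the example, and the `build_sample_db`, `discover` and `classify_column` names are the example's own.

```python
"""Column-level sensitive-data discovery over a relational database.

Added example, not Raz-Lee's Data Discovery code. It uses an in-memory
SQLite database as a stand-in for Db2 for i, samples each column,
classifies the values with a few constructed detectors, and reports per
column the match ratio plus a hypothetical "looks encrypted" heuristic.
"""
import math
import re
import sqlite3
from collections import Counter
from typing import Callable, Dict, List, NamedTuple

BIRTHDATE_RX = re.compile(r"(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])")
EMAIL_RX = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
PHONE_CHARS_RX = re.compile(r"\+?[\d\s().-]+")


def is_phone(value: str) -> bool:
    """10-15 digits in total, using only digits, spaces, +, parentheses, dots and dashes.
    Counting digits keeps ISO dates such as 1970-03-14 (8 digits) from matching."""
    digits = re.sub(r"\D", "", value)
    return 10 <= len(digits) <= 15 and PHONE_CHARS_RX.fullmatch(value) is not None


# Constructed detectors, checked in this order. Article 4 covers far more
# than these three categories, so a real scan extends this table.
DETECTORS: Dict[str, Callable[[str], bool]] = {
    "birthdate": lambda v: BIRTHDATE_RX.fullmatch(v) is not None,
    "email": lambda v: EMAIL_RX.fullmatch(v) is not None,
    "phone": is_phone,
}

# Constructed column-name hints, used only when the values are unreadable.
NAME_HINTS = {"dob": "birthdate", "birth": "birthdate", "mail": "email",
              "phone": "phone", "natid": "national-id"}


class Finding(NamedTuple):
    table: str
    column: str
    category: str
    ratio: float      # fraction of sampled non-null values that matched
    encrypted: bool   # hypothetical heuristic, not a cryptographic check


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte frequencies."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_encrypted(value) -> bool:
    """Ciphertext stored raw shows up as bytes with non-printable content or,
    for long blobs, near-uniform byte frequencies; plaintext PII does not."""
    if not isinstance(value, bytes) or not value:
        return False
    return any(b < 32 or b > 126 for b in value) or shannon_entropy(value) > 5.5


def classify_column(name: str, values: list, min_ratio: float):
    """Return (category, ratio, encrypted) for one column's sampled values, or None."""
    enc_ratio = sum(looks_encrypted(v) for v in values) / len(values)
    if enc_ratio >= min_ratio:
        # Values cannot be pattern-matched; fall back to what the column name suggests.
        hint = next((cat for key, cat in NAME_HINTS.items() if key in name.lower()),
                    "unclassified")
        return hint, enc_ratio, True
    text = [str(v).strip() for v in values if not isinstance(v, bytes)]
    for category, detector in DETECTORS.items():
        ratio = sum(1 for v in text if detector(v)) / len(values)
        if ratio >= min_ratio:
            return category, ratio, False
    return None


def discover(conn: sqlite3.Connection, sample_rows: int = 1000,
             min_ratio: float = 0.5) -> List[Finding]:
    """Walk every table and column, sample non-null values, and collect findings."""
    findings: List[Finding] = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample_rows,))
            values = [r[0] for r in rows]
            if not values:
                continue
            result = classify_column(col, values, min_ratio)
            if result:
                findings.append(Finding(table, col, *result))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a live customer table plus a forgotten archive
    with plaintext birthdates and phones and one column of opaque bytes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, notes TEXT);
        CREATE TABLE old_archive_1998 (cust_no INTEGER, dob TEXT, phone TEXT, natid_enc BLOB);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "Ada Example", "ada@example.com", "prefers email"),
        (2, "Bo Sample", "bo@example.org", "call after 5"),
        (3, "Cy Test", "cy.test@example.net", None),
    ])
    conn.executemany("INSERT INTO old_archive_1998 VALUES (?,?,?,?)", [
        (1, "1970-03-14", "+44 20 7946 0958", bytes.fromhex("8f1a00c3e7b29d44a01f")),
        (2, "1985-11-30", "(212) 555-0143", bytes.fromhex("0bd4ff7e0192ac33e6b8")),
    ])
    return conn


if __name__ == "__main__":
    for f in discover(build_sample_db()):
        print(f"{f.table:<18}{f.column:<12}{f.category:<14}{f.ratio:>6.0%}  encrypted={f.encrypted}")
```

Two design points carry over to any real scan. Matching is done per column on a sample and reported as a ratio rather than per cell, because a column that is 95 percent birthdates is the remediation unit an administrator acts on, while a single stray match in free-text notes is noise to review separately. And the encryption flag is only a plausibility heuristic on the stored bytes; it cannot distinguish proper ciphertext from a compressed or binary-packed field, so a column flagged this way still needs to be checked against the application's actual key management.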
Data Discovery is part of a new suite of products under the Raz-Lee iSecurity brand that will soon be announced. Dubbed Security Investigator Suite, the suite will include two additional products, Authority Inspector and Assessment, besides Data Discovery. The Authority Inspector product will provide insight on excessive user authority, while Assessment identifies the security risks to IBM i systems. “Together,” Raz-Lee says, “they deliver a comprehensive view of the vulnerabilities within an organization.”