On Pervasive Encryption and GDPR

 

How much of your personal data is encrypted? Is your hard drive encrypted? Do you know? Only if you caught WannaCry, am I right?

How about your corporate data? Is that encrypted? Do you know? How would you go about finding out?

Should you care?

We spend so much time on the Internet these days that we seem to assume wire encryption is all that we need. We’ll just encrypt the connections and everything will be fine. Hey look dad – HTTPS – we’re all good!

But enterprises in mature industries have this annoying thing called “regulation”, which means you have to worry about “audits” and “controls”. Sometimes regulations even affect startups – no really, it’s true.

On 25th May 2018 a doozy comes into effect – GDPR, which will cover any organisation handling personal data of EU citizens, regardless of where the company is located. Organisations are going to have a legal responsibility to do some annoying and expensive things, like inform customers there has been a breach of customer information within 72 hours. They will need to maintain “state of the art” controls. They will need to be able to provide an electronic record of the data they hold on a citizen. GDPR also enshrines the right to be forgotten – with data erasure if someone wants you to delete a record about them. It’s going to be Silicon Valley’s favourite.

But enterprises are generally more used to this kind of stuff. GDPR is going to be the biggest market for IT controls since Sarbanes-Oxley came in. It’s hard to say whether it will be any more effective, but that’s not the point. The EU is making a market.

So why bother? The most serious violations could apparently result in fines of up to €20 million or 4 per cent of turnover (whichever is greater). Note: WHICHEVER IS GREATER!

Obviously one way to avoid damaging breaches is to encrypt everything. With that in mind, today IBM announced “Pervasive Encryption” as part of its Z14 mainframe launch. Mainframes uh, right? I think I can hear your eyes rolling. But mainframes are still the most solid platform for data management, and they happen to be a place where most Fortune 500 companies keep a significant amount of transaction data – that is, customer information. IBM is telling mainframe customers they can take significant strides to being more secure with an upgrade. It has significantly upgraded its cryptographic processors, and worked out pricing models to make overheads not punitive.

Some companies might look at GDPR and think “I know, let’s use GDPR as an excuse to replatform all our data somewhere else instead”. Except that would obviously be insane.

So IBM has a pretty solid sales pitch for its new boxes, when it comes to circling the wagons. Will organisations decide to move data back onto the mainframe, to manage it more effectively under GDPR though? Less likely but not an impossible scenario.

Centralisation is definitely one approach that can make data management easier. IBM coined another neat phrase to talk about the regs – “data is the perimeter”.

As I pointed out the other day, Google expects GDPR to accelerate corporate adoption of the cloud – centralisation again. All the cloud providers see GDPR as an opportunity. Oracle is going to be in there. Compliance is always a great sales tool for technology. Microsoft is making a play too.

What else did IBM talk about at the Z14 launch? It also announced some machine learning stuff (without the usual Watson hooplah). It said it could run open workloads faster than x86 (less relevant in the age of the cloud). I was expecting a blockchain onslaught, but actually there wasn’t so much of that. So a clear message.

 

 

disclaimer: Google, IBM, Oracle and Microsoft are all clients.

(Read this and other great posts @ RedMonk)

James, aka @Monkchips is co-founder of RedMonk, the open source analyst firm, which specialises in developer advocacy and analytics.