IAPP CIPT – GDPR for Cloud Service Providers (CSPs) Part 4

January 20, 2023

14. Software and CSPs to consider – part 2

Hi guys. In this lesson, we’ll discuss three other cloud vendors: Commvault, Druva and Google Cloud. Let’s start with Commvault. Commvault uses its archiving and data protection tools to provide GDPR compliance, backup, data management, storage and security capabilities. Commvault delivers a unified platform for backup and archiving, which allows customers to leverage a range of data management, security and analytics tools. This flexibility and ease of access under one platform will appeal to customers looking to address the full range of security and compliance needs required by the GDPR.

Commvault works with customers to simplify and automate GDPR compliance by ensuring that their data is appropriately classified and understood at the point of collection or ingestion, and then routed to backup and archive repositories. Commvault’s platform accomplishes this task with native indexing and entity extraction capabilities, which can automatically identify sensitive personal information and make sure it is backed up and archived with the right security models and compliance policies in place.

Commvault also offers built-in quarantine and data deletion tools, federated search, eDiscovery, chain of custody and audit capabilities within its platform. Commvault’s strategy to focus on the identification and classification of data should appeal to customers dealing with both structured and unstructured volumes of data dispersed across multiple sources.

Analytics capabilities like Data Cube will also help save customers time and money as they work to establish efficient and automated data governance processes. We believe there are two areas where Commvault will look to improve its portfolio for GDPR-related customers over the short term. First, Commvault must continue to simplify the licensing of its platform to allow customers to easily switch on and off the tools that they need. Customers are reevaluating their infrastructure, data protection and archiving portfolios in the scope of GDPR, creating opportunity for solution modernization and competitive displacement.

Allowing customers to easily add to their existing platform without the need for additional software licenses will be a key differentiator. Secondly, Commvault will look to improve the breadth of its data classification, detection and text analytics capabilities. Many compliance use cases require proactive detection and management of sensitive information. In the case of GDPR, this becomes a significant challenge, especially when considering the sheer volume of personally identifiable information passing through organizations and the range of classification policies which need to be applied. To help customers address this challenge, Commvault is improving its internal data classification capabilities and also working with an ecosystem of specialist partners that can provide added layers of analytics and intelligence. These types of advanced capabilities will remain high on Commvault’s development roadmap as regulatory requirements like GDPR become increasingly complex and demanding in the future.

Second, we’ll talk about Druva.

Druva provides data protection and information management solutions for enterprise IT systems across endpoints, servers and cloud applications. Like many of the other vendors covered in this lesson and the following lessons regarding GDPR, Druva takes on both the role of the data processor and the data controller. As such, the company must attest to Articles 25 and 32. Druva has numerous third-party validations to validate security and privacy compliance at both the application and the infrastructure layer. In addition, Druva works with AWS and Microsoft Azure, which also provide GDPR attestation for their infrastructure services. Finally, Druva’s products were designed and built with security and privacy in mind. Druva secures data on devices and in the cloud with 256-bit AES enforceable encryption and secures data in transit with TLS 1.2 encryption. Its solutions also provide controls around user authentication and access.

Because the GDPR has the potential to negatively impact any organization considered a processor or controller, with little tactical guidance as to how those organizations should go about complying with the new regulation, it is left to the enterprise to prove security and compliance to regulators. Thus, reporting and auditing capabilities are imperative. Druva is enabling organizations to do just this with tamper-proof audit logs that can be fed into any event management solution to show records of data processing when required. These features address Article 30 for records of processing. Druva’s inSync product offers defensible deletion, enabling an efficient process for data deletion as well as, let’s call it, an auditable trail of proof of erasure.

This is how they provide compliance with Article 17, the right to erasure. The solution allows a user to search for a file or keyword within a data set to retrieve all the data associated with all those data instances, regardless of where they reside. This level of visibility is extremely useful in proactively managing and protecting the enterprise data attack surface. Existing customers are leveraging this tool to perform privacy impact assessments, to create data threat profiles, and to map out their corporate data landscape. Overall, Druva is a technology solution that enables GDPR compliance for organizations to help them in securing their personal information and provides greater visibility into protecting their corporate data.

Let’s talk about Google Cloud. Google has been extremely vocal regarding its approach and strategy for GDPR compliance. As a leading cloud services provider, Google Cloud must adhere to GDPR regulations according to its role as a data processor. However, Google has also focused on educating customers on their responsibilities, many of whom are considered data controllers under GDPR.

While setting clear lines of responsibility and ownership will help Google and its customers ensure compliance and mitigate security breaches, Google has publicly stated that all its enterprise cloud and data services across G Suite and the Google Cloud Platform, or GCP, are GDPR compliant. Google plans to update its processing terms for Google Cloud Platform and also for G Suite in relation to GDPR. For example, they currently provide contractual obligations around incident notification for G Suite and GCP. These obligations are updated to align with the breach and notification policies of GDPR. Where Google hopes to establish a more strategic long-term relationship with its customers is around data security, specifically the governance and management of personally identifiable information. Google sees data security as a shared responsibility under GDPR, a goal on which both the cloud provider, the data processor, and the customer, the data controller, must collaborate and continuously improve. Google focuses equally on preparing its own services for compliance and educating customers on the areas where they must ensure compliance to meet this goal.

The shared responsibility approach to GDPR makes Google a valuable partner to any customer looking to adopt cloud services that are designed to meet specific security, governance and compliance needs. G Suite and GCP customers can be sure that the GDPR-related investments Google is making in its own services will add value and reduce development time for their own security, storage and compliance initiatives. From a product perspective, most of the capabilities that Google delivers to help customers comply with GDPR can be found within the vendor’s identity and security services. Solutions include Cloud Identity and Access Management, data loss prevention, two-step verification and security key enforcement, encryption or Cloud Key Management Service, information rights management, mobile device management, Stackdriver Logging and Monitoring, or Cloud Security Scanner. Depending on the complexity of the environment and their compliance needs, customers can also use services like Google Vault to apply more advanced policies for data recovery, litigation, long term retention, deletion, and also.

15. Software and CSPs to consider – part 3

Hi guys. Let’s follow up in this lesson with three more vendors: HPE, IBM and Microsoft. First, HP Enterprise. Well, HP Enterprise leverages its software, services and years of experience in the security, information management and information governance market to help customers address their GDPR challenges. HPE sees GDPR implementations as an opportunity to engage with customers around infrastructure and software modernization and help customers evaluate how to get the most out of their data in a secure, cost-effective manner. HPE leverages its size and breadth as core differentiators when it comes to GDPR, bundling its security, data protection, data management and compliance capabilities into a single solution set that maps directly to customer GDPR requirements. As a provider of infrastructure, software and even professional services, HPE can approach GDPR with a holistic solution tailored to customers across a broad range of industries. Visibility into both hardware and software environments, let’s say, helps HPE assess a customer’s structured and unstructured data.

They are able to classify the data and then apply a range of policies using its own software IP to move, delete, encrypt or quarantine data. From a product perspective, ControlPoint, Structured Data Manager, Content Manager, Digital Safe, Policy Center, and SecureData are the core solutions leveraged to help customers assess, apply and secure GDPR policy. In an effort to facilitate GDPR engagements and also conversations with customers, HPE has also released a GDPR Starter Kit and the Readiness Assessment Tool, which customers can use to better understand how GDPR regulations will impact their individual business and determine the best course of action to ensure compliance. HPE also partners with professional services providers like PwC (PricewaterhouseCoopers) or Arsenal to help guide customers to the right solution set and facilitate any custom implementation work.

Let’s talk about IBM. IBM brings its storage, infrastructure and professional services and also cloud services together to provide a comprehensive GDPR solutions portfolio.

More specifically, IBM relies on a combination of its Spectrum software suite and System Storage product portfolio to assemble the necessary storage and infrastructure capabilities which would provide encryption, copy data management, archive, backup and duration. The customers need to adhere to these GDPR regulations using these products from IBM. They made significant investments in the Spectrum suite over the past, let’s say, three to four years, including IBM Cloud Object Storage, an enhancement to Spectrum products that will help clients become more effective in the identification, classification and management of GDPR-related data across on-premises and cloud storage environments. To help customers comply with data encryption requirements, IBM flash, disk and tape products support encryption, and Spectrum Virtualize can be used to provide encryption for other Fibre Channel or iSCSI block storage. Spectrum Scale and Spectrum Protect also have native deduplication and encryption capabilities. For data placement, IBM provides Spectrum Control for block environments and Spectrum Scale’s policy engine to automate and audit this process in file environments.

Spectrum Protect and Spectrum Copy Data Management can help users manage and automate the placement of backup data and copy data. Spectrum Protect also provides the long term retention and archiving tools necessary for customers. Finally, IBM leverages the resiliency, high availability and disaster recovery tools with Spectrum Protect to provide customers with the appropriate data protection and retention capabilities. IBM’s greatest strength when it comes to GDPR is the solutioning and the vendor’s existing presence in large infrastructure and database environments. Many customers will approach GDPR as an infrastructure and database modernization opportunity.

This gives IBM the ability to educate and work with its existing install base, first and foremost preparing them for GDPR compliance with new tools and capabilities within its Spectrum suite. IBM also provides professional services that can plan, deploy or operate a GDPR-ready infrastructure and can even host compliant computing services on the IBM Bluemix cloud. IBM’s greatest challenge will be helping customers expand beyond the IBM ecosystem. Personally identifiable information can be scattered across a wide range of applications and databases situated either on premises or in the cloud. While IBM is adept at helping customers in managing their data within their own ecosystem, extending functionality to third-party environments may lead to some reduced functionality and increased complexity. IBM is aware of this challenge and has focused on expanding the integration capabilities of Spectrum Protect, in particular adding support for, for example, Amazon S3, and expanding its SAP and VMware management capabilities.

Well, a final differentiator for IBM is its ability to integrate analytics capabilities, particularly Watson, with a range of archiving, backup, data management and infrastructure solutions. As data volumes and complexity continue to grow, I believe that prescriptive and predictive analytics will play a crucial role in helping to reduce complexity, maintain compliance, and mitigate significant fines like those possible under GDPR. As a result, I expect IBM to prioritize the integration of more analytics and Watson-based capabilities within its data protection and management portfolio.

Let’s discuss Microsoft. Microsoft takes a platform approach to GDPR, deploying on-premises and cloud capabilities across its wide range of portfolios to aid customers with their regulatory requirements. Microsoft has outlined a four-step strategy for GDPR compliance designed to help customers discover, manage, protect personal data, and provide continuous reporting and assessment over the long term.

From a granular product perspective, Microsoft offers a combination of solutions, including, but not limited to, Office 365 IRM (the rights management part of Office 365), Data Loss Prevention and Advanced eDiscovery (again in Office 365), Azure Information Protection, Azure Security Center, and the full Office 365 Security and Compliance Center. These products help customers meet their GDPR compliance obligations. Although this may seem like a wide range of products and services, customers can be confident that the solutions Microsoft offers, combined with the vendor’s role and obligations as a data processor, will meet all GDPR standards.

This promise is backed up by contractual commitments from Microsoft. However, some Microsoft customers will struggle to apply new data discovery and management tools to their existing storage repositories and applications, across which personal data may be scattered. Microsoft looks to mitigate this challenge by clearly defining the tools and capabilities across its portfolio which can help customers prepare for GDPR. The vendor has also published an in-depth white paper that maps relevant products to each of its four GDPR compliance pillars. However, solution mapping is just one step in the process. The next challenge Microsoft seeks to help customers overcome is data management and visibility into increasingly complex environments, which distribute personal data across clouds, databases, applications and devices. To help customers develop complex data discovery and management tasks required by GDPR, Microsoft is making significant changes to its Office 365 Security and Compliance Center, which will allow the platform to act as a central hub for all GDPR-related management and reporting tasks. Also, Azure Information Protection is a top product for classification, labeling and protection of data no matter where it goes, including on personal email addresses like Gmail or Yahoo.

16. Software and CSPs to consider – part 4

Hi, guys. Let’s end the series with the last two vendors. First, Mimecast. Mimecast is an email security, continuity and archiving software-as-a-service provider and serves as a key piece of the GDPR puzzle. Email remains a major data and information repository which may potentially contain a wide range of personally identifiable information across multiple devices and even across multiple locations. Mimecast has designed its email security and archiving services to ensure this data remains secure and compliant and can be easily located and even eliminated upon request. Mimecast primarily uses its Targeted Threat Protection, data leak prevention and Cloud Archiving services portfolio to help customers secure and manage their email while supporting GDPR compliance initiatives to minimize data leakage and compromise.

Mimecast services inspect all inbound, outbound and internal emails for threats, as well as offer a secure messaging service to analyze and encrypt emails and messages. Users also have the ability to set more granular security policies for messages that contain specific types of sensitive data. Mimecast can provide automated data leak notifications to help customers respond to security alerts or breaches in a timely manner and report them as necessary. Mimecast’s built-in search capabilities, Case Review and the eDiscovery service can be utilized to identify, aggregate and transport data to the necessary customers or service providers to support GDPR subject access requests, the right to be forgotten and erasure requests. Finally, Mimecast’s indexing, retention management and audit log tools allow emails to be securely retrieved and erased upon request. It is important to note that under GDPR law, Mimecast is considered a data processor.

This means Mimecast will be held to the same standards as its customers, and therefore Mimecast services are designed with GDPR compliance in mind. Ultimately, Mimecast’s position as a data processor eases the burden of compliance for customers, making Mimecast a valuable partner.

Secondly, we’ll discuss Veritas. Well, Veritas’s approach to GDPR compliance focuses on two key and really important areas. First is data analysis and second is compliance enforcement.

Well, data analysis involves helping businesses identify what data they have and where it falls in the spectrum of GDPR requirements. Compliance enforcement, or compliance in general, includes the application of policies, automated rules, and management procedures which ensure that an organization remains compliant as customer and employee data moves between devices, repositories and geographic locations. By focusing on these two key areas, Veritas helps customers develop better visibility into, and management of, their GDPR-related data and PII. Veritas Data Insight, Enterprise Vault, Enterprise Vault.cloud and eDiscovery Platform, along with Information Map, are the core products used to help customers meet their GDPR requirements.

I believe Veritas’s GDPR portfolio is strongest in the data assessment area. The vendor’s solutions help customers answer the where, who, and what of all their data and identify which data is important and which is redundant, obsolete, or trivial. Establishing an effective data assessment and identification program allows customers to pinpoint what data is personally identifiable and critical to control for GDPR compliance needs, and what data can be stored or archived under less stringent policies. Well, Veritas has further expanded its data assessment capabilities with a set of consulting and professional services. This offers practically a tailored approach to GDPR. Veritas currently offers GDPR workshops designed to help customers establish roles and responsibilities and receive basic education around GDPR. A GDPR assessment will help practically the customer in analyzing data in their environment and identify the gaps and recommendations around compliance. Last, Veritas customers can use the vendor’s Solution Delivery Service, which focuses on implementation and operationalization of GDPR-related compliance and security changes.

Veritas deploys many of these services in conjunction with partners like Capgemini, CSC and Wipro. To improve its compliance enforcement portfolio, Veritas is focusing investment in the data classification capabilities they released in Data Insight 6.0, its advanced analytics tools, and its ability to operate alongside, let’s say, a range of cloud service providers. Veritas plans to implement more advanced search capabilities, more granular policy controls, and more automation tools so that PII data can be identified, quarantined and stored in a GDPR-compliant manner with minimal user intervention. Planned enhancements to Veritas Information Map, Data Insight and Enterprise Vault products will be critical to achieving this goal. Finally, Veritas is closely partnering with leading cloud service providers like Microsoft to help customers retain data visibility across different storage environments, either Azure or on premises, and ensure security and compliance policies intelligently adapt to the type of environment that data is being stored in or accessed from.
