Recently, I returned from the European PCI DSS community conference in Barcelona. As always, the conference featured analysis of current hot topics within the PCI community and was helpful for any security professional looking to learn about the latest advancements in data security and protection.
The dominant theme during the event this year was how businesses can prepare for the upcoming European GDPR (General Data Protection Regulation). Every presentation and discussion made some mention of how to deal with the impending data privacy law coming into effect in May 2018.
The tie-in between the PCI DSS and data privacy laws such as the GDPR may be obvious to some; the fact that both have data security at their center is a good indication. At Carbon Black, we have long advocated using the PCI DSS as a baseline framework to add clarity to the security and protection of endpoints, and as a guide to implementing security policy within the enterprise.
(You can read more on why Carbon Black prioritizes alignment with the PCI standard in my follow-up blog, where we answer common questions we get from the security and regulatory marketplace on the value of being an active part of the PCI community.)
As for the European community meeting, Carbon Black was pleased to be an integral part of the mission and the community in helping secure the enterprise. We discussed our techniques and solutions with attendees, focusing on how they can achieve quick wins on their journey to a robust data security and protection policy, one that will bring further clarity as they tackle the GDPR requirements.
On that note, here is a high-level summary of our positioning and our theme at the community meeting. Carbon Black uses the PCI DSS to get a reading on an enterprise's data security posture, and we consider it good practice for those who need quick implementation measures to accelerate their path to meeting the compulsory requirements of the GDPR, which carry heavy consequences.
We harness security data within our solutions to capitalize on some core principles shared by the objectives of the PCI DSS and the GDPR:
Data protection by design and by default: Under Article 25 of the GDPR, data controllers must implement technical and organizational measures to minimize data use and define, up front, default data security principles that protect data subjects. This is much like the procedural policies within the PCI DSS around minimizing the value and scope of critical card data on the front end through various default, pre-designed security requirements. Carbon Black can help with the alignment and definition of a security policy that controls and prioritizes events relating to critical data, identifies the processes that should and should not change that data, and helps control the protection of that data.
The definition of "critical data": store, transmit, and process. The PCI DSS has always been very clear on the definition of in-scope data: if you store, transmit, or process cardholder data, you are in scope for PCI and must adhere to the requirements. The GDPR is the same, except that credit card data is replaced by the broader definition of PII as defined by the GDPR. Using this similarity, Carbon Black employs its proactive monitoring capabilities, such as streaming prevention, to help prioritize the data and security events most closely related to the processes interacting with the defined core critical data. By quickly identifying potential access to critical data, Carbon Black can automate the identification of potential unauthorized data exfiltration.
Define the BAUs: prioritizing your critical security events and filtering out the noise. Just as the PCI DSS advised some time ago that companies should adopt a business-as-usual (BAU) approach as part of their overall security strategy, to ensure security controls are properly implemented, the GDPR requires you to understand and justify, in a risk-based way, how PII is used by your business. Carbon Black encourages a security policy in which your defined BAUs complement your security posture, helping to filter out the noise associated with daily security event information and ensuring that the root cause of any attempted data exploit is always brought to the forefront.
Looking to Learn More?
Hear more about Carbon Black's support of the PCI DSS and how we help businesses close the security control gap to achieve continuous compliance by registering for our webcast on Nov 15.