BlackBerry Blog

Zero Trust Security Makes GDPR Compliance Easier

FEATURE / 09.12.19 / Sam Bocetta

In light of a never-ending tsunami of data breaches and leaks, consumers, businesses, and developers are taking a second look at how data is collected, used, stored, and secured.

They're not the only ones.

Governments are taking matters into their own hands by placing the tech community under tighter scrutiny and passing regulations meant to protect citizens' right to privacy and control over their information.

Since the passage of the General Data Protection Regulation (GDPR), there's been a lot of talk about the EU's new data retention requirements, including controversy about the huge fines for non-compliance.

Although the GDPR was constructed and deployed to protect European citizens, its reach extends globally due to the borderless nature of the Internet. That means developers from America to Australia should be (and are, according to this survey) concerned about incorporating security into the design process in a way that ultimately supports privacy protection after an app or web platform is deployed.

Privacy, Security, and Web Development

It's difficult to guard privacy without also strengthening security, which is leading developers and website administrators to redefine how they approach both. One of the tenets of the GDPR is the concept of privacy by design, which is spelled out in Article 25 of the regulation:

“... data protection by design; data controllers must put technical and organizational measures such as pseudonymization in place — to minimize personal data processing.”

Building compliant systems means that new functionality needs to be added to deliver data pseudonymization, encryption, and other privacy-enhancing measures.

The Internet is Poorly Designed for Security

With more websites being deployed and managed on a cloud platform, attack vectors are proliferating. Many of the data breaches that have made the news in recent years can be directly tied to flaws or weaknesses in design rather than end-user apathy or neglect. This places additional pressure on developers and security experts to get it right before a platform is launched rather than patch up the problem later.

Security is essential at every stage of web development, and standard security protocols should be baked into the core framework of app design and testing. This can be managed by following the foundational principles of security through design and implementation:

  • Operating within the legal guidelines and being accountable
  • Knowing and understanding the regulations regarding privacy and security
  • Considering the ethical elements of design and system development
  • Communicating with users through the design and deployment process to ensure that data privacy concerns and best practices are addressed
  • Implementing measures for data security, retention, and retirement to prevent leaks and breaches
  • Developing and documenting guidelines, policies, and procedures related to privacy protection and security
  • Developing standards and methods within your organization for applying concepts and procedures
  • Monitoring, evaluating, and restructuring guidelines and procedures as needed

Where Does Zero Trust Fit In?

Zero trust is a security model in which access to a network, from inside or outside, is never automatically granted; instead, anything and everything must be verified and authenticated each time it uses the system. It’s essentially a “trust no one” approach that is the polar opposite of traditional security measures like a firewall or virtual private network (VPN), both of which categorize you as “okay” for eternity once you pass the initial verification process.

This isn’t to say that those just jumping on the VPN bandwagon for the first time are advised to jump back off. For individuals and business networks alike, the encryption and IP-cloaking features of most leading VPN service providers boost online privacy and security by essentially creating a private tunnel through which data flows between your device and the Internet. It’s a great way to hide from hackers, especially if you have remote workers who need to securely access the company network.

But businesses with an online presence should be working towards zero trust as a foundational strategy. This is a security protocol that makes no assumptions; in other words, it assumes zero trust. It operates on a threat model in which any users, services, or systems interacting within the security perimeter are inherently untrustworthy and need to constantly verify their authenticity before being granted access to any part of the system.

The GDPR doesn't necessarily have the same compliance guidelines and remedies as other recent regulations like California's Consumer Privacy Act, AB-375. But they do share several common denominators that developers can use to create a comprehensive approach to data privacy and security. This common ground includes information regarding compliance that companies must know and convey to users, employees, partners, and anyone else whose data is collected, such as:

  • What data is collected and stored
  • Where in the database or network it's stored
  • How the information is accessed and by whom
  • Whether that data is sold, shared, or processed outside of the immediate storage perimeter
  • How the data is secured within the storage perimeter

Implementing a zero trust architecture makes up for any lack of visibility: because all communications must be verified across every channel, the data flow can be discovered at every access point within and across networks and platforms. The point of zero trust is to eliminate the concept of trust by making it irrelevant.

By adopting a zero trust posture, companies are able to automatically discover and inventory all assets, including applications and databases, and incorporate asset management into their security plan. They're also able to lock down these assets through standards like least privilege access.
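To make the contrast concrete, the following added example (not from the original article or any vendor product) sets a perimeter-style "verified once" check beside a zero trust check that re-verifies signature, expiry, and least-privilege scope on every request, and records who accessed what. The token format, `KEY`, the `svc-billing` subject, and the scope strings are constructed assumptions for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"          # assumption: per-deployment secret
AUDIT = []                             # who accessed what, and the decision

def issue(subject, scopes, expires_at):
    """Mint a signed, short-lived credential listing least-privilege scopes."""
    body = base64.urlsafe_b64encode(json.dumps(
        {"sub": subject, "scopes": sorted(scopes), "exp": expires_at}).encode())
    sig = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def perimeter_allow(session, resource, action):
    """Perimeter model: one check at login, trusted from then on."""
    return session.get("logged_in", False)

def zero_trust_allow(token, resource, action, now):
    """Zero trust: verify signature, expiry and scope on every request."""
    subject, decision = "unknown", "deny:bad-signature"
    body, _, sig = token.partition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(sig, expected):
        claims = json.loads(base64.urlsafe_b64decode(body))
        subject = claims["sub"]
        if now >= claims["exp"]:
            decision = "deny:expired"
        elif f"{resource}:{action}" not in claims["scopes"]:
            decision = "deny:out-of-scope"
        else:
            decision = "allow"
    # Every decision is logged, which answers "how is data accessed and by whom".
    AUDIT.append({"t": now, "sub": subject, "res": resource,
                  "act": action, "decision": decision})
    return decision == "allow"

def demo():
    session = {"logged_in": True}                        # authenticated once
    token = issue("svc-billing", {"invoices:read"}, expires_at=1000)
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")
    return [
        perimeter_allow(session, "customers", "export"),     # True: still trusted
        zero_trust_allow(token, "invoices", "read", 900),    # True
        zero_trust_allow(token, "customers", "export", 900), # False: out of scope
        zero_trust_allow(token, "invoices", "read", 1001),   # False: expired
        zero_trust_allow(forged, "invoices", "read", 900),   # False: bad signature
    ]

if __name__ == "__main__":
    print(demo(), AUDIT, sep="\n")
```

The `AUDIT` list doubles as the access record the compliance questions above ask for: each entry names the subject, the resource, the action, and the outcome.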

This reduces the attack surface, provides accountability and transparency, and shows that developers and their clients are taking data privacy and security seriously. Providing this type of proof is one of the requirements for GDPR compliance.

In addition, zero trust:

  • Helps prevent data breaches
  • Frees up IT security specialists and management to focus on other areas of growth
  • Enables eCommerce and digital business platforms to meet full GDPR compliance
  • Establishes and nourishes consumer and employee trust in businesses and software developers
  • Maintains professional integrity and reputation

Final Thoughts

Robust design is about more than functionality and UX. A main feature of both is how securely a website or app is constructed, and how far it goes toward protecting website owners from liability and users from malicious activity. You can't separate privacy and security, and these regulations aren't going away anytime soon. In fact, they're likely to strengthen and proliferate as more governments get into the act.

Implementing a zero trust security architecture at the initial design stage, hardening it through discovery during testing, and monitoring it continuously after deployment will help ensure that security that protects privacy is built into the process.

About Sam Bocetta

Security Researcher & Freelance Journalist

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. 

Previously, Sam worked as a security analyst for the DoD, and spent 30-plus years bolstering cyber defenses for the Navy. Much of his work involved penetration testing Navy ballistic systems. He also helped plan, manage and execute sophisticated "ethical" hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems.

Sam is now semi-retired and educates the public about security and privacy technology. He is currently writing his first book about democratizing personal privacy solutions for the broader public, due for publication in early 2021.