Comment: The EU’s Proposed 24-hour Breach Disclosure Rules will Drive Automation

Says Hamelin: "the arrival of proposed revisions to the EU Data Breach Directive could serve as a huge opportunity to impose a rational design on security that rewards the best practices and the companies willing to bring them into effect"
Says Hamelin: "the arrival of proposed revisions to the EU Data Breach Directive could serve as a huge opportunity to impose a rational design on security that rewards the best practices and the companies willing to bring them into effect"

It’s not often that a single speech has the power to reshape the computing industry, but EU Justice Commissioner Viviane Reding’s confirmation in a January 2012 address that the European Commission is planning a raft of new directives on data security will come to be seen as an important turning point. The proposed directive includes a number of tough new provisions on data handling, but the element that will give security professionals the most immediate anxiety is the insistence that organizations doing business in the 27-nation EU zone inform national information commissioners of data breaches affecting consumers or citizens within 24 hours, or risk heavy fines for not doing so.

This is a radical jump. Having been under little or no obligation to formally disclose a data breach in most EU countries, companies will suddenly be required not only to inform the authorities, but do so in some detail on an accelerated timescale. Moreover, the change will affect not only companies in the EU, but those doing business in it, making the proposed directive the first de facto global data breach law.

Informing the authorities that a breach has been discovered sounds straightforward, but it’s not so simple. Assuming administrators have evidence that something has gone awry, will they have the tools to say precisely what without delay? What sort of reporting systems will they have to explain the extent of a breach? Will possible security failures have any regulatory and legal consequences and, if so, what will these entail?

A major consequence of this development is that old-fashioned periodic, manual security audits and the manual configuration processes that underlie them are heading for obsolescence.

Currently, security is often measured for regulatory and compliance purposes through an external audit that takes place quarterly or annually, depending on the business sector. Some organizations also perform more regular internal checks, but the design of these is open to interpretation, and their frequency varies from organization to organization.

The reality of the proposed data breach directive is that administrators could be asked to audit their security stance at any moment when a breach is uncovered, with only a few hours notice. Referring back to an audit possibly months or weeks in the past will be useless; CISOs will require an overview of security policies, compliance and data protection that reflects what is happening at the moment the request is made.

This makes complete sense – can any company possibility understand its security state using an audit that is possibly months out of date? Here the proposed directive imposes an important level of discipline organizations should welcome.

What such continuous auditing does is render manual assessment impractical. The solution – automated auditing in real time – goes from being a useful convenience to an essential component of any security infrastructure.

Today, real-time security and auditing requires that organizations integrate information from multiple types of hardware systems, and across a range of vendors that generate reports through proprietary management consoles. On top of this, any reporting infrastructure must also make sense of the flow of security data from different elements of the system, comparing this to a set of security policies. At any moment, security managers must be able to react quickly when a particular setting infringes on a policy, and have the means to describe what action was taken and why.

Although new reporting systems will be needed to build such an infrastructure, a key issue is whether this change from causal to mandatory and continuous auditing will be viewed positively by the people tasked with putting it into practice – the security professionals themselves. How professionals interpret and react to this change is the biggest unknown of the proposed data breach directive.

A recent survey of 100 network managers by Tufin Technologies provides some perspective. Forty-two percent of them said that proposed Data Breach Directive would lead to an increased risk-awareness within their organization. A third believe that their attitude toward continuous compliance will change when the new regime is in place, with just over half convinced that automated audits would make it easier to comply with the proposed changes.

Close up, attitudes probably vary from individual to individual, organization to organization, with some seeing the proposed directive as more of an aspiration, others as the medicine needed for an industry that – even after an onslaught of recent high-profile data breaches – remains complacent.

According Jericho Forum board member, Andrew Yeomans, the proposed directive serves to focus security professionals on data security over systems.

“From a Jericho Forum viewpoint, any strengthening of regulations is an incentive to implement pervasive data-centric security, so the data is protected wherever it is”, he says . “The Jericho Forum has highlighted that the ‘perimeterized’ [that is, traditional] model misses many possible breaches, especially data that has been intentionally passed to other organizations, which subsequently suffer a breach.”

The concern about ‘false positives’ drives the need for accurate, real-time auditing and monitoring. “The regulators may also get overloaded with potential data breach reports that turn out to be false alarms, if only 24 hours is allowed for any initial investigation”, Yeomans warns.

Far from being an imposition, the arrival of proposed revisions to the EU Data Breach Directive could serve as a huge opportunity to impose a rational design on security that rewards the best practices and the companies willing to bring them into effect.

As daunting as it appears, the proposed directive’s biggest plus is its scope, which imposes the same rules across the 27-nation EU zone and beyond. This creates short-term hurdles, but the pay-off is potentially huge. For the first time, multi-national organizations will no longer have to interpret a confusing array of data breach and protection rules in different territories, allowing for the sort of policy centralization that can enhance security. For the first time, everyone will be playing by the same rules based on a swift response.

It is critical that organizations approach the toughness of the directive head on, using the right tools and processes, with automated auditing to the fore. The world of manual, ad-hoc auditing was always one based on assumptions about risk; however, now these assumptions are much less certain. In a world of uncertain security, there is no longer time to waste.

As chief security architect, Michael Hamelin identifies and champions the security standards and processes for Tufin Technologies. Bringing more than 16 years of security domain expertise to Tufin, Hamelin has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security.

Hamelin previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin, he was the principal network and security architect for ChoicePoint, a LexisNexis Company. Hamelin received Bachelor of Science degrees in chemistry and physics from Norwich University, and did his graduate work at Texas A&M University. 

What’s hot on Infosecurity Magazine?