The GDPR is now in effect. As the first data protection regulation enforceable by law, there is much uncertainty about how the European Union will enforce it. How strict will governing bodies be? How will different member states vary in their enforcement of the law? Until the first major penalty is enforced for non-compliance, no one knows how the enactment of this law will affect businesses around the world.
One of the stipulations in the GDPR causing the most trepidation is the 72-hour reporting rule. Until we see the first penalties for non-compliance, organizations will continue to struggle to catch a data breach and report it within those 72 hours, and it is almost certain that many will fall short. According to the Ponemon Institute’s 2017 Cost of a Data Breach Study, the average time it took to discover a breach was 191 days. Given that the mainframe is generally out of sight and out of mind to your distributed SIEM team, if your mainframe is breached, you most likely won’t catch it in time to be GDPR compliant.
Every day the mainframe grows closer to the internet, and the myth that it is un-hackable is causing a harmful complacency among network security professionals. In CorreLog’s “Anatomy of a Mainframe Breach” whitepaper, we discussed some past mainframe breaches and the growing cyber-threat to the mainframe. The reality is that 80% of corporate enterprise data is stored on mainframe computers, including the PII data most valuable to hackers: electronic health records and credit card data. The GDPR is an EU directive; however, even if you operate outside the EU, and even if you have only one EU citizen’s data in your CRM system, you must be ready to comply with the regulation or face the penalties for non-compliance (up to €20 million or 4% of your global annual revenue).
In the GDPR Article 33, the legislation states that in the case of breach “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55…”
As mentioned previously, the statistics are not favorable for you to be able to meet the 72-hour reporting rule in the event of a mainframe breach. Given the current results from the Ponemon/IBM research, this capability seems impossible. It should be noted that the GDPR recognizes two functions within your organization that need to be working very closely together in the management of EU citizens’ data: the “Controller” and the “Processor”. The Controller generally determines the purpose, conditions, and means of data processing, while the Processor is the computation entity acting on behalf of the Controller. You can read more about the role of data Controllers and Processors here. It is important to understand the Controller-Processor responsibilities and the systems they use with the GDPR in mind. It is also noteworthy that the GDPR introduces direct obligations for data processors for the first time, whereas the old directive (EU Directive 95/46/EC) only held data controllers liable for data protection noncompliance. Controllers and Processors will both now be subject to penalties and civil claims by data subjects for the first time. To empower both Controllers and Processors to stay compliant with the regulation, it is essential that they are notified of a potential breach immediately by your SIEM system or Security Operations Center (SOC).
Securing your data means knowing and visualizing the user interactions with your data in real time and from all sources. Theoretically, we will never be able to build a hack-proof data store because humans are mistake-prone. But we can prepare ourselves with real-time visibility through SIEM technology. The latest Verizon DBIR reveals that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Security industry pundits agree that a breach is inevitable, and the focus should be on real-time threat visibility with instantaneous notification of a breach, followed immediately by corrective action to stem the bleeding. (The EU, with the GDPR, believes this too!) What makes this all possible is a security policy based on 100 percent visibility, in your SOC, of the activity across all the threat vectors in your network, both mainframe and distributed systems. Where the GDPR is concerned, this visibility gives the Data Protection Officer (DPO) a path to validate the technical and organizational measures they are undertaking to maintain compliance and, in the event of a breach, an audit trail of forensics with which to determine the who, what, when and where of the breach.
CorreLog is one of the only mainframe security vendors that offers a software-based InfoSec system that sends real-time alerts to a SIEM system or SOC. The product is called CorreLog zDefender™, and it uses facilities already built into IBM z Series (including the new z14 ZR1) mainframes to send up-to-the-second alerts to InfoSec personnel when anomalous user behavior is detected. zDefender™ holds certified integrations with the world’s leading SIEMs, including QRadar, ArcSight, RSA Security Analytics, and McAfee ePO, and also field integrations with SIEMs such as Splunk, LogRhythm, Dell SecureWorks, and others. In addition to sending real-time alerts about a potential mainframe breach, zDefender can also trigger an event into your service desk to create a ticket.
For mainframe data security auditing, CorreLog offers its dbDefender™ product for both IBM’s Db2 and IMS database products. To read more about CorreLog’s GDPR recommendations and expertise for mainframe user access and data protection, click here to download the whitepaper, “Impact from the New GDPR: Countdown to the new EU General Data Protection Regulation (GDPR) has begun, and its Impact will be Global.” For more information on CorreLog security products for z/OS, click here.