Less than two months before the European Union enforces its stringent General Data Protection Regulation (GDPR), businesses are rushing to achieve compliance, procedurally and technologically.
Key to avoiding hefty fines under the GDPR is “data protection by design and by default” (Article 25), which requires data protection to be baked into the development of business processes for products and services.
Essentially, controllers must take technical and procedural measures to ensure that processing complies with the regulation throughout the lifecycle, and ensure data is processed only when necessary. Finally, to safeguard the privacy of end users, encryption and decryption operations must be carried out locally – even when the controller stores user data on a cloud – because both keys and data must remain in the custody of the data owner.
For DevOps, “data protection by design and by default” has become serious business: three in 10 organizations have experienced suspected or verified breaches stemming from vulnerabilities in open source components, a 55% increase over 2017 and 121% more than in 2014, according to a Sonatype survey.
DevOps describes a software engineering practice aimed at unifying software development (Dev) and software operation (Ops). The main goal in DevOps is automation and monitoring at every step of software creation, from integration and testing to rollout and deployment. The term DevSecOps is used when application development includes a focus on security from the outset, minimizing the chance of vulnerabilities cropping up during or after deployment.
Organizations pursuing DevSecOps transformations reported making “critical” investments in open source governance (44%), container security (56%) and web application firewalls (58%). And mature DevOps practices were 338% more likely to integrate automated security than organizations with no DevSecOps practice.
Spotlight on Open Source Governance
Last year’s Equifax incident is perhaps the best example of vulnerable open source software opening the door to bad actors. That said, it was the credit reporting agency itself that twice failed to patch known vulnerabilities in Apache Struts, the open-source web application framework for developing Java EE web applications, and that failure led to the breach exposing the personal and financial data of 147 million customers.
With GDPR fast approaching, businesses involved in DevOps have no choice but to live up to the task.
“As application breaches tied to open source components jumped more than 50% year over year, those investing in DevSecOps showed 85% higher levels of cyber readiness, compared to those who aren’t,” said Wayne Jackson, CEO of Sonatype. “It’s evident that recent high profile breaches have heightened investments in DevSecOps. The survey also revealed strong investments from organizations striving to stay ahead of May 2018’s ‘secure by design’ requirement stipulated within the EU’s General Data Protection Regulation (GDPR).”
Other key findings
- 77% of mature DevOps organizations have open source policies
- 59% of mature DevOps organizations are building more security automation into their development process
- 88% of those with mature DevOps practices are investing in application security training
- 63% of respondents with mature DevOps practices say they leverage security products to identify vulnerabilities in containers
- 48% say developers know application security is important, but lack time to spend on it
Endpoint Detection & Response (EDR)
Another technology that has caught the eye of organizations targeted by GDPR is Endpoint Detection & Response (EDR). Eighty percent of large organizations are investing in endpoint detection & response, placing EDR on track to become a key security asset by 2020.
Demand for incident response tools that offer early visibility into advanced threats is further expanding the market, with expectations of a compound annual growth rate (CAGR) of 45.27% from 2015 through 2020. The EDR market grew from $238 million in 2015 to about $500 million in 2016. By 2020, it is expected to become a billion-dollar market, rivaling the multi-billion-dollar market for endpoint protection platforms (EPP).
To learn more about EDR and where it falls into the GDPR compliance saga, download our free whitepaper: Endpoint Detection & Response (EDR) – How to safeguard customers’ personally identifiable information under the GDPR.
GDPR goes into effect May 25 and applies to every entity that collects, controls, stores or processes data of European Union citizens, regardless of whether the organization does business inside or outside the Union.