GDPR Compliance and Container Security: Key Topics
At Twistlock, we recognize the role compliance regimes play in implementing secure container technology. Customers regularly come to us to understand how the Twistlock platform can help them achieve HIPAA and PCI compliance, while also keeping in mind the Docker CIS benchmark.
Update: With the release of Twistlock 2.3, the Twistlock Platform now includes a pre-defined compliance template for GDPR, alongside templates for HIPAA, PCI, and NIST SP 800-190. These pre-defined templates make it easy to begin implementing GDPR compliance when using containers at your enterprise.
In May 2018, companies that do business in the European Union (EU) will have to ensure that they are following the EU General Data Protection Regulation (GDPR). The regulation is significant because companies can be hit with fines up to 4 percent of global revenues or €20 million, whichever is greater according to Forrester. While companies are beginning to move toward compliance, Help Net Security reported data from Veritas that states only 2 percent of GDPR-ready organizations are actually compliant — meaning companies worldwide have work to do to avoid hefty fines and legal action.
While there are many key topics that impact enterprises doing business in the EU, I’ve chosen to highlight a few that are most relevant with the Twistlock Platform that we have been discussing here regularly.
Secure Personal Data
This requirement should not surprise security and compliance professionals. GDPR emphasizes security of any personally identifiable information (PII) Richard Stiennon, CSO at Blannco Technology Group, states:
As part of GDPR, many types of personally identifiable information (PII) will be protected, such as banking information, health records and government identity records, as well as any data that can be tied back to a data subject such as geo-location data from a cell phone, home address or data from a medical device.
This regulation makes it essential for enterprises to evaluate their data protection and storage policies similar to other compliance regimes. With the release of Twistlock 2.0 earlier in 2017, we added a compliance management capability formally called Twistlock Compliance Explorer. Compliance Explorer provides a single view of all policies enforced in your environment, the current compliance state, and historical compliance data. Twistlock users can test compliance at three critical points, the CI/CD pipeline, the registry, and in production, to ensure that personal data is secure.
Privacy By Design
A requirement that goes alongside securing personal data is the idea of privacy by design. According to PrivacyTrust, businesses will will have to design policies, procedures and systems which comply with the GDPR from the inception of the product’s or processes’ development. Many in the cybersecurity community have been discussing how this requires a risk-based approach to cybersecurity. This idea goes hand-in-hand with how we secure personal data at Twistlock — ensuring that security and privacy are addressed and architected at the earliest stages of development.
As containers are built and deployed at increasing speeds, security professionals need solutions that leverage machine learning and automation to provide security throughout the SDLC. Twistlock is able to offer:
- Automated policies that allow you to define and enforce vulnerability requirements as code is built
- Powerful threat intelligence from the Twistlock Intelligence Stream that is more comprehensive than any other container cybersecurity vendor
- The ability to monitor and track vulnerabilities and threats over time and take action on any gaps in your environment
Establish A Cybersecurity Framework
Similar to HIPAA, GDPR does not directly describe countermeasures that enterprises must implement. Instead, GDPR requires companies to establish a cybersecurity framework —“appropriate technical and organizational security measures.” At Twistlock, we utilize the NIST Cybersecurity Framework for HIPAA, which could also be utilized for GDPR.
The NIST Cybersecurity Framework, in contrast, is a comprehensive framework of security controls built on a rigorous analysis of the types of threats faced by organizations that use similar information technologies. The NIST Cybersecurity Framework is useful because it’s prescriptive. It tells you how to secure sensitive data using existing standards and best practices. Piotr Foitzik, Data Protection Manager at ALK-Abelló, offers an in-depth breakdown of other NIST guidelines that may be helpful. While the NIST Cybersecurity Framework does not include direct mappings to GDPR, it is a good resource that cybersecurity professionals can utilize.
Just this month, NIST released Special Publication 800-190, Application Container Security Guide, which Twistlock CTO John Morello co-authored. The special publication identifies “potential security concerns associated with the use of containers and provides recommendations for addressing these concerns.” To better help enterprises incorporate recommendations and successfully secure their containerized environments, Twistlock released a Companion Guide to NIST 800-190 — this companion guide addresses top security challenges for organizations and helps organizations enable countermeasures, specifically through Twistlock, that meet NIST compliance guidelines more quickly and easily.
Next Steps When Approaching GDPR Deadlines
As you look to establish proper GDPR compliance, feel free to connect with our solution architects in order to properly measure your current security and compliance measures, implement the Docker and Kubernetes CIS Benchmarks, and how Twistlock can help you better approach GDPR. At the same time, stay up-to-date with additional resources such as EUGDPR.org.
i-Scoop also has an in-depth guide that can be sorted by topic that could be helpful.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
Baking Compliance in your CI/CD PipelineRead the Blog
Serverless Security Suggestions: Tips for Keeping Serverless Functions SecureRead the Blog
Why a Common Security Toolset is Essential for DevSecOpsRead the Blog
Putting the “Ops” in DevSecOps: Why It’s Hard and How to Do ItRead the Blog
Why the Point Solution Mindset for IT Security is DeadRead the Blog