comforte Lounge Blog


    Get Ready for GDPR, PSD2: Here's What You Should Know

    Imminent new security and data privacy regulations require a rethinking of traditional approaches to enterprise architectures. Here is what you should know about GDPR and PSD2.


    Imminent new security and privacy regulations invite a rethinking of traditional approaches to enterprise architectures for cyber security and data protection. Pending regulations, such as the European Union General Data Protection Regulation (GDPR) and the EU's revised Payment Services Directive (PSD2), usher in new requirements, including stiff financial penalties for noncompliance. GDPR, which applies from 25 May 2018, provides for fines of up to 4% of global annual turnover, or EUR 20 million, whichever is higher, for the most serious infringements; breaches of its security and breach-notification obligations fall under a lower tier of up to 2% or EUR 10 million.

    Rethinking current practices is particularly relevant to administrators and architects of HPE NonStop systems, which enable many of the world’s most critical transactions and therefore process many types of sensitive data covered by regulations. NonStop systems are currently deployed across many industries, ranging from financial services and retail to telecommunications and energy.

    Industry-specific regulations vary widely. For instance, the financial sector tends to provide more broadly standardized approaches, such as the Payment Card Industry Data Security Standard (PCI DSS). In other industries, such as telecommunications, the growing body of regulations is more diverse, ranging from International Telecommunication Union (ITU) to country-specific standards.

    These increasingly stringent regulations coincide with a proliferation of cyber risks, threats, and vulnerabilities. Businesses recognize their exposure. For instance, Egress Software Technologies research found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while Netskope-commissioned YouGov research found that 80 percent of IT professionals in medium and large businesses are not confident of ensuring GDPR compliance by the May 2018 deadline.

    Characteristics of Future-Oriented Architectures
    Our view is that future-oriented NonStop architectures, in order to satisfy regulations and protect the enterprise, must contain the following core characteristics:

    1. Enhanced operations beyond the status quo: collecting, consolidating, and correlating the logs that already exist (application logs, Safeguard audit trails, iTP Secure WebServer logs) into one stream. This should be possible without modifying the applications that produce them.
    2. An extended cyber security architecture with system-alerting functionality, including in-depth coverage of NonStop Safeguard events and keystroke logging for all NonStop subsystems (Tandem Advanced Command Language [TACL], Open System Services [OSS], Pathway, etc.). In addition, the architecture should “de-isolate” NonStop systems by providing a Single Sign-On (SSO) solution that integrates with the rest of the enterprise IT infrastructure, as the foundation for upcoming two-factor authentication (2FA) requirements; PSD2's strong customer authentication (SCA) rules are one driver.
    3. A generic intercept architecture (e.g., covering all Common Gateway Interface [CGI] and Pathway server-based application subsystems) to support a smart cyber security and monetization architecture. Intercept technology collects far more data than log files do, without changing the underlying application(s). The non-intercept alternative, in some enterprises, means modifying up to 5,000 scripts/microservices so that they emit the needed log data. In addition to security, the richer data can be monetized via the customer insight it provides, especially when combined with or supplemented by other data (e.g., location data). Note that under GDPR such reuse needs its own lawful basis and must be compatible with the purpose for which the data was collected; data captured for security monitoring cannot simply be repurposed.
    4. Pseudonymization and tokenization of the sensitive data fields that regulations such as GDPR and PCI DSS cover (GDPR names pseudonymisation explicitly as a security measure, and tokenization can take systems that hold only tokens out of PCI DSS scope). Replacing card numbers and personal identifiers with tokens in application flows and logs provides effective protection against external attacks and insider threats, as explained in our series on tokenization. The token vault and the detokenization path then become the most sensitive components and need the tightest access control and auditing.
    5. A centralized security information and event management (SIEM) solution to store the collected data. A SIEM allows searching, sorting, filtering, and analyzing the data as part of the core enterprise Governance, Risk, and Compliance (GRC) function, and it is where cross-source alert rules (for example, repeated failed logons seen across Safeguard and OSS) are evaluated.
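    The following is an added example in Python, not code from comforte or HPE, that shows items 1, 4 and 5 working together on a small scale: a vaulted tokenization service that replaces card numbers (PANs) with tokens, a forwarder that pseudonymizes log lines before they leave the system for the SIEM, and one SIEM-style alert rule over consolidated logon events from several sources. Every name, class, log format and sample record is constructed for illustration (the `TokenVault` class, the `SAFEGUARD`/`OSS` event layout, the `settlement` role); none of it is a real NonStop, Safeguard or iTP WebServer interface or format.

```python
"""Added example (not comforte's or HPE's code): vaulted tokenization of PANs,
pseudonymization of log lines at source, and a SIEM-style alert rule.
All identifiers, log formats and records here are constructed for illustration."""
import hashlib
import hmac
import re
import secrets
from collections import Counter


def luhn_ok(digits: str) -> bool:
    """Luhn check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens. The mapping is the crown jewel: in a real
    deployment the vault runs on its own hardened system with strict access
    control, and detokenization is a privileged, audited operation."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key              # keyed hash: the index is not a PAN list
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        self.audit: list[tuple[str, str, str]] = []   # (principal, action, token)

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._token_by_index:        # same PAN always yields the same token
            return self._token_by_index[index]
        while True:
            # Keep the last four digits (receipts, customer lookup), randomize the
            # rest, and reject candidates that pass Luhn so a token can never be
            # mistaken for, or used as, a real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, token: str, principal: str, role: str) -> str:
        """Only the authorized role may recover a PAN; every attempt is audited."""
        if role != "settlement":
            self.audit.append((principal, "DETOKENIZE_DENIED", token))
            raise PermissionError(f"{principal} ({role}) may not detokenize")
        self.audit.append((principal, "DETOKENIZE", token))
        return self._pan_by_token[token]


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrub_event(line: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in a log line with its token before the line
    leaves the system for the central SIEM (pseudonymization at source)."""
    def swap(m: re.Match) -> str:
        digits = m.group(0)
        return vault.tokenize(digits) if luhn_ok(digits) else digits
    return PAN_RE.sub(swap, line)


# Constructed sample events from several sources, already consolidated into one
# flattened shape: "<timestamp> <source> LOGON <OK|FAILED> user=<name> ...".
SAMPLE_EVENTS = [
    "2018-03-01T10:00:01 SAFEGUARD LOGON FAILED user=ALICE term=$ZTN0.#PTY1",
    "2018-03-01T10:00:05 SAFEGUARD LOGON FAILED user=ALICE term=$ZTN0.#PTY1",
    "2018-03-01T10:00:09 OSS LOGON FAILED user=ALICE term=ssh",
    "2018-03-01T10:00:10 SAFEGUARD LOGON OK user=BOB term=$ZTN0.#PTY2",
    "2018-03-01T10:01:00 SAFEGUARD LOGON FAILED user=BOB term=$ZTN0.#PTY2",
]
LOGON_RE = re.compile(r"^(\S+) (\S+) LOGON (OK|FAILED) user=(\S+)")


def failed_logon_alerts(lines: list[str], threshold: int = 3) -> dict[str, int]:
    """SIEM-style rule over consolidated events: users with at least `threshold`
    failed logons across all sources. Returns {user: failure_count}."""
    failures: Counter = Counter()
    for line in lines:
        m = LOGON_RE.match(line)
        if m and m.group(3) == "FAILED":
            failures[m.group(4)] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    print(scrub_event("2018-03-01T10:00:01 APP PAYMENT pan=4111111111111111 amount=12345", vault))
    print(failed_logon_alerts(SAMPLE_EVENTS))
```

The scrubbed line reaches the SIEM with a token instead of the PAN, so the SIEM can still join events on the same card without ever holding card data; the alert rule runs on the consolidated stream regardless of which subsystem produced each record, and the vault's audit list records every detokenization attempt, including denied ones.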

    Figure 1, below, shows a recent solution we deployed that exhibits these architectural characteristics.

    Fig. 1 NonStop solution employing characteristics of a future-oriented architecture for cyber security and data privacy.

    Choosing a Partner Architect
    As deadlines approach, much work must be done to plan, design, and implement revamped architectural solutions. In evaluating potential partners, consider their ability to achieve the following:

    • Develop a clear strategy (including case studies, proofs of concept, etc.) and path to implementation. When time is short, experience is key.
    • Provide a unique combination of broad perspective (i.e., range of experiences with regulations, industries, country requirements, etc.) paired with deep NonStop expertise. Deficiency in either area could be costly.
    • Maximize the value of the solution through an understanding of both the technical requirements and the business issues. The ability to provide guided learning via domain expertise and engineering skills will be invaluable throughout all project stages. So will the ability to suggest additional sources of business value, such as opportunities for monetization.

    The Future is Now
    Security and data privacy regulations like GDPR and PSD2 introduce a large set of data-governance obligations.

    The implementation strategy for appropriate technical and organizational measures must ensure a level of security commensurate with the risk. Timing is critical, as the May 2018 GDPR deadline has serious commercial implications, including penalties for noncompliance.

    For a deeper discussion of your potential options, contact us today to speak with a NonStop expert.