string(7) "English"

Cost Efficient GDPR Compliance: Encryption is Key

Have you received a plethora of new Terms of Service emails from your favorite website and apps lately? Have you also noticed that new policies all began on May 25, 2018? It’s not a coincidence. May 25, 2018 was the first day the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect.

Now that the new EU GDPR policy has kicked in, GDPR compliance is critical for any enterprise that interacts with citizens of the EU. Our recent annual user conference Pure //Accelerate 2018 was governed by GDPR, because citizens of the EU attended the conference, and as part of their registration, we collected personal information about these attendees. In fact, any enterprise that collects personal information about any EU citizen has to comply with GDPR.

Many surveys including GDPR:Report agree that most enterprises are not ready for GDPR. Is yours? Perhaps Pure Storage can help.

For the most part, GDPR is about updating your business processes and leveraging technology to manage personal data you collect about EU citizens. You must be able to find, update, restrict, and/or destroy data specific to a citizen’s request.

To achieve this, there are multiple things that enterprises can do:

  • Consolidate data;
  • Ensure data availability;
  • Provide restricted and audited access to data; and
  • Secure data through encryption.

The IDC Technology Spotlight Paper 

“Data at Rest Encryption and Key Management in GDPR”  highlights new EU GDPR policy compliance requirements, specifically with regard to the role, benefits, and considerations of data at rest encryption and key management.

Consolidate Data

Enterprises should consolidate workloads and data for many reasons, not just for GDPR. By centralizing and consolidating workloads and data, this minimizes the number of copies of data that an enterprise has to manage and protect. Consolidated data can also help improve business processes by increasing the value of the data stored, by providing as close to a “single copy of the truth”.

Minimizing the number of copies of the data is good for data quality, because there are fewer copies of the data that need to be updated, when a citizen demands rectification of verifiable errors, or when the citizen demands restrictions to the use, or when the citizen commands his/her right to be forgotten.

Good data hygiene also leads to greater data accuracy. So it is just simply good business and data practice to consolidate data.

But consolidating data puts pressure on the underlying storage system to be able to support multiple mixed workloads, without performance penalties.

Here, Pure Storage can help!

Our all-flash FlashArray and FlashBlade products are shared accelerated storage systems. Our enterprise NVMe DirectFlash modules provide the highest levels of enterprise performance and is capable of supporting multiple mixed workloads – including SAP HANA, Oracle, Microsoft SQL, artificial intelligence/machine learning (AI/ML), analytics, file, and object workloads.

Ensuring Data Availability

Data availability means having a robust data center infrastructure. It starts with the data storage system. You can have a highly available network, and highly available physical and/or virtual server farm, but without the data, everything falls apart.

Many storage vendors make claims for availability numbers for their systems. But most offer only five nines of availability. Pure Storage FlashArrays have a proven > 99.9999% availability. While Dell EMC’s VMAX’s claims six nines of availability, that comes with the caveat that this is achieved when used with a pair of PowerMaxes or VMAXes running SRDF (which is their DR solution).

Furthermore, Pure’s >99.9999% availability number includes our controller upgrades, capacity upgrades, and even our chassis upgrades!

Provide Restricted and Audited Data Access

Our arrays require credentials to access the array. And, each user has a defined role. Administrators cannot access or modify data. We keep a detailed audit trail of who logs into the arrays, and when.

Secure Data through Encryption

In today’s IT world, encryption should not be an afterthought. It is essential. Data encryption can occur at one of many points – at the application, in flight, and at rest (i.e. on the storage system).

Encryption at the application layer

At Pure, we believe this is the least effective, both in terms of allocation of resources, and in terms of business efficiency. Servers (virtual or physical) are sized for the application they run. When encryption is added on top of this, it takes CPU cycles away from some applications, making the application less effective. Laying encrypted data down on a storage system makes that data exclusive to the application that wrote it, meaning that it is not sharable. Data that is not sharable cannot be consolidated. A lack of consolidation brings us full circle back to the first issue we highlighted above – multiple copies, more copies to manage, more points of error, more points of data leakage, more cost associated with additional storage.

Since encrypted data is hard to compress and deduplicate, this means that datasets cannot be reduced, and requires physically more data storage. This increases wear on the storage system, which in terms reduces the life of the storage system, leading to more cost.

Encryption in flight

Data in flight would ideally be encrypted as well. This is true for data that travels outside of the “four walls” of a datacenter. However, within the “four walls”, it can be argued that the data should be secure enough that it does not need to be encrypted.

Skeptics will argue that the data could be tapped. They are correct. if someone is tapping the network for data, that is a security issue that needs to be addressed. But this is something that is so fundamental to basic network security, it leaves room for the question, whether a two-bit hacker could be stealing data from this enterprise from, say, the cafe across the street.

Part of the reason why SANs have been slow to converge with traditional LANs, and why fiber channel still exists as a leading storage networking protocol, is because it is abstracted from the LAN and the Internet, and data traveling on it only travels between servers and the storage system. Many of our customers agree, and they confirm that data encryption within the confines of the datacenter is not a high concern.

Encryption at rest

That leaves data encryption at rest. We believe that this is the best way to secure data is to encrypt it at rest. Some vendors approach this with optional self-encrypting drives (SEDs). Dell EMC’s SC-series (previously Compellent) and IBM does it this way. But SEDs are expensive, and inflexible. The encryption is on each disk, requiring keys for each and every drive, increasing the load on the storage system to manage and maintain keys. Unless an enterprise forks out the expense of upgrading every storage system with all SEDs, then, some data may be left exposed. Additionally, since each drive has its own encryption, it reduces the impact of compression and deduplication as each piece of data written to each disk, after compression and deduplication, would have to be individually encrypted, and decrypted for each read and write. It is simply untenable.

The best way is to enable it in software at the array level. For some systems, such as NetApp’s AFF A-series using its NetApp Volume Encryption (NVE), and HPE’s Nimble arrays, this is available. But it comes as the cost of performance.

Only Pure has the ability to compress, dedupe, and encrypt data without any performance overhead. Furthermore, Pure’s industry leading compression and deduplication, along with its encryption algorithms are all done inline, always-on, without the need for the customer to tune or configure anything. So, using a Pure array will result in the best cost efficiency, and the highest level of security for the enterprise’s data.

For details on Pure’s data at rest encryption features, IDC wrote a paper, ““Data at Rest Encryption and Key Management in GDPR” that highlights new EU GDPR policy compliance requirements, specifically with regard to the role, benefits, and considerations of data at rest encryption and key management.

At the end of the day, we live in a data-centric world, in which new customer experiences, new business models, faster time-to-market, and the fastest insights, will change the course of businesses and enable market leadership. And, since we do live in a data-centric world, we need a data-centric architecture to match. Pure FlashArray, FlashBlade, FlashStack, and AIRI AI-ready solutions ensure that your enterprise has the best and most secure data-centric architecture.

“GDPR offers businesses a unique opportunity to take control of their most valuable asset: data. Pure enables customers to reduce costs associated with data management and storage, and unleash intelligence and competitive advantage by processing data more efficiently and securely. Encryption by default and robust access control management are just part of a set of industry best practices to effectively manage customer data in the most secure way.” 

David M’Raihi, PhD. Head of Product Security. Pure Storage

Data is the center of your business’s digital universe. Digital data is what GDPR is trying to protect. So, start with the industry’s most secure data-centric architecture vendor: Pure Storage. To find out more about Pure’s Security and GDPR solutions at https://www.purestorage.com/products/purity/purity-secure.html.

To learn more about Pure Storage security and GDPR solutions:

IDC White Paper: “How to Become GDPR Compliant Cost Efficiently: The Role of Encryption in Storage Arrays”

IDC White Paper:  “Data at Rest Encryption and Key Management in GDPR”  

FlashArray GDPR White Paper

FlashBlade GDPR White Paper

Purity Secure web