The EU Digital Operational Resilience Act (DORA) reinforces the principles of the GDPR (adding to our GDPR compliance) to strengthen data protection measures for banking institutions operating within the EU. Its aim is to create a more robust and secure digital environment for these organizations, recognizing that as the financial sector relies more on technology, digital disruptions could compromise financial stability or consumer protection.
Within these guidelines are specifics around encryption, which plays a vital role in data compliance. By adopting encryption as a fundamental security measure, financial organizations can safeguard sensitive data, enforce data protection, and ensure data privacy.
Pure Storage solutions include the technical components needed to meet the challenges of complying with DORA, especially around encryption. Through the architecture of its solutions as well as their efficiency and performance, Pure's arrays and its Evergreen//One storage-as-a-service (STaaS) solution add the necessary operational resilience.
What is DORA and What Does It Mean for Banking Organizations?
DORA was designed to help promote operational resiliency, stability, and continuity in the financial sector with six key objectives organizations must address for total compliance. Among those objectives is “ICT Risk Management,” which includes various measures to be taken to protect data:
“Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.”
Encryption is often considered a critical component of any cybersecurity and data protection plan (and is often mandated for healthcare, financial, and government institutions). Here’s an overview of encryption and how it can benefit financial organizations seeking compliance with the DORA framework.
Types of Data Storage Encryption to Know
In today’s IT world, encryption should be a fundamental pillar in any modern data protection strategy. In general, there are three ways that businesses can encrypt their data:
- At the application layer
- In flight
- At rest
Encryption at the Application Layer
Encryption at the application layer is the least effective, both in terms of allocation of resources and business efficiency. Servers (virtual or physical) are sized for the application they run. When you add encryption, it takes CPU cycles away from the application itself, making the application less performant. Laying encrypted data down on a storage system makes that data exclusive to the application that wrote it, meaning it is not shareable, and you cannot consolidate data that is not shareable. A lack of consolidation can lead to a few issues: multiple copies, more copies to manage, more points of error, more points of data leakage, and more cost associated with additional storage.
Since encrypted data is hard to compress and deduplicate, data sets cannot be reduced and require more physical data storage. This increases wear on the storage system, which reduces the life of the storage system, leading to increased costs.
Encryption in Flight
Data in flight should ideally be encrypted as well. This is true for data that travels outside of the “four walls” of a data center. However, in most cases, data within the “four walls” should be secure enough that it does not need to be encrypted.
Skeptics will argue that the data could be tapped, and they aren’t wrong. However, if someone is tapping the network for data, that points to a fundamental security issue that needs to be addressed.
Part of the reason SANs have been slow to converge with traditional LANs, and why Fibre Channel still exists as a leading storage networking protocol, is that it is abstracted from the LAN and the internet, and data traveling on it only travels between servers and the storage system.
Many of our customers agree, and they confirm that data encryption within the confines of the data center is not a prominent concern.
Encryption at Rest
That leaves data encryption at rest—the best way to secure data. Some storage vendors approach this with optional self-encrypting drives (SEDs), but SEDs are expensive and inflexible. The encryption is on each disk, requiring keys for every drive and increasing the load on the storage system to manage and maintain those keys. Unless an enterprise is willing to take on the expense of upgrading every storage system with all SEDs, some data may be left exposed.
Since each drive has its own encryption, it reduces the benefit of compression and deduplication: each piece of data written to each disk, after compression and deduplication, would have to be individually encrypted and decrypted on every read and write. This can make the whole process simply untenable.
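The interaction between encryption order and data reduction described above (encrypt-first at the application layer, and per-drive encryption) can be measured directly. The following is an added example, not code from Pure Storage or from this page: it stores a constructed, highly repetitive dataset as 4 KiB blocks and compares the deduplication and compression ratios when blocks are encrypted before storage versus when plaintext is deduplicated and compressed first and only the retained data is encrypted. The HMAC-SHA256 counter-mode keystream is an assumed stand-in for a real cipher so the script runs with the standard library alone; the block size, sample data and key are constructed for the demo.

```python
import hashlib
import hmac
import os
import zlib

BLOCK = 4096  # storage block size assumed for the demo
# Constructed sample: one block of repetitive, log-like text stored eight times.
SAMPLE = (b"2024-01-01T00:00:00Z ledger txn ok " * 200)[:BLOCK] * 8
KEY = b"\x01" * 32  # constructed demo key, not a real secret


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES-CTR (demo only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Fresh random nonce per block, so identical plaintext blocks never share a ciphertext.
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(block, keystream(key, nonce, len(block))))


def dedup_ratio(blocks: list[bytes]) -> float:
    # Logical blocks divided by unique blocks, content-addressed by SHA-256.
    return len(blocks) / len({hashlib.sha256(b).digest() for b in blocks})


def compress_ratio(blocks: list[bytes]) -> float:
    # Raw bytes divided by zlib-compressed bytes, summed over blocks.
    return sum(len(b) for b in blocks) / sum(len(zlib.compress(b)) for b in blocks)


def compare(data: bytes, key: bytes) -> dict[str, float]:
    plain = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # Application-layer order: encrypt first, then hand the blocks to storage.
    app_first = [encrypt_block(key, b) for b in plain]
    # Array order: dedupe and compress plaintext, then encrypt only what is kept.
    unique = {hashlib.sha256(b).digest(): b for b in plain}.values()
    stored = [encrypt_block(key, zlib.compress(b)) for b in unique]
    return {
        "plain_dedup": dedup_ratio(plain),
        "plain_compress": compress_ratio(plain),
        "app_first_dedup": dedup_ratio(app_first),
        "app_first_compress": compress_ratio(app_first),
        "array_order_effective": len(data) / sum(len(b) for b in stored),
    }
```

Run `compare(SAMPLE, KEY)`: the plaintext dedupes 8:1 and compresses heavily, the pre-encrypted blocks dedupe 1:1 and do not compress at all, while the dedupe-then-encrypt order keeps the full reduction.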
Encryption at Rest with File-level Encryption
File-level encryption, also known as file-based encryption or filesystem-level encryption, is another type of encryption at rest worth knowing. Individual files and folders stored on a local device or network storage can be encrypted without encrypting the entire storage medium itself. Administrators can specify which files and data must be encrypted, such as files containing sensitive corporate data, intellectual property, trade secrets, or customer information.
Encrypt at the Array Level with Pure Storage
The best way is to enable encryption in software at the array level. Pure Storage data storage solutions can compress, dedupe, and encrypt data with no performance overhead. Furthermore, Pure’s industry-leading compression and deduplication, along with its encryption algorithms, are all done inline, always-on, with no need for tuning or configuration by the customer. Pure Storage® FlashArray® provides you with the highest level of security and best cost efficiency for your enterprise data.
Encryption can ensure that data remains secure, even in the event of unauthorized access or breaches. Encryption also aligns with the principles of data protection and compliance, enabling organizations to meet the regulatory requirements and responsibilities for managing the data they collect. As banking organizations adjust policies and technologies to adhere to DORA regulations, encryption may be one of the swiftest and most effective ways to meet the regulation’s intent.