Companies collecting data on European Union citizens have to comply with new strict rules established by the General Data Protection Regulation (GDPR) since May 25th. Can you tell us more about this regulation, these rules on personal data and their impact on companies and consumers?
The GDPR is a harmonization of 28 national regulations relating to data protection, regulations dating back more than twenty years and no longer efficient in the face of multiple evolutions such as the rise of security breaches and the arrival of disruptive technologies. This regulation defines the standards in terms of the management, the security and the sharing of the EU citizens’ personal data.
The GDPR has an important impact on companies because it is applicable to all companies that process European citizens’ data, regardless of whether these companies are based within Europe or not. Furthermore, it is a legal obligation that carries substantial financial penalties if not strictly followed (4% of revenues or €20M). In order to be compliant with the GDPR, companies will have to keep a record of their personal data processing activities, issue notifications when security breaches occur and nominate Data Protection Officers (DPO), among other things.
Concretely, this regulation strengthens citizens’ rights in terms of their personal data by bringing more transparency, since companies will have to inform them on the usage of their data, and by making this data “portable”, meaning that any user will be able to get his/her own data back and give it to a third party.
When one thinks of data, and data protection, software solutions come to mind. Is it possible to protect data with hardware solutions?
The GDPR specifically states that encryption and pseudonymisation are appropriate data protection tools in article 32.
- Pseudonymisation consists of separating data from any kind of identification in order for that data to not be linked to an individual.
- Encryption makes it impossible to understand data without the associated decryption key.
The European Union Agency for Network and Information Security (ENISA) recommends conducting encryption and decryption activities locally, which means that decryption keys need to be in the possession of the data owner at all times. Managing and securing these decryption keys is therefore extremely important, and this is when hardware solutions come into play. Indeed, keeping these keys in a Hardware Security Module (HSM) prevents physical access to them. These cryptographic modules ensure the cryptographic keys’ integrity, and all cryptographic operations are conducted inside these modules, meaning that the keys never leave them.
The integration of a hardware solution in an IT infrastructure therefore guarantees the highest possible level of security. Additionally, the management of keys hosted in these modules is handled by a quorum of administrators and security officers. Thus, the modules can erase the data they hold in case of physical tampering with said modules.
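The two tools named in the answer above (pseudonymisation and encryption) and the boundary an HSM enforces (operations happen inside, keys never come out) can be shown in a small program. The following is an added example written for this page, not code from Worldline or from the ADYTON product: `SealedModule`, its method names and the sample record values (`alice@example.com`, `record-42`) are constructed for illustration. The module generates its keys as unexported fields and offers no method that returns them, so a caller can only ask for an operation; pseudonymisation is a keyed HMAC (deterministic, so records still join on the token), while encryption is AES-256-GCM (randomised and reversible), bound to a record context so that a ciphertext copied into another record is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SealedModule stands in for the HSM boundary: both keys are unexported fields
// and no method returns them, so the application can only ask the module to
// perform an operation, never to hand a key over. (Hypothetical type for this example.)
type SealedModule struct {
	pseudoKey []byte      // secret for keyed pseudonymisation
	aead      cipher.AEAD // AES-256-GCM instance bound to the encryption key
}

// NewSealedModule generates both keys inside the module, the way an HSM would.
func NewSealedModule() (*SealedModule, error) {
	pseudoKey := make([]byte, 32)
	encKey := make([]byte, 32)
	if _, err := rand.Read(pseudoKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(encKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SealedModule{pseudoKey: pseudoKey, aead: aead}, nil
}

// Pseudonymise replaces an identifier with a keyed token (HMAC-SHA256). It is
// deterministic, so records about the same person still join on the token, but
// without the key the token cannot be mapped back to the identifier, and a plain
// hash of a candidate identifier will not reproduce it.
func (m *SealedModule) Pseudonymise(identifier string) string {
	mac := hmac.New(sha256.New, m.pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// Encrypt is the reversible operation: a fresh random nonce per call makes two
// encryptions of the same value differ. context (e.g. the record id) is
// authenticated but not encrypted, so a ciphertext moved to another record
// fails to decrypt there. Output layout: nonce || ciphertext || GCM tag.
func (m *SealedModule) Encrypt(plaintext, context []byte) ([]byte, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return m.aead.Seal(nonce, nonce, plaintext, context), nil
}

// Decrypt also runs inside the module; the key never crosses the boundary.
func (m *SealedModule) Decrypt(blob, context []byte) ([]byte, error) {
	ns := m.aead.NonceSize()
	if len(blob) < ns+m.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	plaintext, err := m.aead.Open(nil, blob[:ns], blob[ns:], context)
	if err != nil {
		return nil, errors.New("decryption refused: wrong key, wrong context, or tampered data")
	}
	return plaintext, nil
}

func main() {
	m, err := NewSealedModule()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: an e-mail address to pseudonymise, a field to encrypt.
	token := m.Pseudonymise("alice@example.com")
	blob, _ := m.Encrypt([]byte("IBAN placeholder"), []byte("record-42"))
	back, err := m.Decrypt(blob, []byte("record-42"))
	fmt.Printf("token=%s... plaintext=%q err=%v\n", token[:16], back, err)
	_, err = m.Decrypt(blob, []byte("record-43")) // same blob, different record context
	fmt.Println("cross-record decrypt:", err)
}
```

The point to notice is the shape of the API: nothing in `SealedModule` exports `pseudoKey` or the AES key, so a compromised application host can ask for tokens and decryptions but cannot walk away with the keys, which is the property the answer attributes to an HSM. A real HSM adds what software cannot: physical protection of the key store and an audit of who asked for which operation.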
Evidently, Worldline helps its customers with GDPR compliance through software solutions, but do we also offer hardware solutions?
Indeed, we have been manufacturing cryptographic modules for over 30 years and today, we offer ADYTON, our latest generation HSM. This name was not randomly picked as it means “a place not to be entered” in ancient Greek and is also a reference to a room in ancient Greek temples.
ADYTON is not only a cryptographic module but also a cryptographic accelerator. It is compliant with the highest security levels required by the financial industry which means it is suitable for any actor from any industry processing secured and confidential data.
ADYTON enables the easy and efficient management of cryptographic keys and the encryption of the company’s data.
How does ADYTON stand out from the competition?
There are indeed several key elements that make ADYTON stand out from other modules currently available on the market.
The first key elements are its reliability and its performance, while maintaining an attractive ownership cost. Indeed, ADYTON is certified FIPS 140-2 levels 3 and 4 for hardware, which is the highest FIPS certification. Moreover, our module features its user interfaces, such as the screen, the keyboard, the card reader, the biometric reader and the USB port, on its front. Finally, ADYTON does not include any mobile or rotating pieces making it a very durable module.
Another key element is its design, which is much appreciated by its users. Indeed, this module, which is no bigger than a TV box, can be hot swapped in its secured rack. Its interface is user friendly, with assistants displayed on its screen enabling a fast startup process.
Handling the module is pretty straightforward as the focus was put on its user friendliness and its ease-of-use. It only takes a few minutes to set up an ADYTON without the need for complex processes or user manuals.
Finally, an essential feature of ADYTON is cloning, which enables duplication and synchronization of an ADYTON to, or from, another ADYTON on the network. This is particularly useful when adding a new module to the network or when a fleet of ADYTONs needs to be updated because a new secret key has to be added.
What other current issues does ADYTON cover beyond the GDPR?
Initially, ADYTON was already covering issues from the financial industry, specifically in the context of secured operations tied to electronic payments. Our module is clearly adapted to any industry in which high security cryptography is needed for its high value data. Examples are database encryption and electronic signatures, but there are others: in industrial manufacturing when injecting cryptographic keys into TPM (Trusted Platform Module) chips; in the energy industry to secure smart meters; and even in the Telecom industry for SIM card customization and mobile wallets, to name a few.