Back in May 2018, the General Data Protection Regulation (GDPR) took effect in Europe, and if nothing else, preparing for it has made clear that privacy and security are intertwined concepts. Data privacy - along with the unprecedented breaches of data protection and exploitation of private data we've seen - has become more than just talk. Perhaps more importantly, cybersecurity has become a concern for everyone in a company, not just the domain of IT professionals who specialize in (or may not even specialize in) security. Security, and by extension safeguarding privacy, has become the concern of senior executives and corporate boards as well, given the severe and far-reaching consequences of data breaches in the post-GDPR era.
Responsibility for data security
Until recently, companies placed responsibility for cybersecurity, and thus privacy, mostly on the shoulders of (often overburdened) IT departments. Now that there are real financial consequences for non-compliance (hefty fines of 4% of the company's annual revenue), the cost of ignoring security and privacy - and of not weaving them into every aspect of the business - is too high. It is a more complex issue than many company executives might imagine, and only now is it becoming clear what data security (and preserving privacy) really means.
Defining data security
Data security means knowing what data you have and how it is retained. For everything you retain, you must understand how it is stored and how it is encrypted. You must know who has access to this data and how they access it, and ensure that adequate access controls are in place.
One of the tenets of the GDPR is that companies must be able to show evidence that they handle personal data with respect and care, and what processes they have in place to do so (in case they are audited or in case there is a problem). One piece of the compliance puzzle is data encryption: companies are encouraged to encrypt user data so that, should it fall into the wrong hands, it is useless to malicious operators and remains private. Of the more than 9 billion data records stolen since 2013, only 4% were encrypted. There is room for vast improvement.
This is not insignificant: by 2021, damages caused by data security breaches are projected to reach USD 6 trillion annually.
Multiple security measures work hand in hand to provide many layers and types of protection. Varnish offers both client-facing TLS and backend TLS, which in combination form one modern, minimalistic and fast TLS proxy for end-to-end transport security.
Varnish also pioneered total cache encryption, which is designed to encrypt all your caches across Varnish instances at all times. Varnish Total Encryption encrypts each cache item individually, locking it down completely, and prevents a whole class of cache vulnerability: the cache leak, in which a stored object is exposed to a party it was never intended for.
With Varnish, a number of defensive measures and countermeasures exist to help you not only comply with GDPR but also build a security-by-design cybersecurity strategy, including protective measures against DDoS attacks and more. Varnish helps you mitigate risk, develop a security-first policy and continually tighten your security. Read our latest security white paper to learn more.