As the GDPR deadline neared, the Internet Corporation for Assigned Names and Numbers (ICANN) came up with a temporary solution to bring WHOIS into compliance with GDPR.
WHOIS is an internet protocol used to query databases and obtain information about the registration of a domain name. ICANN had asked for a year to bring WHOIS data handling fully into compliance with GDPR, but the request was declined.
“Unless there is a moratorium, we may no longer be able to … maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented … A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services,” argued ICANN.
Under the temporary solution, Registry Operators and Registrars will still collect registration data such as registrant, administrative and technical contact information.
What changes is that most of the personal data will no longer be publicly available. Users who want access to non-public data will have to request it from the Registrars and Registry Operators, stating a legitimate and proportionate purpose. Requests will be submitted via an anonymized email address or a web form.
The temporary solution will apply to all registrations and will cover the data processing arrangements between ICANN, Registry Operators, Registrars, and Data Escrow Agents.
“WHOIS is an important system, and preserving it allows it to continue to act as a key tool in the ongoing fight against cybercrime, malicious actors, intellectual property infringement, and more. This Temporary Specification, which is based on the Proposed Interim Compliance Model, aims to prevent fragmentation of WHOIS and ensure that WHOIS continues to be available, to the greatest extent possible,” said Cherine Chalaby, Chair, ICANN Board of Directors.
Around 25% of organizations experienced cryptojacking activity in their cloud environments in 2018, up from just 8% in the previous quarter, according to the Cloud Security Trends report by RedLock.
RedLock's Cloud Security Intelligence (CSI) team published the report to shed light on cloud security trends in 2018.
Cryptojacking becoming mainstream
The report highlighted that cryptojacking, an attack in which hackers hijack a target's processing power to mine cryptocurrency, is becoming a serious emerging threat to businesses.
Organizations are aware of attacks against cloud environments and use several practices to prevent them, yet the attack vectors are still on the rise. Cryptojacking more than tripled this year.
Cryptocurrency mining requires a lot of computing power, so attackers steal cloud computing resources to do it. The CSI team found that some attackers were using advanced evasion techniques for cryptojacking.
Majority of resources do not restrict outbound traffic
85% of resources associated with security groups had no firewall restrictions on outbound traffic, up from 80% a year earlier. Unrestricted egress can lead to accidental data loss and, in a breach, to data exfiltration.
RedLock suggested that organizations implement a 'deny all' default outbound firewall policy, monitor network traffic to identify suspicious activity, and monitor user activity for any abnormal behavior.
43% of access keys not rotated in the last 90 days
Another key finding of the report was that 43% of organizations had not rotated their access keys and credentials in the last 90 days. This is a big concern because, despite past incidents such as credentials leaked in GitHub repositories, a majority of organizations left themselves open to attack.
Around 17% of organizations suffered potential account compromises, and 51% of organizations publicly exposed one or more cloud storage services.
20% of organizations allowing root user activities
A positive finding of the report was that only 20% of organizations allowed the root user account to be used for routine activities, down from 73% last year. Root user accounts should not be used for regular operations; multi-factor authentication should be enforced on them, and they should be monitored for any suspicious behavior.
49% of databases not encrypted
With the growing trend to encrypt databases because of cybersecurity standards like GDPR (General Data Protection Regulation), database encryption has increased. Last year, 82% of databases were found unencrypted; that figure has now fallen to 49%.
The CSI team further revealed in the report that 24% of organizations had hosts in the public cloud missing critical patches, leaving those hosts vulnerable to suspicious traffic from the internet.
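The findings above (open outbound rules, stale access keys, root-account use without MFA, unencrypted databases, hosts missing critical patches) are the kind of checks a cloud posture scanner runs against an account inventory. The script below is an added example, not RedLock's tooling: it runs those checks over a constructed inventory embedded inline, so it runs offline. The inventory layout (a plain dict loosely shaped like cloud provider API output), the 90-day key age, the 30-day root-use window and all resource names are assumptions.

```python
"""Posture checks for the report's findings over a constructed inventory.

Added example, not RedLock code. The inventory shape, thresholds and
resource names are assumptions; the data is constructed, not real.
"""
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)        # report's rotation window
ROOT_USE_WINDOW = timedelta(days=30)    # assumed "recent root use" window
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample inventory (not real account data).
NOW = datetime(2018, 5, 20, tzinfo=timezone.utc)
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "egress": [{"cidr": ANY_V4, "ports": "all"}]},
        {"id": "sg-db", "egress": [{"cidr": "10.0.0.0/8", "ports": "all"},
                                  {"cidr": ANY_V4, "ports": "443"}]},
        {"id": "sg-batch", "egress": [{"cidr": "10.0.1.0/24", "ports": "5432"}]},
    ],
    "access_keys": [
        {"user": "deploy", "created": NOW - timedelta(days=200)},
        {"user": "ci", "created": NOW - timedelta(days=30)},
    ],
    "root_account": {"mfa_enabled": False, "last_used": NOW - timedelta(days=3)},
    "databases": [
        {"id": "orders", "storage_encrypted": True},
        {"id": "customers", "storage_encrypted": False},
    ],
    "hosts": [
        {"id": "i-01", "missing_critical_patches": 0},
        {"id": "i-02", "missing_critical_patches": 4},
    ],
}


def open_egress(groups):
    """Groups with an outbound rule to any destination on all ports.
    Port-limited rules to 0.0.0.0/0 (e.g. 443 only) are not flagged; a
    'deny all' default policy means no rule should match here."""
    return sorted(g["id"] for g in groups
                  if any(r["cidr"] in (ANY_V4, ANY_V6) and r["ports"] == "all"
                         for r in g["egress"]))


def stale_keys(keys, now, max_age=KEY_MAX_AGE):
    """Access keys older than the rotation window."""
    return sorted(k["user"] for k in keys if now - k["created"] > max_age)


def root_findings(root, now, window=ROOT_USE_WINDOW):
    """Root account should have MFA and should not be used for daily work."""
    findings = []
    if not root["mfa_enabled"]:
        findings.append("root account has no MFA")
    if root["last_used"] is not None and now - root["last_used"] <= window:
        findings.append("root account used within the last %d days" % window.days)
    return findings


def unencrypted_databases(dbs):
    return sorted(d["id"] for d in dbs if not d["storage_encrypted"])


def unpatched_hosts(hosts):
    return sorted(h["id"] for h in hosts if h["missing_critical_patches"] > 0)


def audit(inv, now):
    """Run every check and return the offending resources per check."""
    return {
        "open_egress": open_egress(inv["security_groups"]),
        "stale_keys": stale_keys(inv["access_keys"], now),
        "root": root_findings(inv["root_account"], now),
        "unencrypted_databases": unencrypted_databases(inv["databases"]),
        "unpatched_hosts": unpatched_hosts(inv["hosts"]),
    }


if __name__ == "__main__":
    for check, hits in audit(INVENTORY, NOW).items():
        print(f"{check}: {hits if hits else 'ok'}")
```

On a real account the same functions would be fed from the provider's API output after mapping it into this shape; the checks themselves do not change.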
“We understand why there might be fatigue with endless reports on IT infrastructures that lack adequate security, and there are signs that corporations are stepping up initiatives to minimize vulnerabilities, but there’s definitely more to do,” said Gaurav Kumar, CTO of RedLock and head of the CSI team. “That’s why this report not only shines a light on emerging dangers but also offers concrete advice on how best to ward off attacks. Cloud computing environments bring tremendous flexibility and great economies of scale, but those advantages are meaningless without top-level security. This is a constant and shared responsibility.”
The deadline for General Data Protection Regulation (GDPR) compliance is just three weeks away, and around 60% of companies are likely to miss it, according to the 2018 GDPR Compliance Report by Crowd Research Partners.
GDPR is a regulation that requires companies to protect the information and data of EU data subjects, and it applies to anyone offering goods or services to EU citizens. First approved and adopted by the EU Parliament in April 2016, it comes into force on 25th May 2018.
With this, companies in European Union countries will need to comply with strict rules on the collection and use of customer data, enforceable under the new GDPR law.
Companies will need to implement strict data protection policies to safeguard user data such as IP addresses, cookies, names, contact details and addresses, and ensure that it is not publicly available.
Only 40% of companies will be GDPR compliant by the deadline
In last year's survey, only 5% of companies were in full compliance with GDPR. The number hasn't improved much since then, with only 7% of companies indicating compliance readiness in the latest GDPR compliance survey.
According to the report, 33% of companies expected to meet all compliance requirements before the deadline.
32% of companies had started the compliance process but were not sure about meeting the deadline, while 28% had plans but hadn't made any progress.
Half of companies quite familiar with GDPR
50% of companies had either deep knowledge of, or were quite familiar with, the GDPR regulation, while one quarter of companies knew some details about GDPR.
What's shocking is that despite the publicity surrounding GDPR, 25% of companies had either very limited knowledge or no knowledge at all.
Majority of companies consider GDPR compliance a priority
Most companies (80%) considered GDPR compliance a top priority, with 34% counting it among their top three priorities and 46% counting it among a number of priorities.
The remaining 20% of companies did not count GDPR compliance as a priority at all.
Top GDPR compliance challenges
The survey revealed that a lack of expert staff (43%) and a lack of budget (40%) were the primary challenges for companies becoming GDPR compliant.
The other significant challenges for GDPR compliance were a limited understanding of the regulations (31%), a lack of the necessary technology (23%), and a lack of management support (20%).
GDPR compliance efforts will increase data governance budget
56% of companies expected their data governance budget to rise to tackle the GDPR compliance challenges. 39% believed it would neither increase nor decrease, while only 5% expected a decline.
Majority of companies expect to make minor changes in security practices
The survey respondents cited cybercriminals (60%) and accidental loss by employees (57%) as the biggest threats to their organization's data.
To become GDPR compliant, 28% of companies said they would need to make major changes to their security practices and systems.
A majority of companies (56%) expected minor changes, whereas 16% expected no change at all.
Majority of companies to spend at least 500 staff hours this year on GDPR efforts
Around 77% of companies said they would need to spend at least 500 staff hours this year on GDPR compliance.
23% expected to spend more than 1000 hours this year on GDPR compliance efforts.
63% of companies will take more than two months (from the survey date) to become GDPR compliant
A majority of companies (63%) said they would need more than two months from the survey date to become GDPR compliant. 37% expected to spend at least two months more, whereas 14% will need more than 48 months.
The GDPR set of rules and policies comes into effect on May 25th, 2018. Companies in the EU, or those doing business in the EU, need to be aware of the different ways in which GDPR will affect their business strategies.
The GDPR Interactive Sessions, powered by Innovation Enterprise, provide senior executives and attendees with a platform to discuss and debate the latest technology trends and innovations that are shaping, or have the potential to shape, the future of business.
As part of the London Data Festival 2018, featuring 4 summits across 2 days, the GDPR sessions will primarily discuss topics such as the impact of GDPR on marketing and sales; compliance with GDPR; whether GDPR is an opportunity; and trust, transparency and progressive information rights.
The GDPR Interactive Sessions will feature 8+ industry-leading speakers, 80+ senior-level attendees, case studies, and 10+ hours of premium content and networking opportunities.
The sessions will also discuss the role of senior executives in implementing GDPR policies across the organization. As GDPR affects the entire organization and not just one department or process, senior executives have a primary role to play in reframing current company policies to make them GDPR compliant.
The list of speakers includes Tini Sevak, Global Director of Data Application, YouGov; Peter Jackson, Chief Data Officer, Southern Water; Moad Raghie, Global Digital Projects Manager, JLL; Damien Austin-Walker, Product Director, Do-It.org; and James Sandberg, Chief Customer Devotee, Customer Devoted Ltd.
The sessions will take place at the etc.venues 155 Bishopsgate conference and exhibition centre, next to Liverpool Street Station in the heart of the City of London.
Stay tuned for the latest updates from the sessions.
The European Union's General Data Protection Regulation (GDPR) will be implemented in May 2018. With this, companies in European Union countries will need to comply with strict rules on the collection and use of customer data, enforceable under the new GDPR law.
GDPR compliance will take into account issues such as the collection of personally identifiable information by companies, including big names like Google and Facebook. Companies will need to implement strict data protection policies to safeguard user data such as IP addresses, cookies, names, contact details and addresses, and ensure that it is not publicly available.
A case in point is the future of the public WHOIS database, the protocol that provides information about the people who have registered a domain name.
WHOIS data is highly useful to businesses and institutions, which can track the information and its distribution pattern to identify malware or potential threats. On the other hand, the open availability of sites' critical registration information is a gift to hackers and spammers.
This has brought about a debate, following the GDPR announcement, between the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that controls domain names across the world, and the domain registrars.
Before we discuss the debate, here is a quick history of GDPR:
What is GDPR compliance?
GDPR is a regulation that requires companies to protect the information and data of EU data subjects, and it applies to anyone offering goods or services to EU citizens.
GDPR was first approved and adopted by the EU Parliament in April 2016. After a two-year transition period, it comes into force in May 2018.
What is the purpose of implementing GDPR?
GDPR replaces the EU Data Protection Directive, which was implemented in 1995, well before the internet became the online hub for business that it is today. That left the directive unable to answer various questions about how data is collected, stored and processed by websites. GDPR therefore sets a standard for data protection that companies must follow to safeguard customers' private data. GDPR will protect:
Personal information such as name, IP address, contact details, and address.
Web data such as cookies, forms, locations, and RFID (radio-frequency identification) tags.
Racial or ethnic data.
GDPR defines various roles responsible for compliance within an organization, such as the data controller, the data protection officer (DPO), and the data processor. Compliance requires companies to assign a DPO who oversees the organization's data strategy and ensures compliance across all departments.
ICANN and WHOIS conflict post GDPR
Coming back to our main topic, GDPR compliance has impacted nearly every organization doing business in the EU, and it has caused a policy meltdown at the internet overseer, ICANN.
ICANN's WHOIS rules require domain registrars to make publicly available the data of the people or organizations who have registered a domain name. This is the stark opposite of the GDPR law. The present WHOIS system displays the name, phone number, and address of registrants. While ICANN, being a US entity, has managed to ignore this fact for quite a long time, registrars located in the EU have raised the issue.
With the deadline drawing closer, ICANN recently issued three interim models for domain registrars that will allow them to comply with both ICANN's rules and the implementation of GDPR in the EU, until it comes up with a permanent solution for the issue.
ICANN – Proposed Interim GDPR Compliance Models
The three interim models differ slightly from each other in some parameters, depending on the status of the registrant and the location of the registry, registrar, registrant or DPO. Here is a brief summary of the three models:
Overview: The first model will permit the display of thick registration data, excluding the registrant's contact details (email, address, name and postal address). To obtain the excluded details, third parties will first need to issue a self-certification clearly stating the purpose for accessing the data.
Model 1 will apply only to the personal data included in the registration data of a natural person, where:
The registrar or registry is located in the EEA (European Economic Area).
The registrar or registry is located outside the EEA but processes data of registrants located in the EEA.
The registrar or registry is located outside the EEA and processes non-EEA data included in registrations, but engages a processor located within the EEA to process that data.
Under Model 1, unless the registrant explicitly states otherwise, registries and registrars need to display the following minimum information in public WHOIS:
Details of the primary and secondary nameserver(s) for the Registered Name.
Details about the registrar.
The date the registration was originally created.
The expiry date.
The name and postal address of the registrant (but not the telephone number or email address).
The available details of the administrative contact: email address, fax number and telephone number (thus no name or postal address of the administrative contact).
The available details of the technical contact for the Registered Name: email address, fax and telephone number (thus no name or postal address of the technical contact).
Overview: Model 2 comes in two variants, Model 2A and Model 2B, and will permit the publication of thin registration data, which also includes the technical and administrative contact email addresses and contact IDs. Registries and registrars will need to provide access to non-public information only to a defined set of third-party accessors on the basis of accredited certification.
Model 2A will apply to the personal data in the registration data regardless of whether the registrant is a natural or legal person, where:
The registrar/registry is located within the EEA and processes data included in the registration data.
The registrar/registry is established outside the EEA and processes the registration data of registrants located within the EEA.
The registry/registrar is established outside the EEA and processes non-EEA personal data, but engages data processors located within the EEA to process the personal data.
Model 2B will apply to all registrars regardless of the location of the registry, registrar, registrant or data processor. Apart from this, there is no difference between Model 2A and Model 2B.
Under this model, unless the registrant permits otherwise, registries and registrars would display the following data in public WHOIS:
Details of the primary and secondary nameserver(s) of the Registered Name.
Details about the registrar.
The date the registration was originally created.
The expiry date of the registration.
The administrative contact's email address for the Registered Name (thus no name, telephone number, postal address or fax of the contact).
The technical contact's email address for the Registered Name (thus no name, telephone number, postal address or fax of the contact).
Note that this model will not display the name of the registrant, whether a legal or natural person, unless the registrant opts in.
Overview: The third model will allow the publication of thin registration data and other non-personal data. If a requestor needs access to non-public information, they will need to provide a subpoena or an equivalent court or judicial tribunal order.
Model 3 will apply to all registrations globally, regardless of the location of the registry, registrar, registrant or data processor.
Here, unless the registrant states otherwise, registries and registrars would need to display the following information:
Complete details of the primary and secondary nameserver(s).
The date the registration was originally created.
No publication of personal data.
Amid the entire conflict, the major question is whether ICANN can come up with a permanent solution that complies with GDPR without restricting global internet users' access to public WHOIS data.
The organization is seeking community suggestions and feedback on the three interim models. It is very important that ICANN is able to keep WHOIS data from being completely restricted.
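The three models above, like the Temporary Specification described at the top of the page, all reduce to the same mechanism: the registrar keeps the full record and the public WHOIS answer carries only a chosen subset of fields. WHOIS itself (RFC 3912) is a trivial protocol: the client opens a TCP connection (port 43 in production), sends the query followed by CRLF, and the server writes a free-form text reply and closes the connection. The script below is an added example, not ICANN's or any registrar's code: a minimal local WHOIS server answers a constructed registration record filtered to the public field set of whichever model is selected, and a client runs the exchange against it over localhost on an ephemeral port. The record contents, field names, the exact field subsets (taken from the lists above) and the key: value line layout are assumptions.

```python
"""RFC 3912 WHOIS exchange with per-model field redaction on the server side.

Added example, not ICANN or registrar code. The record is a constructed
sample, field names and public subsets are assumptions drawn from the
model descriptions, and an ephemeral localhost port stands in for port 43.
"""
import socket
import threading

# Full record as a registrar would hold it (constructed, not a real registration).
RECORD = {
    "domain": "example-registrant.test",
    "nameservers": "ns1.example-registrant.test, ns2.example-registrant.test",
    "registrar": "Example Registrar Ltd",
    "created": "2016-04-27",
    "expiry": "2019-04-27",
    "registrant_name": "Jane Doe",
    "registrant_address": "1 Sample Street, Sampletown",
    "registrant_phone": "+00.000000",
    "registrant_email": "jane@example-registrant.test",
    "admin_name": "Jane Doe",
    "admin_email": "admin@example-registrant.test",
    "admin_phone": "+00.000001",
    "admin_fax": "+00.000002",
    "tech_name": "Ops Team",
    "tech_email": "hostmaster@example-registrant.test",
    "tech_phone": "+00.000003",
    "tech_fax": "+00.000004",
}

# Fields each interim model leaves in the public answer (assumed mapping).
PUBLIC_FIELDS = {
    "model1": ("nameservers", "registrar", "created", "expiry",
               "registrant_name", "registrant_address",
               "admin_email", "admin_fax", "admin_phone",
               "tech_email", "tech_fax", "tech_phone"),
    "model2": ("nameservers", "registrar", "created", "expiry",
               "admin_email", "tech_email"),
    "model3": ("nameservers", "created"),
}


def public_view(record, model, registrant_opt_in=False):
    """Return only the fields the chosen model publishes.
    Model 2 adds the registrant name only when the registrant opts in."""
    fields = list(PUBLIC_FIELDS[model])
    if model == "model2" and registrant_opt_in:
        fields.append("registrant_name")
    return {k: record[k] for k in fields}


def render(domain, view):
    """Lay the view out as 'key: value' lines, the customary WHOIS reply style."""
    lines = [f"Domain Name: {domain}"] + [f"{k}: {v}" for k, v in view.items()]
    return "\r\n".join(lines) + "\r\n"


def serve_one(listener, model):
    """Server side of one RFC 3912 exchange: read up to CRLF, reply, close."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        query = buf.decode("ascii", "replace").strip()
        if query == RECORD["domain"]:
            reply = render(query, public_view(RECORD, model))
        else:
            reply = 'No match for "%s".\r\n' % query
        conn.sendall(reply.encode("ascii", "replace"))


def whois_query(host, port, domain, timeout=5):
    """Client side: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def exchange(model, domain=RECORD["domain"]):
    """Run server and client locally on an ephemeral port; return the reply text."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # production WHOIS listens on TCP 43
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one, args=(listener, model))
    server.start()
    try:
        return whois_query("127.0.0.1", port, domain)
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    for name in PUBLIC_FIELDS:
        print(f"--- {name} ---\n{exchange(name)}")
```

Because the redaction happens before `render`, the personal fields never reach the wire under any model; the access-request path for non-public data described above would be a separate, authenticated channel rather than a variant of this query.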
Microsoft announced a number of new information protection capabilities and updates to Microsoft 365 in response to GDPR, which comes into effect on 25th May.
The GDPR (General Data Protection Regulation) aims to protect and empower the data privacy of all citizens of Europe, and to reshape the way organizations in Europe approach data privacy. Organizations found to be non-compliant after May 25th may face heavy fines.
An organization is responsible for meeting all regulatory requirements when its data is on-premises. When the data is moved to the cloud, the Cloud Service Provider shares that responsibility.
The updates to Microsoft 365 include general availability of Compliance Manager for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers. Compliance Manager, available in preview since November 2017, enables organizations to perform ongoing risk assessments and makes transparent to customers how Microsoft protects their data.
Compliance Manager includes a Compliance Score feature, which gives organizations visibility into their compliance posture with a risk-based reference score. It is available for Office 365 users.
Microsoft also announced general availability of the Azure Information Protection scanner, which enables users to automatically discover, classify, label, and protect documents in on-premises repositories such as file servers and on-premises SharePoint servers.
The new intelligent compliance solutions in Microsoft 365 will help organizations protect sensitive data and support data protection in apps and across cloud services. Organizations can configure the scanner to periodically scan hybrid and on-premises repositories.
Additionally, Microsoft is previewing a consistent labeling schema experience, which eliminates the need to create labels in two different places across the information protection solutions in Microsoft 365.
Microsoft's biggest partner event, Inspire 2017, came to an end yesterday.
The event was a great success, with over 17,000 attendees, some major product announcements and partner-led digital transformation goals.
The Day 1 keynote session focused on empowering organizations through new and advanced technology products like Microsoft 365.
Microsoft's Corporate VP for One Commercial Partner, Ron Huddleston, emphasized the immense opportunity available to partners through the new partner program.
He said that the new One Commercial Partner program will work with partners in three important areas:
Build With: Microsoft partner development experts will work with partners who need help building their own IP, practice or any other capability.
Go-to-Market: The partner experts' team will help partners bring their product to market through offers.
Sell With: Channel managers will work hand in hand with the Microsoft sales team to ensure that the right partner solution is available to the right customer at the right time.
While the Day 1 keynote focused on new products, programs and partner opportunities, the Day 2 keynote covered implementation.
Judson Althoff, Executive VP, Worldwide Commercial Business, talked about the four important pillars of digital transformation at Microsoft: Engage Customers, Empower Employees, Optimize Operations and Transform Products.
Using real-world examples, he explained how partners can play an important role in empowering end customers to ride the digital wave.
The examples, which covered a wide range of industries from healthcare to retail, manufacturing and mining, helped partners understand how they can grasp customer needs more quickly and act even faster.
He added that, to strengthen the bond between Microsoft and its partners, they would focus on two important areas of selling solutions: Azure Co-sell, which will assist partners who build a solution on Microsoft Azure, and channel managers, who will help partners build and sell powerful solutions within Azure.
The final vision keynote on Day 3 focused on new efforts by the company regarding privacy, the new sales team reorganization and the overall policies it would use to have an impact on the world.
It included announcements around GDPR compliance, which comes into effect next year, and that Microsoft is ready to help partners comply with the new rules.
Microsoft also discussed its AI for Earth program, originally announced at an AI event in London. Under this program it will provide access to cloud and other AI computing resources, lighthouse projects and technology training, a $2 million commitment in the next fiscal year.
Overall, the event brought new inspiration to partners and strengthened their belief that Microsoft is a partner-led company that puts partners at the forefront of digital transformation.