The GDPR is coming, The GDPR is coming!!!
We all know that the GDPR goes into effect in May. As I was listening to the Defensive Security Podcast this week, they started talking a bit about how privacy laws can affect security and security posture. It is odd to think that something like privacy, which we are in favor of, can have a negative effect on security, but it can. If you think long and hard about it, without being able to access logs to see where people have been on their corporate computers, how secure can we make them? One of the first steps in corporate security is knowing what is on the network and knowing what data you have. Now you have an employee using their work computer for personal business, say online banking, or logging into a patient portal. Now let's say those are phishing sites that look very much like the real site, and not only that, but after the first login attempt they redirect to the real site. At what point do we have to stop in an investigation of, say, malware on the machine? At what point are they maybe breaking corporate rules? The corporation cannot compel the individual to opt into being monitored according to the GDPR. Maybe the corporation has a policy of no personal business being done on the work computer. How do we know without being able to have that insight?
What we seem to be getting into is a sticky situation that really has not been thought through to its logical conclusions, or at least most scenarios except the best case were not considered viable. In the end there is a balance required to get the best security and privacy at the same time. Right now, though, everything tends to be out of balance.