While tech giants like Facebook and Google are taking a gamble on how they handle consumer data in Europe, the rest of the world is hustling to become GDPR compliant.
A few weeks ago, I wrote that GDPR places responsibility for data privacy squarely on businesses and that this will have a great impact on how businesses will have to focus on building security into their application from the ground-up in order to comply. Today, I’ll look at best practices for compliance and provide an example of how one platform for automated software analysis addresses GDPR requirements.
Assessing Legacy Applications
Using automated application portfolio analysis is particularly vital for companies running either legacy applications or applications built upon legacy apps. Often, the original application includes code so old that the average IT manager and most CIOs were in grade school when it was written. This means it’s highly unlikely that even the most senior members of the IT department will have had experience with the code used to write the legacy apps.
The problem this unfamiliarity causes goes beyond the difficulty of rewriting old code or untangling the system to move its data to modern platforms. Equally complex, and sometimes nearly impossible, is figuring out where the old mistakes are – if nobody knows what is right, how can they know what is wrong? That makes fixing old issues problematic at best.
Workarounds, or simply ignoring the issues and hoping they won't cause trouble down the road, are the most frequent answers, but sidestepping the problem is no longer an option under GDPR. Ignoring or working around it leaves the poor structural quality in place that leads to future breaches.
An automated assessment platform reviews hundreds of thousands of lines of code quicker and with a far better understanding of what it is looking for than a manual review. By automating the process of static analysis, companies can ferret out offending legacy code and give those responsible for the upgrade a solid structure upon which to build.
Employing this same automated analysis and measurement platform to conduct continual architectural and code component reviews, catching new issues as they arise, ensures that whatever is being built atop the legacy application interacts properly with the existing code.
Automated Application Portfolio Analysis in Practice
One example of how an automated application portfolio analysis platform works to uncover vulnerabilities, and therefore assist in GDPR compliance, is CAST’s Application Intelligence Platform (AIP), which creates a digital image of the internal composition of applications.
Unlike code testing, CAST applies system-level architectural assessments to examine how components interact and how they work across technology layers, data structures and end-to-end transactions, from user entry to data access. The result is a Data Protection Impact Assessment (DPIA) that provides a comprehensive understanding of complex software composition and unprecedented intelligence about its internal integrity.
The value of using a solution like CAST AIP in developing the DPIA is:
- Reduces application development and maintenance (ADM) costs by reducing the need for numerous critical IT resources to investigate issues manually.
- Reduces tooling costs by using a single solution to drive application security and privacy measures.
- Improves speed and scale of development by working on several applications in parallel with an industrialized process.
- Makes issues actionable for IT by providing reports that IT managers can use to drive compliance among the development team.
A platform like CAST’s Application Intelligence Platform is also important to maintaining ongoing compliance with GDPR. CAST:
- Automates the reporting of GDPR compliance to the IT of the data processing organization (DPO) by flagging private data and accepted GDPR transactions in the CAST Knowledge Base, and tracks:
- The addition of new data columns/tables for DPO/IT Review
- The addition/modification of transactions accessing private data
- The addition of application security violations involving private data
- Develops a roadmap that provides a data visualization index with Impacts navigation and Data Privacy Index calculation
With these investigations and reports in place, CAST AIP provides a solution for a number of the articles in GDPR, including:
- Article 25 – Data protection by design and by default: Helps document current application design, identifies weaknesses and remediation points, and then establishes an architecture governance mechanism to ensure continued data protection by design.
- Article 30 – Records of processing activities: Builds a data processing register for highly sensitive data, then maintains an active data protection register that is reverse engineered from software structure.
- Article 32 – Security of processing: Evaluates the current state of application security against benchmarks, and then focuses the tightest application security on the most sensitive data.
- Article 35 – DPIA: Supports consulting teams in achieving an initial impact assessment and establishes a basis that will make conducting DPIA easier in the future.
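The two capabilities described above, flagging private data in the schema and tracking newly added tables or columns that hold it (the bulleted list) and keeping a data protection register that is reverse engineered from software structure (Article 30), can be illustrated with a small script. The example below is added here and is not CAST's code; it assumes a simple keyword-based classification of column names (a real platform would use far richer rules) and uses constructed sample DDL for a "baseline" and a "current" schema. It builds a register from each, then diffs them so new personal-data columns and tables are surfaced for DPO/IT review.

```python
"""Added example (not CAST's code): build a minimal data-protection register
from CREATE TABLE DDL and diff it against a previous register, flagging newly
added tables/columns that hold personal data for review.
All DDL below is constructed sample input."""
from __future__ import annotations
import re

# Assumption: column-name keywords treated as personal data. Order matters:
# the first matching category wins.
PII_PATTERNS = {
    "email": re.compile(r"e?mail", re.I),
    "name": re.compile(r"(first|last|full)?_?name$", re.I),
    "phone": re.compile(r"phone|mobile|tel", re.I),
    "national_id": re.compile(r"ssn|passport|national_id", re.I),
    "dob": re.compile(r"birth|dob", re.I),
    "address": re.compile(r"address|postcode|zip", re.I),
    "ip": re.compile(r"ip_?addr", re.I),
}

# Matches one CREATE TABLE statement; the body is everything up to ");".
CREATE_RE = re.compile(r"CREATE\s+TABLE\s+(\w+)\s*\((.*?)\);", re.I | re.S)
TABLE_CONSTRAINTS = ("PRIMARY", "FOREIGN", "CONSTRAINT", "UNIQUE")


def classify(column: str) -> str | None:
    """Return the PII category for a column name, or None if not personal data."""
    for label, pat in PII_PATTERNS.items():
        if pat.search(column):
            return label
    return None


def parse_ddl(ddl: str) -> dict[str, list[str]]:
    """Return {table: [column, ...]} from CREATE TABLE statements.
    Simplification: column definitions are split on commas, so types such as
    DECIMAL(10,2) are not handled; the sample DDL avoids them."""
    tables: dict[str, list[str]] = {}
    for m in CREATE_RE.finditer(ddl):
        name, body = m.group(1), m.group(2)
        cols = []
        for line in body.split(","):
            line = line.strip()
            if not line or line.upper().startswith(TABLE_CONSTRAINTS):
                continue  # skip table-level constraints, keep column lines
            cols.append(line.split()[0])  # first token is the column name
        tables[name] = cols
    return tables


def build_register(ddl: str) -> dict[str, dict[str, str]]:
    """Register of personal data: {table: {column: category}}, PII columns only."""
    register: dict[str, dict[str, str]] = {}
    for table, cols in parse_ddl(ddl).items():
        hits = {c: cat for c in cols if (cat := classify(c))}
        if hits:
            register[table] = hits
    return register


def diff_registers(old: dict[str, dict[str, str]],
                   new: dict[str, dict[str, str]]) -> list[str]:
    """Flag new tables and new personal-data columns for DPO/IT review."""
    findings = []
    for table, cols in new.items():
        if table not in old:
            findings.append(f"NEW TABLE {table} holds personal data: {sorted(cols)}")
            continue
        for col, cat in cols.items():
            if col not in old[table]:
                findings.append(f"NEW COLUMN {table}.{col} ({cat})")
    return findings


# Constructed sample schemas: the register approved at the last review ...
BASELINE_DDL = """
CREATE TABLE customers (
  id INT PRIMARY KEY,
  full_name VARCHAR(100),
  email VARCHAR(255),
  created_at TIMESTAMP
);
CREATE TABLE orders (
  id INT PRIMARY KEY,
  customer_id INT,
  total INT
);
"""

# ... and the schema as it stands after recent development work.
CURRENT_DDL = BASELINE_DDL.replace(
    "  created_at TIMESTAMP\n", "  phone VARCHAR(32),\n  created_at TIMESTAMP\n"
) + """
CREATE TABLE support_tickets (
  id INT PRIMARY KEY,
  reporter_email VARCHAR(255),
  ip_addr VARCHAR(45),
  subject VARCHAR(200)
);
"""


def review_findings() -> list[str]:
    """Findings a DPO/IT reviewer would see for the constructed schemas."""
    return diff_registers(build_register(BASELINE_DDL), build_register(CURRENT_DDL))


if __name__ == "__main__":
    for finding in review_findings():
        print(finding)
```

Running the script prints one finding for the new `customers.phone` column and one for the new `support_tickets` table; tables without personal data (`orders`) never enter the register, which is what keeps the register focused on the data that Article 30 records are about.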
GDPR is now the law in Europe and it or something like it is sure to be implemented in the U.S. The best way to avoid running afoul of that law is by employing an automated application analysis platform like CAST’s AIP to locate vulnerabilities and create the reports required for your company to comply with GDPR.