GDPR: Automating Compliance Measures with Automated Application Portfolio Analysis

Jun 26, 2018 by Nicolas Derivery

While tech giants like Facebook and Google are taking a gamble on how they handle consumer data in Europe, the rest of the world is hustling to become GDPR compliant.

A few weeks ago, I wrote that GDPR places responsibility for data privacy squarely on businesses and that this will have a great impact on how businesses will have to focus on building security into their application from the ground-up in order to comply. Today, I’ll look at best practices for compliance and provide an example of how one platform for automated software analysis addresses GDPR requirements.

Assessing Legacy Applications

Using automated application portfolio analysis is particularly vital for companies running either legacy applications or applications built upon legacy apps. Often, the original application includes code so old that the average IT manager and most CIOs were in grade school when it was written. This means it’s highly unlikely that even the most senior members of the IT department will have had experience with the code used to write the legacy apps.

The problem this unfamiliarity goes beyond just trying to rewrite old code or untangle the system to transfer data to modern systems. Equally complex, if not nearly impossible, is figuring out where the old mistakes were – if nobody knows what’s right, how would they know what’s wrong? This makes finding fixes for old issues problematic at best.

Workarounds and just ignoring the issues, hoping they won’t pose a problem down the road, are the most frequent answers, but sidestepping the problem is no longer an option due to GDPR. Simply ignoring the problem or trying to get around it results in the poor structural quality that results in future breaches.

An automated assessment platform reviews hundreds of thousands of lines of code quicker and with a far better understanding of what it is looking for than a manual review. By automating the process of static analysis, companies can ferret out offending legacy code and give those responsible for the upgrade a solid structure upon which to build.

Employing this same platform of automated analysis and measurement to conduct continual architectural and code component reviews to find any new issues that arise ensures what is being build atop the legacy application interacts properly with the existing code.

Automated Application Portfolio Analysis in Practice

One example of how an automated application portfolio analysis platform works to uncover vulnerabilities, and therefore assist in GDPR compliance, is CAST’s Application Intelligence Platform (AIP), which creates a digital image of the internal composition of applications.

Unlike code testing, CAST applies system-level architectural assessments to examine how components interact, how they work across technology layers, data structures and end-to-end transactions -from user entry to data access. The result is a Data Protection Impact Assessment (DPIA) that provides a comprehensive understanding into complex software composition and unprecedented intelligence into its internal integrity.

The value of using a solution like CAST AIP in developing the DPIA is:

  • Reduces application development and maintenance (ADM) Costs by reducing the need to have critical and numerous IT Resources to investigate issues manually.
  • Reduces tooling costs by using a single solution to drive application security and privacy measures.
  • Improves speed and scale of development by working on several applications in parallel with an Industrialized process.
  • Makes the issues actionable for IT by having actionable reports for the IT managers to drive compliance among the development team.

A platform like CAST’s Application Intelligence Platform is also important to maintaining ongoing compliance with GDPR. CAST:

  • Automates the reporting of GDPR Compliance to the IT of the data processing organization (DPO) by flagging the private data and accepted GDPR transactions in the CAST Knowledge Base and tracks:
    • The addition of new data columns/tables for DPO/IT Review
    • The addition/modification of transactions accessing private data
    • The addition of application security violations involving private data
  • Develops a roadmap that provides a data visualization index with Impacts navigation and Data Privacy Index calculation

With these investigations and reports in place, CAST AIP provides a solution for a number of the articles in GDPR, including:

  • Article 25 – Data protection by design and by default: Helps document current application design, identifies weaknesses, and remediation points, and then establishes an architecture governance mechanism to ensure continued data protection by design.
  • Article 30 – Records of processing activities: Builds a data processing register for highly sensitive data, then maintains an active data protection register that is reverse engineered from software structure.
  • Article 32 – Security of processing: Evaluates the current state of application security against benchmarks, and then focuses the tightest application security on the most sensitive data.
  • Article 35 – DPIA: Supports consulting teams in achieving an initial impact assessment and establishes a basis that will make conducting DPIA easier in the future.

GDPR is now the law in Europe and it or something like it is sure to be implemented in the U.S. The best way to avoid running afoul of that law is by employing an automated application analysis platform like CAST’s AIP to locate vulnerabilities and create the reports required for your company to comply with GDPR.

Filed in: Application Security Modern Architecture Software Intelligence
Tagged: Application Portfolio Analysis GDPR GDPR compliance
Cloud Smart: How to Ensure an Efficient and Secure Journey
Cloud Smart: How to Ensure an Efficient and Secure Journey
Recorded Webinar
Software Intelligence at the core of M&A Advisory

Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services. 

Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.

Video Interview
Eliminate vulnerabilities while improving performance
CAST AIP was implemented for a Federal Law Enforcement Agency in the US. CAST AIP helped identify and resolve several critical violations and flaws in the software leading to an immediate saving of ~ $250K in software maintenance.
Case Study
Nicolas Derivery
Nicolas Derivery Vice President, Cloud and GDPR
Nicolas Derivery is Vice President at CAST and has been with the company for 10 years. In this role, he leads CAST's go-to-market for cloud migration and GDPR offerings, helping organizations create compliant strategies for IT modernization that realize the benefits of cloud computing.
More Posts from Nicolas >>

Write a review Average rating:
()
Newest on top Oldest on top
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()