Fortanix helps organizations address privacy rights and meet GDPR requirements

Jan. 18, 2018
Fortanix SDKMS delivers encryption-based data protection and access controls that address GDPR Privacy Rights Requirements

MOUNTAIN VIEW, Calif., Jan. 18, 2018 – Fortanix Inc., a leader in Runtime Encryption, has announced it is helping organizations as they prepare for the upcoming General Data Protection Regulation (GDPR) by enhancing its Self-Defending Key Management Service™ (SDKMS) next-generation Hardware Security Module (HSM) solution with data protection features and location-based access controls to help organizations meet GDPR requirements.

GDPR is designed to provide better privacy and security to European citizens and comes into effect May 25. It applies to any data that can be used to directly or indirectly identify a person, including private, professional, or public financial data, photos, home addresses, medical information, social media, and IP addresses. Although GDPR is a European regulation, it affects customers and organizations worldwide, which must adhere to GDPR if they process European customers’ data. GDPR is a binding legislative act, and organizations can be fined up to 4 percent of their global revenue, or €20M, whichever is more.

According to Gartner, “The European General Data Protection Regulation has an impact far beyond the EU alone…Security and risk management (SRM) leaders should prepare for the European Union’s General Data Protection Regulation…On 25 May 2018, less than 50 percent of all organizations impacted will fully comply with the GDPR.” 1

Organizations need to categorize their data and create a set of rules to follow while processing their customers’ personal data. Once the data access rules have been defined, organizations can encrypt the personal data with keys managed by Fortanix’s SDKMS next-generation HSM solution.

SDKMS creates a control layer between the data controller and the data processors to help meet GDPR requirements around data audit, control, and erasure. The data processor is an entity that processes the personal data according to rules set by the data controller. Specific requirements of GDPR where Fortanix’s runtime encryption helps organizations include:

  •  Fine-grained access controls for users and data – With SDKMS, only the authorized processor gets access to the encryption keys protecting the needed data, and only for the duration for which a business case exists as required by GDPR.
  • The right to be forgotten – If a customer requests data erasure, SDKMS can delete the decryption key. Such a deletion is irreversible and is logged into the central audit log. Organizations can be assured that data cannot be used once the key has been deleted.
  • Data-masking – SDKMS masks sensitive data before it is processed in a test cluster, greatly reducing the GDPR compliance surface.
  • Tokenization – Customers can use SDKMS to tokenize primary account numbers (PAN), date of birth, addresses, etc., to reduce the possibility of wrongful exposure.
  • Global logging – All access to personal data is automatically logged in a centrally viewable tamper-proof global audit trail by Fortanix. There is never any dispute about who accessed which data and when.
  • Key destruction – Once a key is destroyed, no one (not even the organization, Fortanix, or the user) can restore it. Thus, organizations can easily remove access to certain data.
  • Geo-fencing – Organizations can use Fortanix to adopt policies based on the location of data.

Secured with Intel® Software Guard Extensions (SGX), Fortanix’s SDKMS is HSM, key management, and encryption, all integrated as one product and offered as a service. SDKMS is cloud-agnostic, built to scale, and provides software flexibility with HSM-grade security. Organizations use SDKMS to secure their sensitive cloud and traditional applications, PKI systems, IoT applications, silicon manufacturing, and remote TLS terminations – all while drastically reducing integration complexities and expenses. Fortanix delivers complete and deterministic privacy, as data and keys remain completely protected from cloud providers, system administrators, insiders, government subpoena, and network hackers.

“Meeting GDPR takes more than just technology; corporations first need to adopt a new culture, organizational awareness, and privacy-first mindset,” said Ambuj Kumar, Fortanix CEO and co-founder. “However, when it comes to technology, once organizations have digitized their personal data inventory and have identified appropriate access controls based on their legal needs, Fortanix can help them with GDPR. With SDKMS, the keys cannot be used without proper authorization and without creating an immutable audit trail. This strong assurance reduces compliance risk.”

For more information, see https://www.fortanix.com/solutions/gdpr.

Note 1 – Gartner, Inc. “GDPR Clarity: 19 Frequently Asked Questions Answered,” by Bart Willemsen. Aug. 29, 2017.

About Fortanix

Fortanix delivers provable deterministic security to organizations by offering the industry’s only Runtime Encryption. While today’s encryption technologies protect only data at rest and data in motion, Runtime Encryption keeps keys, data and applications completely protected while in use from external and internal threats, including insiders, cloud providers, government subpoena, OS-level hacks and network intruders. Headquartered in Mountain View, Calif., the company is backed by Foundation Capital and NeoTribe. For more information, see https://fortanix.com/