It seems almost every week in cybersecurity and IAM we read of a large company buying a smaller one. Many times, it is a big stack vendor adding something that may be missing to their catalog, or buying a regional competitor. Sometimes it’s a medium-sized technology vendor picking up a promising start-up. In the olden days (15+ years ago), start-ups hoped for going IPO. IPOs are far less common today. Why? Mostly because it’s an expensive, time-consuming process that doesn’t achieve the returns it once did. Many times, going IPO was an interim step to getting acquired by a large vendor, so why not just skip ahead? 

Mergers are not common for a few reasons. Merger implies a coming together of near-equals, and executives and boards of directors don’t usually see it this way. So even when mergers happen, they’re often spun as simply acquisitions, and one brand survives while the other fades away. Mergers also mean de-duplication of products, services, and downsizing of the workforces. Mergers can be difficult for customers of both former brands to endure as well.

In the last few years, we’ve increasingly seen equity firms purchase mature start-ups and assemble portfolios of tech vendors. I say “mature start-up” because, instead of the “3 years and out” that occasionally worked in the early 2000s, now vendors are often taking investment (Series A, B, C, D, etc.) 5-7 years or more after founding. When equity firms pick up such companies, the purchased vendor generally retains their brand in the marketplace. The equity firms typically have 3-5 year plans to streamline the operations of the components in their portfolios, make each company profitable, build value, and then sell again.

Other times large companies spin off divisions that are “not part of their core competencies”.  Maybe those divisions are not doing well under current management and might fare better in the market where they can have some brand separation and autonomy.

What motivates acquisitions? There are four major reasons companies merge with or buy others:

1. To acquire technology
2. To acquire customers
3. To acquire territory
4. Unknown

Getting a new technology to integrate into an existing suite is very straightforward. Picking up a smaller competitor to access their customer base is also a common strategy, provided it doesn’t run afoul of anti-trust laws. Large regional vendors will sometimes buy or merge with similar companies in other regions to gain overall market share. These can often be smart strategies toward building a global footprint in the market.  

Every now and then, however, we read about deals that don’t make sense in the industry. This is the unknown category. Sometimes big companies do acquire smaller competition, but do not integrate, extend, or service the purchased product. Dissatisfied customers leave. Overall brand reputation suffers. These deals turn out to be mistakes in the long run, only benefitting the owners of the purchased company. A better plan is to out-compete rather than buy-out the competition.  

Customers of vendors that are being bought or divested have questions: what will happen to the product I use? Will it be supported? Will it go away? Will I have to migrate to combined offering? If so, is now the time to do an RFP to replace it?

IT executives in end-user organizations may hold conflicting views about M&A activities. On the one hand, consolidation in the market can make vendor and service management easier: fewer products to support and fewer support contracts to administer. On the other hand, innovation in large companies tends to be slower than in smaller companies. It’s a momentum thing. As an IT manager, you need your vendor to support your use cases. Use cases evolve. New technical capabilities are needed. Depending on your business requirements and risk tolerance, you may occasionally have to look for new vendors to meet those needs, which means more products to support and more contracts to manage. Beware the shiny, bright thing!

Recommendation: executives in companies that are acquiring others or are being divested need to 

1. Quickly develop, or at least sketch, roadmaps of the product/services that are being acquired or divested. Sometimes plans change months or years after the event. When they do, let customers know.
2. Communicate those roadmaps as well as known at the time of acquisition or divestiture. Explain the expected benefits of the M&A activity and the new value proposition. This will help reduce uncertainty in the market and perhaps prevent premature customer attrition.

In summary: there will always be mergers, acquisitions, and divestitures in the security and identity market. Consolidation happens, but new startups emerge every quarter in every year with new products and services to address unmet business requirements. IT managers and personnel in end-user organizations need to be aware of the changes in the market and how it may impact their businesses.  

Likewise, executives in vendor companies, investors, VCs, and equity firms need to be cognizant of current market trends as well as make predictions about the impact and success of proposed ventures. This can help to avoid those deals that leave everyone scratching their heads wondering why did they do that? At KuppingerCole, we understand the cyber and IAM markets, and know the products and services in those fields. Stay on top of the latest security and identity product evaluations at www.kuppingercole.com.

Digital Transformation is one of those buzzwords (technically a buzzphrase, but buzzphrase isn’t a buzzword yet) that gets used a lot in all sorts of contexts. You hear it from IT vendors, at conferences, and in the general media. But Digital Transformation, or DT as we like to abbreviate it, is much more than that. DT is commonly regarded as a step or process that businesses go through to make better use of technology to deliver products and services to customers, consumers, and citizens. This is true for established businesses, but DT is enabling and creating entirely new businesses as well.

When we hear about DT, we think of smart home products, wearable technologies, connected cars, autonomous vehicles, etc. These are of course mostly consumer products, and most have digital device identity of some type built in. Manufacturers use device identity for a variety of reasons, to track deployed devices and utilization, to push firmware and software updates, and to associate devices with consumers.

To facilitate secure, privacy-respecting, and useful interactions with consumer of DT technologies, many companies have turned to Consumer Identity and Access Management (CIAM) solutions. CIAM solutions can provide standards-based mechanisms for registering, authenticating, authorizing, and storing consumer identities. CIAM solutions usually offer identity and marketing analytics or APIs to extract more value from consumer business. CIAM is foundational and an absolutely necessary component of the DT.  

CIAM solutions differ from traditional IAM solutions in that they take an “outside-in” as opposed to the “inside-out” approach. IAM stacks were designed from the point of view that an enterprise provisions and manages all the identities of employees. HR is responsible for populating most basic attributes and then managers add other attributes for employee access controls. This model was extended to business partners and B2B customers throughout the 1990s and early 2000s, and in some cases, to consumers. Traditional IAM was often found lacking by consumer-driven businesses in terms of managing their end-user identities. HR and company management doesn’t provision and manage consumer identities. Moreover, the types of attributes and data about consumers needed by businesses today was not well-suited to be serviced by enterprise IAM systems.  

Thus, CIAM systems began appearing in the 2010s. CIAM solutions are built to allow consumers to register with their email addresses, phone numbers, or social network credentials. CIAM solutions progressively profile consumers so as not to overburden users at registration time. Most CIAM services provide user dashboards for data usage consent, review, and revocation, which aids in compliance with regulations such as EU GDPR and CCPA.

CIAM services generally accept a variety of authenticators that can be used to match identity and authentication assurance levels with risk levels.  CIAM solutions can provide better – more usable and more secure – authentication methods than old password-based systems. Consumers are tired of the seemingly endless trap of creating new usernames and passwords, answering “security questions” that are inherently insecure, and getting notified when their passwords and personal data are breached and published on the dark web. Companies with poor implementations of consumer identity miss out on marketing opportunities and sales revenue; they also can lose business altogether when they inconvenience users with registration and password authentication, and they suffer reputation damage after PII and payment card breaches.

In addition to common features, such as registration and authentication options, consider the following functional selection criterion from our newly published Buyer’s Guide to CIAM. Compromised credential intelligence can lower the risks of fraud. Millions of username/password combinations, illegally acquired through data breaches, are available on the dark web for use by fraudsters and other malefactors. Compromised credentials intelligence services alert subscribers to the attempted use of known bad credentials.  All organizations deploying CIAM should require and use this feature. Some CIAM solutions, primarily the SaaS vendors, detect and aggregate compromised credential intelligence from across all tenants on their networks.  The effectiveness of this approach depends on the size of their combined customer base.  On-premises CIAM products should allow for consumption of third-party compromised credential intelligence.

Lastly, CIAM solutions can scale much better than traditional IAM systems. Whereas IAM stacks were architected to handle hundreds of thousands of users with often complex access control use cases, some CIAM services can store billions of consumer identities and process millions to hundreds of millions of login events and transactions.  

Over the last few years, enterprise IAM vendors have gotten in on the CIAM market. In many cases they have extended or modified their “inside-out” model to be more accommodating of the “outside-in” reality of consumer use cases. Additionally, though traditional IAM was usually run on-premises, pure-play CIAM started out in the cloud as SaaS. Today almost all CIAM, including those with an enterprise IAM history, offer CIAM as SaaS.

Thus, CIAM is a real differentiator that can help businesses grow through the process of DT by providing better consumer experiences, enhanced privacy, and more security. Without CIAM, in the age of DT, businesses face stagnation, lost revenues, and declining customer bases. To learn more about CIAM, see the newly updated KuppingerCole Buyer’s Guide to CIAM.

#RSAC2019 is in the history books, and thanks to the expansion of the Moscone Center, there was ample space in the expo halls to house vendor booths more comfortably. In fact, there seemed to be a record number of exhibitors this year. As always, new IAM and cybersecurity products and services make their debut at RSAC.

Despite the extra room, it can be difficult for the security practitioner and executive to navigate the show floor. Some plan ahead and make maps of which booths to visit, others walk from aisle 100 to the end. It can take a good deal of time to peruse and discover what’s new. But most difficult of all it is digesting what we’ve seen and heard, considering it in a business context, and prioritizing possible improvement projects.

Security practitioners tend to hit the booths of vendors they have worked with, those with competing products, and others in their areas of specialty, including startups. For example, an identity architect will likely keep on walking past the “next gen” anti-malware and firewall booths but will stop at the booth offering a new identity proofing service. If a product does something novel or perhaps better than their current vendor’s product, they’ll know it and be open to it, even if it’s a small vendor and it means managing another product or service.

Executives gravitate toward the stack vendors in the front and middle, ignoring the startups on the sides and back. [It’s also increasingly likely execs will have meetings with specific vendors in the hotels surrounding Moscone, and not even set foot in the halls.] Why? IT execs and particularly CISOs are concerned with reducing complexity as well as securing the enterprise. A few stack vendors with consolidated functionality are easier to manage than dozens of point solutions.

Who is right? Well, it depends. Sometimes both, sometimes neither. It depends on knowing your cyber risk in relation to your business and understanding which technology enhancements will decrease your cyber risk and by approximately how much. Oftentimes practitioners and executives disagree on the cyber risk analysis and priorities set as a result.

Risk is conjunction of consequence and likelihood. At RSAC and other conferences we hear anecdotes of consequences and see products that reduce the likelihood and severity of those consequences. Executives and practitioners alike have to ask, “are the threats addressed by product X something we realistically face?”. If not, implementing it won’t reduce your cyber risk. Or, if there are two or more similar products, which one offers the most possible risk reduction?

The biggest risk is that the decision-makers don’t truly understand the threats and risks they face. There are cases where SMBs have built defenses against zero-day APTs that will never come their way yet have neglected to automate patch management or user de-provisioning. In other cases, a few big enterprises have naively dismissed the possibility that they could be the target of corporate or foreign state espionage and failed to protect against such attacks.

The riskiest time for organizations is the period when executive leadership changes and for 12-18 months afterward, or even longer. If an organization brings in a CIO or CISO from a different industry, it takes time for the person to learn the lay of the land and the unique challenges in which that organization operates. Long-held strategies and roadmaps get re-evaluated and changed. Mid-level managers and practitioners may leave during this time. That org’s overall cybersecurity posture is weakened during the transition time. Adversaries know this too.

Risk is a difficult subject for humans to grasp. No one gets it right all the time. Risk involves processing probabilities, and our brains didn’t really evolve to do that well. For an excellent in-depth look at that subject, read Leonard Mlodinow’s book The Drunkard’s Walk.

External risk assessments and benchmarks can be good mechanisms to overcome these circumstances; such as when tech teams and management disagree on priorities, when one or more parties is unsure of the likelihood of threats and risks, and when executive leadership changes. Having an objective view from advisors experienced in your particular industry can facilitate the re-alignment of tactics and strategies that can reduce cyber and overall risk. For information on the types of assessments and benchmarking KuppingerCole offers, see our advisory offerings.

2018 was a year of sweeping changes in Consumer Identity Management products and services. CIAM continues to be a fast-growing market. Research indicates that about half of all CIAM deals are still originating outside the tent of the CISO and IAM support organizations. More vendors entered the market and there were some noteworthy acquisitions. Lastly, many innovative improvements occurred across most all solutions, due in part to GDPR.

What is driving CIAM growth? Businesses are realizing that efficient and effective digital identity solutions lead to more consumer engagement and a better consumer experience, which in turn generates additional revenue. CIAM deployments will continue to outpace IAM deployments in 2019.

GDPR took effect on May 25th this year. The response by CIAM vendors in the run-up to GDPR was mixed. Some were proactive, seeing it as a competitive advantage. Others played catch-up. However, by the end of 2018, most vendors offer consent management features that can allow industrious customers to comply with GDPR in terms of consent collection, data export, and data deletion. There is still a wide variety in the approaches taken, and some CIAM services are more advanced and easier to administer in this regard. Meanwhile, the world waits to see if and how GDPR will be enforced.

Consumer identities are a top target for cyber criminals. Consumers are phished for their credentials. Banking trojans are a leading form of malware. Account takeover fraud is growing and is eating into bank profits. Fraud of all types is a growing concern, and not just for the financial sector. Customer loyalty programs (one of the many drivers for deploying CIAM) are increasingly under attack. The recent Marriott/Starwood breach netted 500M accounts for the perpetrators. Airlines’ frequent flyer programs are also regularly stolen. In short, any online asset that is convertible to cash or cryptocurrency is a target. Fortunately, some CIAM vendors put an emphasis on fraud risk reduction by including user behavioral analytics and by real-time processing of compromised credential and other threat intelligence sources. The need to reduce fraud spurred innovation in CIAM in 2018. Biometrics, mobile apps/SDKs, and risk adaptive authentication are “must have” functions within CIAM solutions for 2019.

The need to associate IoT device identities with consumer identities is an expanding and evolving use case within CIAM. Not enough has been standardized in this field, so there is a lot of variation in IoT device identity support still. Look for additional growth and perhaps standardization in the years ahead.

From a market perspective, the year started out with a major acquisition of Gigya by SAP. As an independent company, Gigya was a leader in CIAM. The acquisition was beneficial for SAP, which was missing a fully functional CIAM capability. SAP, now powered by a rapidly-integrated Gigya, has become a major player in the consumer identity market. Later in the year Exostar acquired Pirean. This transaction will give Exostar, a secure business collaboration service provider, stronger IAM and CIAM features. The move also serves to increase the reach of both companies. More companies entered the CIAM market as well, and gained prominence in the field. No doubt there will be more acquisitions and entrants in 2019. For the latest information on this market, including technical details on how the solutions differ, see our just-published Leadership Compass.

This month we launched our Cybersecurity Leadership Summit in Berlin. A pre-conference workshop entitled “Focusing Your Cybersecurity Investments: What Do You Really Need for Mitigating Your Cyber-risks?” was held on Monday. The workshop was both business-oriented and technical in nature. Contemporary CISOs and CIOs must apply risk management strategies, and it can be difficult to determine which cybersecurity projects should be prioritized. Leaders in attendance heard the latest applied research from Martin Kuppinger, Matthias Reinwarth, and Paul Simmonds.

Tuesday’s opening keynote was delivered by Martin Kuppinger on the topic of User Behavioral Analytics (UBA). UBA has become both the successor and adjunct to SIEMs, and as such are link between traditional network-centric cybersecurity and identity management. Torsten George of Centrify pitched the importance of zero-trust concepts. Zero-trust can be seen as improving security by requiring risk-adaptive and continuous authentication. But trust is also a key component of things like federation architecture, so it won’t be going away altogether.

Innovation Night was held on Tuesday. In this event, a number of different speakers competed by describing how their products successfully incorporated Artificial Intelligence / Machine Learning techniques. The winner was Frederic Stallaert, Machine Learning Engineer/ Data Scientist at ML6. His topic was the adversarial uses of AI, and how to defend against them.

Here are some of the highlights. In the social engineering track, Enrico Frumento discussed the DOGANA project. This is the Advanced Social Engineering and Vulnerability Analysis Framework. They have been performing Social Driven Vulnerability Assessments and have interesting but discouraging results. In a recent study, 59% of users tested in an energy sector organization fell prey to a phishing training email. Malicious actors use every bit of information about targets available to them, regardless of legality. Organizations providing anti-phishing training are encumbered by GDPR.

In Threat intelligence, we had a number of good speakers and panelists. Ammi Virk presented on Contextualizing Threat Intelligence. One of his excellent points was recognizing the “con in context”, or guarding against bias, assumptions, and omissions. Context is essential in turning information into intelligence. This point was also made strongly by John Bryk in his session.

JC Gaillard posed a controversial question in his session, “Is the role of CISO outdated?”. He looked at some of the common problems CISOs face, such as being buried in an org chart, inadequate funding, and lack of authority to solve problems. His recommendations were to 1) elevate the CISO role and give it political power, 2) move the purely technical IT Security functions under the CIO or CTO, and 3) put CISOs on the level with newer positions such as CDOs and DPOs.

Internet Balkanization was a topic in the GDPR and Cybersecurity session. Daniel Schnok gave a thought-provoking presentation on the various political, economic, and technological factors that are putting up barriers and fragmenting the Internet today. For example, we know that countries such as China, Iran, and Russia have politically imposed barriers and content restrictions. GDPR is limiting the flow of personal information in Europe, and in some cases, overreaction to GDPR is impairing the flow of other types of data as well. The increasing consolidation of data under the large, US-based tech firms is also another example of balkanization.

In my final keynote I described the role that AI and ML are playing in cybersecurity today. These technologies are not merely nice-to-haves but are essential components, particularly for anti-malware, EDR/MDR, traffic analysis, etc. Nascent work on using ML techniques to facilitate understanding of access control patterns is underway by some vendors. These techniques may lead to a breakthrough in data governance in the mid-term. AI and ML based solutions are subject to attack (or “gaming”). Determined attackers can fool ML enhanced tools into missing detection of malware, for example. Lastly, Generative Adversarial Networks (GANs) serve as an example of how bad actors can use AI technologies as a means to advance attacks. GAN-based tools exist for password-cracking, steganography, and creating fake fingerprints for fooling biometric readers. In short, ML can help, but it can also be attacked and used to create more powerful cyber attacks.

We would like to thank our sponsors: iC Consult, Centrify, Cisco, One Identity, Palo Alto Networks, Airlock, Axiomatics, BigID, ForgeRock, Nexis, Ping Identity, SailPoint, MinerEye, PlainID, FireEye, Varonis, Thycotic, and Kaspersky Lab.

We will return to Berlin for CSLS 2019 on 12-14 November of next year.

Fall is Consumer Identity Season at KuppingerCole, just in time for holiday shopping. Last week we kicked off our 2018 tour in Seattle. The number of attendees and sponsors was well up over last year, indicating the significant increase in interest in the Consumer Identity and Access Management (CIAM) subject. CIAM is one of the fastest growing market segments under IAM, and with good reason. Companies that deploy CIAM solutions find that they can connect with their consumers better, delivering a more positive experience, and generating additional revenue. CIAM can also aid with regulatory compliance, such as those for privacy (GDPR, CCPA, etc.) and finance (AML, KYC, PSD2, etc.).

Some of the big topics last week were authentication methods for CIAM, particularly biometrics, GDPR and privacy regulations around the world, consumer preferences for identity, and blockchain identity. 

CIAM requires thinking “outside-in” about authentication. The FIDO Alliance held a workshop on Wednesday. FIDO was a particularly relevant topic for CIW, as there were many discussions on the latest authentication methods and techniques. The turnout was excellent, and attendees heard from some of the leaders and active members of the organization.  I believe that FIDO will play a key role in modernizing authentication technology, especially for consumer-facing applications. FIDO specifications have been maturing rapidly. Version 2.0, and the W3C WebAuthN and CTAP protocols are exactly what has been needed to speed adoption. Expect to see FIDO deployments increasing as the major browsers fully support the standard. We can also expect to see higher consumer satisfaction as FIDO rolls out widely, due to ease of use, and better security and privacy. For an overview of how FIDO works, see Alex Takakuwa’s presentation.

Mobile biometric solutions are enjoying popularity, many companies want to find out how to reduce friction for consumers in the authentication process. We considered risk-adaptive and continuous authentication as means to right-size authentication to specific use cases, such as finance and health care. 

I noted that the “C” in CIAM can also apply to “citizens” as well as customers and consumers. State and local government agencies are exploring Government-to-Citizen (G2C) identity paradigms, and in some cases CIAM solutions are a good fit.

Privacy is an ever-present concern for consumer-facing systems. GDPR is in effect in Europe, and companies around the world must now abide by it when processing personal data of European persons. Tim Maiorino gave an update on the state of GDPR. The subject of California’s upcoming privacy law arose in some panels. Will the California model be adopted across the US? Probably not at the federal level, at least not in the foreseeable future. However, other states are likely to enact similar privacy laws, leading to discrepancies and possible difficulties in complying with similar but different regulations. We learned from Marisa Rogers that there is a call for participation for an ISO group on privacy by design for consumer services.

There were several speakers and panels addressing consumer wants and preferences with regard to CIAM.  We had a few sessions on blockchain and identity. Didier Collin de Causabon gave a good example of how blockchain may be able to aid with KYC.  Sarah Squire, co-founder and vice-chair of IDPro, gave a great talk on role of identity professionals in business. Her keynote also contains a lot of practical advice on IAM/CIAM implementations and where we as an industry can go from here.

Our European CIW event will take place on October 29-31 in Amsterdam, followed by our Asia-Pacific CIW in Singapore on November 20-22.

We are already actively planning on CIW for 2019. Join us at the Motif Hotel in Seattle next September 25-27 for the next edition.

Thanks to all of our speakers and panelists for sharing their knowledge. Also thanks to our event sponsors Gigya – SAP Customer Data Cloud, WSO2, Radiant Logic, Nok Nok Labs, Trusted Key, iWelcome, Auth0 and Uniken. 

Why does it seem to be getting harder to delete information online? GDPR will take effect in just a few days. GDPR empowers EU people to take control of their personal information. When in force, GDPR will mandate that companies and other organizations which control or process personal information must comply with delete requests. Users around the world are more cognizant of the data they create and leave online. Even outside the EU, people want to be able to delete data which they deem is no longer useful.

Enter the “archive” button. On some social media sites and other popular applications, the archive button appears to have replaced the old familiar “delete” button. Why? It is ostensibly to make it easier for users to retrieve information that they want out of sight. App makers reason that you don’t always want to delete something once you hit delete. Sometimes, they’re right. But most of the time, “delete” should mean delete. If one searches hard enough, one can usually find ways to actually delete data, even though the top-level UIs only show options to archive.

Another reason “archive” has replaced “delete” is that all information has some value, or at least that is the guiding principle in Big Data circles. Just because a user wants data removed doesn’t mean that it doesn’t have value for others. Social network operators make money off user data, so they believe it must be retained for historical analysis.

Turbulence in the markets and bad press for social media companies may be a leading indicator as to the importance of personal data control for an increasing number of users worldwide. In advance of GDPR, and for the benefit of all users, we urge app makers to bring back the delete button.

As the May 25th, 2018 GDPR enforcement date approaches, more and more companies are actively taking steps to find, evaluate, and protect the personally identifiable information (Personal Data) of EU persons. Organizations that do business with EU persons are conducting data protection impact assessments (DPIAs) to find Personal Data under their control. Many are also asking “do we need to keep the data?” and putting into practice data minimization principles. These are good measures to take.

IT and privacy professionals are inventorying HR, CRM, CIAM, and IAM systems, which is reasonable since these likely contain Personal Data. Administrators should also consider performing DPIAs on security solutions.

Security solutions such as SIEMs, EMMs, and Endpoint Security/EDR tools collect lots of data, including Personal Data, for analysis. Many of the following types of Personal Data (as defined by GDPR) are routinely harvested for ongoing security and risk analysis:

• Username
• Email address
• User attributes, including organizational affiliations, citizenship, group membership
• IP address
• Geo-location
• User-created data files

Most security solutions allow options for on-premise analysis or cloud-based analysis. As an example, most anti-malware products "scoop up" files for deep inspection at the vendor's cloud, which may be outside of EU. Some vendor solutions are configurable in terms of what attributes can be collected and/or sent elsewhere for analysis; some are not.

Any processing of Personal Data is controlled under GDPR. The definition of processing is so wide that it likely includes these forms of scanning and analysis

In light of GDPR, one question administrators should ask “Is this information collected with user consent?” In some cases, user consent will be required. However, according to GDPR Article 6, personal information collection may proceed for the following purposes:

• for the performance of a contract or legal obligation;
• to protect the vital interests of the data subject;
• for a task in the public interest;
• or where processing is necessary for the legitimate interests of the controller.

Moreover, there will be situations in which Personal Data may be processed by more than one Data Processor. In these joint-processor scenarios, all entities involved in processing share responsibility for ensuring that the use of Personal Data is authorized under one of the GDPR-specified purposes above.

Security administrators should work with their DPOs and legal team to address the following additional points:

• Determine which of your deployed security solutions collect which kinds of data; in effect, do DPIAs on security solutions.
• Ascertain where this data goes: local storage? Telemetry transmitted to the cloud? If so, does it stay in the EU? Could it go outside the EU? GDPR defines the notion of data protection adequacy with regard to countries and organizations outside the EU. The Official Journal of the EU will publish and maintain a list of locations for which no additional data transfer agreements will be required.
• If the security scanning or analysis is performed by a third party or cloud provider, irrespective of wherever this is done there must be a written legal agreement as set out in Article 28 (3).
• Do your security solutions permit Personal Data anonymization? GDPR Recital 26 states that data which is sufficiently masked to prevent the identification of the user will not be subject to the data protection mandates. However, SIEMs and forensic tools sometimes need to be able to pinpoint users. Specifically, IP addresses and user credentials are almost always necessary and serve as “primary keys” on which security analyses are based. Within your security solutions, is it possible to mask user data at a high level for external analysis, but leave details encrypted locally, so that they can be unmasked by authorized security analysts during investigations? This is a difficult technical challenge, which is not supported yet by many security vendors. Regardless, even local processing of data elements such as IP address falls under the jurisdiction of GDPR.

In summary, don’t forget your security solutions when running DPIAs. Check with vendors about what information they collect and how it is treated. Work closely with your DPOs and legal counsel to plan the best course of action if you find that remediation or some re-design is needed.