[BreachExchange] Protecting network availability for GDPR compliance
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Jun 13 10:01:24 EDT 2018
https://www.itproportal.com/features/protecting-network-availability-for-gdpr-compliance/
With the GDPR now in force, organisations across Europe, and those elsewhere
in the world that do business in the region, have been working hard over the
past months to ensure they are compliant. With so many column inches
dedicated to the nuances and implications of the new regulation, the issue of
data protection has been thrown into sharp, if confused, focus. Given the size
and complexity of today's IT networks, it has become very difficult to detect
when and how a security breach or network failure might occur. It is now
essential for businesses the world over to have complete visibility of their
networks: not only from an operational perspective, but also to protect their
customers, their brand and reputation and, in light of the GDPR's potential
financial penalties, their bottom line.
The security of a network, and of the information held within it, is crucial
for GDPR compliance. Recital 49 of the regulation explicitly names preventing
the distribution of malicious code and stopping "denial of service" attacks as
part of network and information security, and Article 32(1)(c) requires
controllers and processors to be able to restore the availability of, and
access to, personal data in a timely manner after a physical or technical
incident, whether that is an outage or, worse, a breach.
Guaranteeing a network's availability is not just a matter of regulatory
compliance, however; it is one of the highest priorities of any business
today. All organisations, from banks and retailers to manufacturers and
utility providers, rely on consistent, always-on connections to their
customers, partners and suppliers, without which they would soon grind to a
halt. The future of every business now depends on the ongoing resilience and
availability of its IT and communications networks.
Keeping track
Regulations such as the GDPR govern what personal data a business may collect
and record, and where that data may be sent. "Personal data" covers everything
from email addresses and phone numbers to IP addresses, credit card details
and much more.
The GDPR also restricts the transfer of personal data to third parties and,
under Chapter V, to countries outside the European Economic Area. To ensure
compliance, therefore, an organisation's networking and security teams need
to understand which country any given record originated from, which paths it
takes through the corporate network, and where it is stored.
To keep track of the flow of information, and to prevent it from being
compromised, automated processes will need to be set up that regularly assess
and evaluate how this personal data is being processed. Given the sheer size
and complexity of IT infrastructure, that requires full visibility across the
whole estate, including data centres and the cloud, if the business is to
remain fully GDPR-compliant.
Robust defence
Article 32(1)(d) of the GDPR requires a process for regularly testing,
assessing and evaluating the effectiveness of the technical and
organisational security measures in place, so it is important that
businesses ensure all of their network defences are automatically and
regularly updated with the latest intelligence on threats and security
risks. Frequent, end-to-end tests are recommended as part of that process:
you never know what you may find.
In terms of security, DDoS attacks represent the biggest threat to network
availability, and therefore to the availability of personal data. There is a
widely held misconception, however, that standard security measures such as
firewalls and load balancers can mitigate such attacks and help keep a
business GDPR-compliant. In many cases, DDoS attacks target these very
systems before overwhelming the network and causing an outage. Firewalls and
load balancers are stateful devices: they maintain a table of session data
across a series of requests, and that table is finite. A simple
state-exhaustion attack such as a SYN flood from spoofed sources fills the
table with half-open connections that never complete, so the device starts
dropping legitimate traffic, or fails outright, long before the link itself
is saturated, leaving the whole network behind it exposed. Stateless
filtering and rate limiting, or upstream scrubbing, belong in front of such
devices rather than relying on them alone. As a result, compliance can be far
more complex than many initially think.
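The state-exhaustion mechanism described above, as an added illustration that is not code from the original article: a toy stateful connection table (the model of a firewall or load balancer) is replayed against a constructed SYN flood mixed with legitimate clients, first with no half-open timeout, then with one, and then contrasted with a device that keeps no state until the handshake completes. The device classes, table size, traffic rates, the secret key and the addresses 198.51.100.0/24 and 203.0.113.7 (documentation ranges) are assumptions, and the cookie is a simplified HMAC tag rather than a real ISN-encoded SYN cookie.

```python
"""Added illustration (not from the article): why a stateful firewall or load
balancer is the first thing a SYN flood knocks over, and why keeping no
per-SYN state (SYN cookies) changes the picture.  All traffic is constructed."""
import hashlib
import hmac
import random
from dataclasses import dataclass, field
from typing import Optional, Tuple

Flow = Tuple[str, int]  # (client IP, client port); one server socket is implied


@dataclass
class StatefulDevice:
    """Allocates one connection-table entry for every SYN it forwards."""
    max_entries: int
    half_open_timeout: Optional[float] = None  # None: half-open entries never expire
    table: dict = field(default_factory=dict)  # Flow -> (state, created_at)
    refused: int = 0

    def _expire(self, now: float) -> None:
        if self.half_open_timeout is None:
            return
        stale = [f for f, (state, t0) in self.table.items()
                 if state == "SYN_RECV" and now - t0 > self.half_open_timeout]
        for f in stale:
            del self.table[f]

    def on_syn(self, flow: Flow, now: float):
        self._expire(now)
        if len(self.table) >= self.max_entries:
            self.refused += 1  # table full: every new SYN, spoofed or real, is dropped
            return None
        self.table[flow] = ("SYN_RECV", now)
        return True  # the state lives in the table, so no token is needed

    def on_ack(self, flow: Flow, now: float, token) -> bool:
        entry = self.table.get(flow)
        if entry is None or entry[0] != "SYN_RECV":
            return False  # no half-open state: the handshake cannot complete
        self.table[flow] = ("ESTABLISHED", now)
        return True


@dataclass
class SynCookieDevice:
    """Stores nothing on SYN; the SYN-ACK carries a keyed cookie (simplified
    here to an HMAC tag) and only an ACK with a valid cookie gets an entry."""
    secret: bytes  # assumed key; rotate it in a real deployment
    established: dict = field(default_factory=dict)

    def _cookie(self, flow: Flow, bucket: int) -> str:
        msg = f"{flow[0]}:{flow[1]}:{bucket}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def on_syn(self, flow: Flow, now: float) -> str:
        return self._cookie(flow, int(now) // 60)  # a flood of SYNs costs no memory

    def on_ack(self, flow: Flow, now: float, token) -> bool:
        bucket = int(now) // 60
        if not any(hmac.compare_digest(self._cookie(flow, b), token or "")
                   for b in (bucket, bucket - 1)):  # cookies stay valid 1-2 minutes
            return False
        self.established[flow] = now
        return True


def simulate(device, duration=10.0, attack_rate=400, legit_rate=20, seed=1):
    """Replay a constructed mix of spoofed SYNs (never acknowledged) and
    legitimate clients that ACK 50 ms after their SYN.  Returns
    (legitimate connections established, legitimate connections attempted)."""
    rng = random.Random(seed)
    events = []
    for _ in range(int(duration * attack_rate)):
        spoofed = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
        events.append((rng.uniform(0, duration), "syn", spoofed))
    attempted = int(duration * legit_rate)
    for i in range(attempted):
        t0 = rng.uniform(0, duration - 0.1)
        client = ("203.0.113.7", 10000 + i)
        events.append((t0, "syn", client))
        events.append((t0 + 0.05, "ack", client))
    events.sort()
    pending, established = {}, 0
    for t, kind, flow in events:
        if kind == "syn":
            pending[flow] = device.on_syn(flow, t)
        elif device.on_ack(flow, t, pending.get(flow)):
            established += 1
    return established, attempted


if __name__ == "__main__":
    for label, dev in [("stateful, no half-open timeout", StatefulDevice(1000)),
                       ("stateful, 1 s half-open timeout", StatefulDevice(1000, 1.0)),
                       ("SYN cookies", SynCookieDevice(b"rotate-me"))]:
        ok, n = simulate(dev)
        print(f"{label:32s} legitimate connections: {ok}/{n}")
```

With a 1,000-entry table and 400 spoofed SYNs per second, the device with no half-open timeout fills up within a few seconds and refuses every later client, including the legitimate ones, even though the attack is tiny in bandwidth terms; an aggressive half-open timeout keeps the table below capacity at this rate, and the cookie-based device admits every legitimate client because spoofed SYNs cost it nothing. The model shows the mechanism only: real devices also burn CPU on state lookups, and a larger flood defeats timeouts alone, which is why stateless mitigation belongs upstream.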
To be sure that the security of its network complies with the GDPR, a
business must know its IT infrastructure inside and out and understand the
risks it faces from external threats such as DDoS. Only then will it be in a
position to put the right monitoring tools and security measures in place to
protect its data, network and IT assets.
Lock all the doors
While securing an organisation's IT networks is crucial to compliance with
the new data protection regulation, the need for physical safeguards should
not be overlooked either. Stringent security and controlled access to offices
and facilities, for example, help prevent unwanted access to any personal
data held within an organisation, as do simple procedures such as locking
doors, drawers and filing cabinets.
As they come under increasing pressure to adhere to new policies and
regulations, it has never been more important for businesses to educate
themselves on the importance of data protection and privacy. GDPR aside, it
should be standard practice for every organisation to have reasonable cyber
and physical safeguards in place to prevent security breaches and
unauthorised access to, or loss of, any personal data it holds.
When procuring these safeguards, careful consideration should be given to
whether the supplier offers best-in-class network monitoring and cyber
security technology, particularly for defending against DDoS attacks.
Suppliers must also be GDPR-compliant themselves: any supplier that handles
personal data on the business's behalf is a processor under the regulation,
which means a written contract meeting the requirements of Article 28,
robust security and encryption practices of their own, and due diligence
carried out on the security of their systems and data centres.
Under the GDPR, as we now know, any organisation that processes the personal
data of individuals in the EU, including tracking their online activities,
is within the scope of the law, regardless of whether it has a physical
presence in the EU. Breaches of these duties can attract fines of up to €20
million or four percent of a company's worldwide annual turnover, whichever
is higher.
While data protection and privacy have always been important
considerations, there is more at stake now than ever before. With complete
network visibility and availability, and with robust protection measures in
place, businesses across the globe can be confident that, as far as their
networks are concerned, they are meeting the stringent demands of this new
regulation.