GDPR Compliance: A Network Perspective

Ruvi Kitov

GDPR Compliance

Regulations can be a tricky thing. For the most part, they’re well thought out in terms of mandating actions that a company can or cannot take – they do a really good job of telling us what we must do. Unfortunately, in many cases, that’s where they stop: figuring out exactly how to comply is up to each company.

In May 2018, the new General Data Protection Regulation (GDPR) will take effect, and this one falls squarely into that category. The thing about regulations, though – especially ones that carry real financial consequences, like GDPR – is that lack of direction is no excuse for non-compliance. In the case of GDPR, a failure to proactively address the stringent data protection and privacy requirements involved would be incredibly costly. It’s critical for organizations to start looking at how they’re going to protect sensitive data related to European citizens, and they need to have a plan for doing so mapped out soon.

What does that mean from a network security perspective? There are several steps that organizations will need to take to ensure data protection as a default setting across the network.

Know Your Data, and Where It Goes

Big Data Gives Insight to Consumer Trends

The first step is a critical one – enterprises need to understand where sensitive information resides. Many organizations already know which specific networks, sub-networks, databases, and applications collect and store certain types of sensitive data such as health records or financial information. However, there is no longer any discretion in terms of what data is classified as “sensitive.”

Whatever your old definition of sensitive data – it has to be rethought entirely. Under the GDPR, more types of data – contact information, genetic data, biometric data, and IP addresses, just to name a few – are now classified as sensitive. In order to ensure compliance, enterprises must take a fresh look at the types of data they store and process, and apply a much broader standard of sensitivity.

Unfortunately, determining which areas of the organization are storing or collecting sensitive data can be difficult. To do so, security and IT teams need to work together to survey the organization so that they can identify and document which applications are using personal information. Doing so will give you a clearer understanding of where this data comes from, and will help facilitate the process of mapping the areas of the network where this data is stored. Keep in mind, enterprises will be responsible for ensuring the security of data regardless of whether it’s stored on premise on your physical network or in the public cloud – the GDPR does not discriminate in this area.

Another benefit to mapping out where data is stored and used is that this process will help enterprises understand the extent of their shadow IT problem. Gartner estimates that, by 2020, one third of successful attacks experienced by enterprises will be on their shadow IT resources. Mapping out the data path will help organizations understand the extent of, and put an end to, undocumented applications or servers accessing and storing data.

Segmentation and Policy-Based Automation

Once you understand the applications that store and collect sensitive data, the next step is to make sure that only the appropriate zones or user groups have access to one another. This is where things like network segmentation and access rule review come into play and can have a critical role. With regulations as broad as GDPR, it’s possible that you’ll need to look at further iterations of segmentation – namely, micro-segmentation or even nano-segmentation. By creating role-specific zones, or even user-specific zones, enterprises can better enforce who has access to sensitive information. A key element to ensure a state of continuous GDPR compliance is to document the segmentation internally as a living reference. Having this unified security policy in place enables organizations to simplify the management of this process.

As any security professional understands, it’s not enough to create a one-time snapshot of your network, processes, policies, and exposure. The network is constantly changing as business needs evolve, so policy enforcement must be dynamic. Enterprises must perform regular audits of rules and rule changes to ensure that changes to their network are not affecting GDPR compliance. With so many moving parts, the process of examining, creating, and provisioning rule changes that comply with GDPR regulations can be cumbersome. Policy-based automation reduces the effort needed for compliance and avoids the errors associated with manual processes.

Enterprise networks are undergoing a major change. The transition to software-defined networks, public cloud adoption and the rise of devops have created a larger attack surface for networks along with a similar rise in complexity, creating more opportunities for human error and misconfigurations that can expose sensitive data. At the same time, regulations like GDPR are being put in place to create real financial incentives to ensure the protection of sensitive client data. When these regulations go into effect early next year, organizations that have adopted an automated, policy-based network segmentation approach will be in the best position to succeed in ensuring the safety of the data they are tasked with securing.

By Ruvi Kitov

Ruvi is the CEO and Co-Founder of Tufin, the leading provider of Security Policy Orchestration solutions. Since Tufin’s founding in 2005, Ruvi has led the company through successful growth and product development, quickly gaining more than 2,000 customers among the world’s largest enterprises; Tufin is recognized as a market leader with consistent revenue growth, resulting in top rankings in the Deloitte Technology Fast 50 and other awards.

David Gevorkian

Website Accessibility: Compliancy, Laws and Best Practices

Key to Making Your Website Accessible The internet has changed the education sector in so many ways. With e-learning, more people around the globe are ...
Lauren Brunson

The Growing Need to Consolidate Multi-Tenant Environments

Consolidate Multi-Tenant Environments Over the past four months, countless businesses and universities have scrambled to the cloud to enable their employees and students to work ...
Jen Klostermann

Telemedicine to medical smartphone applications

Telemedicine to medical smartphone applications With the current and growing worldwide concerns regarding the Coronavirus (COVID 19). Telemedicine is more important now than ever. What ...
Sergey lypchenko 

The Top 7 Latest DevOps Trends to Follow

DevOps Trends to Follow Awareness of the latest DevOps trends is important for companies which consider the integration of DevOps into their development processes as ...
Ajay

Deep learning to avoid real time computation

Avoid real time computation “The underlying physical laws necessary for the mathematical theory of a large part of physics and the whole of chemistry are ...
Andrew Marsh Washington Frank

Why should SMEs embrace Cloud ERP solutions?

SMEs & ERP Solutions Remaining competitive in the market is the primary goal of every business. For SMEs, moving to the cloud can help that ...