GDPR Compliance: A Network Perspective

GDPR Compliance

Regulations can be a tricky thing. For the most part, they’re well thought out in terms of mandating actions that a company can or cannot take – they do a really good job of telling us what we must do. Unfortunately, in many cases, that’s where they stop: figuring out exactly how to comply is up to each company.

In May 2018, the new General Data Protection Regulation (GDPR) will take effect, and this one falls squarely into that category. The thing about regulations, though – especially ones that carry real financial consequences, like GDPR – is that lack of direction is no excuse for non-compliance. In the case of GDPR, a failure to proactively address the stringent data protection and privacy requirements involved would be incredibly costly. It’s critical for organizations to start looking at how they’re going to protect sensitive data related to European citizens, and they need to have a plan for doing so mapped out soon.

What does that mean from a network security perspective? There are several steps that organizations will need to take to ensure data protection as a default setting across the network.

Know Your Data, and Where It Goes

Big Data Gives Insight to Consumer Trends

The first step is a critical one – enterprises need to understand where sensitive information resides. Many organizations already know which specific networks, sub-networks, databases, and applications collect and store certain types of sensitive data such as health records or financial information. However, there is no longer any discretion in terms of what data is classified as “sensitive.”

Whatever your old definition of sensitive data – it has to be rethought entirely. Under the GDPR, more types of data – contact information, genetic data, biometric data, and IP addresses, just to name a few – are now classified as sensitive. In order to ensure compliance, enterprises must take a fresh look at the types of data they store and process, and apply a much broader standard of sensitivity.

Unfortunately, determining which areas of the organization are storing or collecting sensitive data can be difficult. To do so, security and IT teams need to work together to survey the organization so that they can identify and document which applications are using personal information. Doing so will give you a clearer understanding of where this data comes from, and will help facilitate the process of mapping the areas of the network where this data is stored. Keep in mind, enterprises will be responsible for ensuring the security of data regardless of whether it’s stored on premise on your physical network or in the public cloud – the GDPR does not discriminate in this area.

Another benefit to mapping out where data is stored and used is that this process will help enterprises understand the extent of their shadow IT problem. Gartner estimates that, by 2020, one third of successful attacks experienced by enterprises will be on their shadow IT resources. Mapping out the data path will help organizations understand the extent of, and put an end to, undocumented applications or servers accessing and storing data.

Segmentation and Policy-Based Automation

Once you understand the applications that store and collect sensitive data, the next step is to make sure that only the appropriate zones or user groups have access to one another. This is where things like network segmentation and access rule review come into play and can have a critical role. With regulations as broad as GDPR, it’s possible that you’ll need to look at further iterations of segmentation – namely, micro-segmentation or even nano-segmentation. By creating role-specific zones, or even user-specific zones, enterprises can better enforce who has access to sensitive information. A key element to ensure a state of continuous GDPR compliance is to document the segmentation internally as a living reference. Having this unified security policy in place enables organizations to simplify the management of this process.

As any security professional understands, it’s not enough to create a one-time snapshot of your network, processes, policies, and exposure. The network is constantly changing as business needs evolve, so policy enforcement must be dynamic. Enterprises must perform regular audits of rules and rule changes to ensure that changes to their network are not affecting GDPR compliance. With so many moving parts, the process of examining, creating, and provisioning rule changes that comply with GDPR regulations can be cumbersome. Policy-based automation reduces the effort needed for compliance and avoids the errors associated with manual processes.

Enterprise networks are undergoing a major change. The transition to software-defined networks, public cloud adoption and the rise of devops have created a larger attack surface for networks along with a similar rise in complexity, creating more opportunities for human error and misconfigurations that can expose sensitive data. At the same time, regulations like GDPR are being put in place to create real financial incentives to ensure the protection of sensitive client data. When these regulations go into effect early next year, organizations that have adopted an automated, policy-based network segmentation approach will be in the best position to succeed in ensuring the safety of the data they are tasked with securing.

By Ruvi Kitov

Ruvi is the CEO and Co-Founder of Tufin, the leading provider of Security Policy Orchestration solutions. Since Tufin’s founding in 2005, Ruvi has led the company through successful growth and product development, quickly gaining more than 2,000 customers among the world’s largest enterprises; Tufin is recognized as a market leader with consistent revenue growth, resulting in top rankings in the Deloitte Technology Fast 50 and other awards.

Doug Hazelman Cloudberry

Managing an Increasingly Complex IT Environment

Managing Complex IT Environments The hybrid work model is here to stay—at least for the time being. That’s how things feel in these still uncertain times. This new way of work that has evolved from ...
Gamestop NFT

Could GameStop Issue An NFT Dividend?

NFT Dividends A Non-Fungible Token (NFT) is a piece of data that is stored on a blockchain that certifies a digital asset to be unique. An NFT can represent pictures, videos, GIFs, audio and other ...
Jim Fagan

The Geopolitics of Subsea Connectivity

Subsea Connectivity Digital transformation and the migration of data and applications to the cloud is a global phenomenon. While we may like to think that the cloud knows no borders, the reality is that geopolitics ...
Derrek Schutman

Providing Robust Digital Capabilities by Building a Digital Enablement Layer

Building a Digital Enablement Layer Most Digital Service Providers (DSPs) aim to provide digital capabilities to customers but struggle to transform with legacy O/BSS systems. According to McKinsey research, 70% of digital transformation projects don’t ...
James Crowley

Does Open-Source Software Hold the Key to Data Security?

Open-Source Software Data Security Whether you realize it or not, open-source software is everywhere in our everyday tech, from mobile phones to air travel, from streaming Netflix to space exploration. Open-source software has played a ...

CLOUD MONITORING

The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Opsview

    Opsview

    Opsview is a global privately held IT Systems Management software company whose core product, Opsview Enterprise was released in 2009. The company has offices in the UK and USA, boasting some 35,000 corporate clients. Their prominent clients include Cisco, MIT, Allianz, NewVoiceMedia, Active Network, and University of Surrey.

  • Nagios

    Nagios

    Nagios is one of the leading vendors of IT monitoring and management tools offering cloud monitoring capabilities for AWS, EC2 (Elastic Compute Cloud) and S3 (Simple Storage Service). Their products include infrastructure, server, and network monitoring solutions like Nagios XI, Nagios Log Server, and Nagios Network Analyzer.

  • Datadog

    DataDog

    DataDog is a startup based out of New York which secured $31 Million in series C funding. They are quickly making a name for themselves and have a truly impressive client list with the likes of Adobe, Salesforce, HP, Facebook and many others.

  • Sematext Logo

    Sematext

    Sematext bridges the gap between performance monitoring, real user monitoring, transaction tracing, and logs. Sematext all-in-one monitoring platform gives businesses full-stack visibility by exposing logs, metrics, and traces through a single Cloud or On-Premise solution. Sematext helps smart DevOps teams move faster.