November 7, 2017

GDPR Compliance: A Network Perspective

By Ruvi Kitov


Regulations can be a tricky thing. For the most part, they’re well thought out in terms of mandating actions that a company can or cannot take – they do a really good job of telling us what we must do. Unfortunately, in many cases, that’s where they stop: figuring out exactly how to comply is up to each company.

In May 2018, the new General Data Protection Regulation (GDPR) will take effect, and this one falls squarely into that category. The thing about regulations, though – especially ones that carry real financial consequences, like GDPR – is that lack of direction is no excuse for non-compliance. In the case of GDPR, a failure to proactively address the stringent data protection and privacy requirements involved would be incredibly costly. It’s critical for organizations to start looking at how they’re going to protect sensitive data related to European citizens, and they need to have a plan for doing so mapped out soon.

What does that mean from a network security perspective? There are several steps that organizations will need to take to ensure data protection as a default setting across the network.

Know Your Data, and Where It Goes


The first step is a critical one – enterprises need to understand where sensitive information resides. Many organizations already know which specific networks, sub-networks, databases, and applications collect and store certain types of sensitive data such as health records or financial information. However, there is no longer any discretion in terms of what data is classified as “sensitive.”

Whatever your old definition of sensitive data was, it has to be rethought entirely. Under the GDPR, more types of data – contact information, genetic data, biometric data, and IP addresses, just to name a few – are now classified as sensitive. In order to ensure compliance, enterprises must take a fresh look at the types of data they store and process, and apply a much broader standard of sensitivity.

Unfortunately, determining which areas of the organization are storing or collecting sensitive data can be difficult. To do so, security and IT teams need to work together to survey the organization so that they can identify and document which applications are using personal information. Doing so will give you a clearer understanding of where this data comes from, and will help facilitate the process of mapping the areas of the network where this data is stored. Keep in mind that enterprises will be responsible for ensuring the security of data regardless of whether it’s stored on premises on your physical network or in the public cloud – the GDPR does not discriminate in this area.

Another benefit to mapping out where data is stored and used is that this process will help enterprises understand the extent of their shadow IT problem. Gartner estimates that, by 2020, one third of successful attacks experienced by enterprises will be on their shadow IT resources. Mapping out the data path will help organizations understand the extent of, and put an end to, undocumented applications or servers accessing and storing data.

Segmentation and Policy-Based Automation

Once you understand the applications that store and collect sensitive data, the next step is to make sure that only the appropriate zones or user groups have access to those applications and to one another. This is where network segmentation and access rule review come into play and can have a critical role. With regulations as broad as GDPR, it’s possible that you’ll need to look at further iterations of segmentation – namely, micro-segmentation or even nano-segmentation. By creating role-specific zones, or even user-specific zones, enterprises can better enforce who has access to sensitive information. A key element in ensuring a state of continuous GDPR compliance is to document the segmentation internally as a living reference. Having this unified security policy in place enables organizations to simplify the management of this process.

As any security professional understands, it’s not enough to create a one-time snapshot of your network, processes, policies, and exposure. The network is constantly changing as business needs evolve, so policy enforcement must be dynamic. Enterprises must perform regular audits of rules and rule changes to ensure that changes to their network are not affecting GDPR compliance. With so many moving parts, the process of examining, creating, and provisioning rule changes that comply with GDPR regulations can be cumbersome. Policy-based automation reduces the effort needed for compliance and avoids the errors associated with manual processes.
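The rule review and change audit described above can be expressed as a check that runs on every proposed change. The following is an added example, not code from the article or from Tufin: it assumes a simple segmentation policy in which zones holding personal data are listed explicitly, each with the source zones and services permitted to reach them, and it flags any allow rule into such a zone that the policy does not cover. The zone names, services and rules are constructed for illustration.

```python
"""Check firewall rules against a segmentation policy for zones that hold GDPR-sensitive data.

Added example (not from the article). Zone names, services and rules below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str   # source zone name, or "any"
    dst_zone: str   # destination zone name, or "any"
    service: str    # e.g. "tcp/5432", or "any"
    action: str     # "allow" or "deny"


# Constructed policy: zones flagged as holding personal data (the "living reference"
# the article recommends), and which (source zone, service) pairs may reach each one.
SENSITIVE_ZONES = {"crm-db", "hr-db"}
ALLOWED_ACCESS = {
    "crm-db": {("crm-app", "tcp/5432")},
    "hr-db": {("hr-app", "tcp/1433"), ("backup", "tcp/22")},
}


def violations(rules):
    """Return allow rules into a sensitive zone that the segmentation policy does not permit.

    A rule is a violation if it allows traffic into a sensitive zone and either uses a
    wildcard source or service, or its (source, service) pair is not in ALLOWED_ACCESS.
    """
    found = []
    for r in rules:
        if r.action != "allow" or r.dst_zone not in SENSITIVE_ZONES:
            continue
        allowed = ALLOWED_ACCESS.get(r.dst_zone, set())
        wildcard = r.src_zone == "any" or r.service == "any"
        if wildcard or (r.src_zone, r.service) not in allowed:
            found.append(r)
    return found


def audit_change(old_rules, new_rules):
    """Compare a baseline rule set with a proposed one and report what the change introduces.

    Returns added/modified rules, removed rules, and violations that exist in the
    proposed set but not in the baseline (so pre-existing issues are not re-reported).
    """
    old = {r.rule_id: r for r in old_rules}
    new = {r.rule_id: r for r in new_rules}
    added = [new[i] for i in new if i not in old or new[i] != old[i]]
    removed = [old[i] for i in old if i not in new]
    already_known = {r.rule_id for r in violations(old_rules)}
    new_violations = [r for r in violations(new_rules) if r.rule_id not in already_known]
    return {"added": added, "removed": removed, "new_violations": new_violations}


# Constructed sample rule sets: a compliant baseline and a proposed change that adds
# two rules a reviewer should reject (a lab zone reaching the CRM database, and a
# backup host granted all services to the HR database instead of just tcp/22).
BASELINE = [
    Rule("r1", "crm-app", "crm-db", "tcp/5432", "allow"),
    Rule("r2", "hr-app", "hr-db", "tcp/1433", "allow"),
    Rule("r3", "any", "crm-db", "any", "deny"),
]
PROPOSED = BASELINE + [
    Rule("r4", "dev-lab", "crm-db", "tcp/5432", "allow"),
    Rule("r5", "backup", "hr-db", "any", "allow"),
]


if __name__ == "__main__":
    report = audit_change(BASELINE, PROPOSED)
    for r in report["new_violations"]:
        print(f"REJECT {r.rule_id}: {r.src_zone} -> {r.dst_zone} ({r.service}) not in policy")
    if not report["new_violations"]:
        print("change is consistent with the segmentation policy")
```

Running the script reports r4 and r5 as violations introduced by the change, while the baseline passes cleanly. Wiring a check like this into the change-approval workflow is the "policy-based automation" the article refers to: the documented policy, not the reviewer's memory, decides whether a rule change is acceptable.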

Enterprise networks are undergoing a major change. The transition to software-defined networks, public cloud adoption and the rise of DevOps have created a larger attack surface for networks along with a similar rise in complexity, creating more opportunities for human error and misconfigurations that can expose sensitive data. At the same time, regulations like GDPR are being put in place to create real financial incentives to ensure the protection of sensitive client data. When these regulations go into effect early next year, organizations that have adopted an automated, policy-based network segmentation approach will be in the best position to ensure the safety of the data they are tasked with securing.


Ruvi is the CEO and Co-Founder of Tufin, the leading provider of Security Policy Orchestration solutions. Since Tufin’s founding in 2005, Ruvi has led the company through successful growth and product development, quickly gaining more than 2,000 customers among the world’s largest enterprises; Tufin is recognized as a market leader with consistent revenue growth, resulting in top rankings in the Deloitte Technology Fast 50 and other awards.
