GDPR readiness - time to prioritize what you have left to do
It seemed so far out there at one time—the May 25, 2018 effective date for the European Union’s General Data Protection Regulation (GDPR). But time waits for no one, as they say, and the day has finally arrived. If you’re one of those people who tend to do things at the last minute—it’s time to get busy. Colleagues traveling in Europe last week tell me GDPR was a hot topic as people were keen to know what others were doing to protect customer data and secure their networks.
Many organizations probably think their ongoing commitment to IT security has them in a good position as GDPR goes into effect. A couple months back, the Redlock Cyber Security Intelligence team decided to put that assumption to the test and evaluated the compliance of the public cloud environments they monitor against key industry standards—just to see how well-prepared organizations were. They found that, on average, organizations failed to comply with 55% of CIS Foundation best practices, 47% of PCI requirements, 44% of HIPAA requirements, and 32% of SOC 2 best practices (1).
Here at Ixia—now a Keysight business—we focus on the use of total network visibility to help ensure security over data and applications. This time last year, I posted a blog discussing common weaknesses in network visibility that could have implications for GDPR compliance. “What Does Network Visibility Have to Do with GDPR?”holds up pretty well and I encourage you to scan the list of weaknesses to see if you’ve addressed them in your environment.
One of the topics that was mentioned then, but not covered in detail, was how to achieve visibility in the cloud. With one more year in the rear-view mirror, this topic seems much more critical than it did then. Cloud continues to expand and is now the dominant IT model with many production workloads processed on public cloud infrastructure (2). While security researchers report none of the breaches to public cloud services in 2017 were caused by negligence on the part of cloud service providers (3), cloud users are another story. Attackers are quickly learning how to leverage vulnerabilities in the cloud such as risky configurations, weak access controls, and inadequate monitoring. It’s a good time for cloud users to focus on security hygiene and integrate security best practices more fully into cloud operations.
Even without the aggressive push we are getting from GDPR, cyber security is a serious and growing concern for every organization. As we noted in the 2018 Ixia Security Report, security practices have lagged the shift to cloud operations.
Many organizations are focused on increasing the speed of detection and recovery, to limit the damage of any breach or intrusion that does take place. Identifying anomalies and correlating independent events, which used to be done manually by skilled researchers, is now possible using new security analysis tools. This can take security to a higher level, but these powerful solutions need access to the granular detail from deep inside data packets to work effectively. Packet header and log data are not sufficient.
A cloud visibility platform can give your security solutions access to packet-level data. The ability to set filters remotely, from any location, can also improve the efficiency of these solutions, by limiting the amount of irrelevant data they need to process. If you’re not providing packet data to your security solutions, GDPR gives you additional incentive. Visit Ixia CloudLens, to discover the other benefits of a cloud-native visibility platform.
For more information on GDPR readiness, visit Ixia GDPR Solutions.
(1) Redlock: "Cloud Security Trends," Redlock Cyber Security Intelligence team, February 2018, accessed online.
(2) Rightscale: "2018 State of the Cloud Report," February 2018, accessed online
(3) Redlock, ibid.