GDPR Regulations Are Essential for Security Everywhere
The “wild, wild west” era of the digital marketplace is gone. Today, we understand the harm that can come from unauthorized disclosure of financial, personal identification, and medical information. Article 32 of the GDPR lists four security measures that should resonate across nations and jurisdictions and be no-brainers for organizations that want to protect their bottom line, preserve their reputation, build customer loyalty, and limit their exposure to security-related fines.
1. Pseudonymization and encryption of personal data
GDPR explicitly mentions two techniques for strengthening security over personal data. The first is pseudonymization: replacing the identifiers in a record with a token or substitute value so the record no longer reveals the individual’s identity on its own. GDPR defines it as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, and requires that additional information to be kept separately and protected by its own technical and organizational measures. The “kept separately” part is what distinguishes pseudonymization from anonymization: the mapping (or the key used to derive the tokens) still exists, so re-identification is possible for those who hold it, and that mapping must be protected as carefully as the original data. As a provider of network visibility solutions, Ixia offers a related feature called ‘data masking’ in its network packet processing engines (Vision ONE and CloudLens). Data masking can be programmed to overwrite any payload bytes that match a specified pattern (a credit card number or national ID, for example) before the packet is handed to a monitoring tool, and multiple masks can be applied to the same packet. The purpose is to protect the actual data while still giving the tool a functional substitute. Note that masking on the wire is irreversible unless a mapping is retained elsewhere, so it serves data minimization for monitoring traffic rather than pseudonymizing the stored data set itself.
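The distinction above, between a keyed pseudonym that can be reversed by whoever holds the separately stored mapping and an irreversible mask, is easy to see in code. The following is an added example, not Ixia’s data-masking implementation nor any code from the original article: it runs a few constructed log lines (fictional accounts and numbers) through pattern-based pseudonymization using HMAC-SHA256 under a secret key, keeps the pseudonym-to-original mapping in a separate “vault” dictionary standing in for the GDPR’s additional information, and contrasts that with a plain mask that keeps nothing. The patterns, the key and the line format are assumptions chosen for the sample.

```python
import hashlib
import hmac
import re

# Constructed sample application-log lines (fictional users and numbers).
SAMPLE_LINES = [
    "2018-05-01 10:00:01 login ok user=alice@example.com ssn=123-45-6789",
    "2018-05-01 10:00:07 login ok user=bob@example.org",
    "2018-05-01 10:00:12 login ok user=alice@example.com ssn=123-45-6789",
]

# Hypothetical PII patterns for the sample above: an e-mail address and a
# US-style social security number. Real deployments need their own list.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def pseudonym(value, key, kind):
    """Deterministic keyed pseudonym: HMAC-SHA256 of kind:value, truncated.

    The same input always maps to the same token, so records remain linkable
    for analytics, but without `key` nobody can recompute or invert it.
    """
    tag = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{kind}_{tag}"


def pseudonymize_line(line, key, vault):
    """Replace each PII match with its pseudonym and record the mapping.

    `vault` is the GDPR 'additional information': it must live on a separate,
    access-controlled system, never beside the pseudonymized records.
    """
    out = line
    for kind, pattern in PATTERNS.items():
        def replace(match, kind=kind):
            token = pseudonym(match.group(0), key, kind)
            vault[token] = match.group(0)
            return token
        out = pattern.sub(replace, out)
    return out


def pseudonymize_lines(lines, key):
    """Pseudonymize a batch of lines; returns (lines, vault) as separate objects."""
    vault = {}
    return [pseudonymize_line(line, key, vault) for line in lines], vault


def reidentify(token, vault):
    """Reverse a pseudonym. Only works for whoever holds the vault."""
    return vault.get(token)


def mask_line(line):
    """Irreversible masking, like overwriting payload bytes on the wire:
    matches are replaced by X's of the same length and nothing is retained."""
    out = line
    for pattern in PATTERNS.values():
        out = pattern.sub(lambda m: "X" * len(m.group(0)), out)
    return out


if __name__ == "__main__":
    pseudo, vault = pseudonymize_lines(SAMPLE_LINES, b"demo-key-keep-me-elsewhere")
    for line in pseudo:
        print(line)
    print("vault entries:", len(vault))
    print(mask_line(SAMPLE_LINES[0]))
```

The first and third pseudonymized lines carry the same `email_…` token, which is what makes pseudonymized data still useful for session analysis, whereas the masked line loses that linkage entirely. Rotating the key yields a completely different token set, so a key leak can be contained by re-pseudonymizing.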
The second technique is encryption. Until fairly recently, many people believed data encryption would impede business and be too expensive for organizations to use in day-to-day transactions. That perception has changed as the cost of data breaches continues to rise and put reputation and customer loyalty at risk. The trend toward a totally encrypted Internet continues, and many companies now treat encryption as a necessary cost of operation. Under GDPR, encryption is explicitly named as an appropriate measure for securing personal data, and it also reduces the fallout of a breach: Article 34 exempts a controller from notifying affected individuals when the breached data was rendered unintelligible to unauthorized parties, for example by encryption with keys that were not themselves compromised. That last condition matters; encrypted data stored beside its key is not protected in any sense a regulator will recognize.
The sometimes-hidden cost of encryption is that traditional security appliances and application and network monitoring solutions are not equipped to process encrypted traffic. This inspired Ixia to introduce a new feature in our network packet broker: active SSL/TLS decryption (and re-encryption). With this feature, our customers can decrypt packets once, provide the plaintext needed by their security and monitoring tools, and then re-encrypt the data before forwarding it into their networks. Keep in mind that the decrypted stream is personal data in the clear: the packet broker, the tools it feeds, and any capture they retain fall under the same GDPR obligations as the original data, so inspection should be limited to what each tool needs and the private keys or interception certificates used for decryption must be protected like any other key material.
2. Confidentiality, integrity, availability, and resilience of data processing
GDPR obliges both data controllers (the party that decides why and how personal data is processed) and data processors (the party processing it on the controller’s behalf) to implement technical and organizational measures that ensure “a level of security appropriate to the risk” of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data during processing and transfer. That is not a new concept, but GDPR takes it to a new level by requiring organizations to weigh the impact of a breach on the affected individuals, not just on the organization itself. Significant fines are specified for failure to meet this requirement (Article 83 sets the ceiling for security violations at 10 million euros or 2% of worldwide annual turnover, whichever is higher). Beyond the four measures listed in Article 32, the regulation prescribes no specific controls; what it expects is a risk-based security strategy that is actually implemented and documented, which is also the best position to be in when a breach has to be explained to a supervisory authority.
Defending an enterprise against increasingly advanced cyber security attacks is the main purpose of a network visibility platform. Unless an organization has complete visibility into all of the traffic crossing its networks, attackers can hide in encrypted packets, slip through overlooked network ports, exploit overloaded security tools that drop packets, or target applications running outside the data center in the public cloud. At Ixia we say, “Our solutions shrink your security attack surface,” meaning that we help you shut down the most-abused routes criminals use to get around your security systems.
Security resilience is also key to GDPR and an important aspect of Ixia’s visibility platform. Ixia uses a modular platform of network taps, bypass switches, and packet processors to collect data from across the entire organization, filter as needed, and deliver it efficiently to all of your security solutions, whether they are located in the data center or in the cloud. Micro-second failover to a healthy tool keeps traffic flowing to your security solutions, so you do not have to choose between staying online and letting uninspected data into your network. One configuration point deserves attention here: a bypass switch exists to keep the link up when an inline tool fails, and in its default fail-open mode it does so by forwarding traffic uninspected. Decide explicitly, per link, whether a total loss of inspection capacity should fail open (availability first) or fail closed (confidentiality first), and test that the heartbeat actually triggers the behavior you chose.
3. Recovery processes in the event of a data breach
The third area of security required under GDPR concerns how an organization is set up to respond to a security incident: Article 32 asks for the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident. Sadly, no matter how well prepared we are and how strong our prevention solutions, an attack is still possible. This means detection and forensic solutions are just as important to your security as your inline security appliances, particularly since Article 33 gives a controller 72 hours from becoming aware of a breach to notify the supervisory authority, and the clock cannot start until the breach is noticed. Again, full visibility is key to quickly identifying anomalies or unexpected behavior and to reconstructing what happened. Ixia’s total visibility platform serves both inline and out-of-band security solutions to accelerate your response to any breach.
4. Regular testing, assessing, and evaluating of security
The last security requirement mentioned in GDPR should really be the starting point: regular security testing. Whether you’re deploying new infrastructure or updating existing solutions, validating security processes helps ensure your solutions are configured properly and performing as expected. Out-of-date software has led to many highly damaging recent breaches and is frequently exploited by opportunistic attackers. Testing the strength of your network and security architecture under realistic conditions, including both high-volume traffic and known malicious packets, is necessary to ensure an appropriate defense; a tool that is never driven to its rated throughput can silently drop packets at the very moment it matters. Ixia has a long history of offering robust testing solutions to bullet-proof network operation and security. You can find out more about how to stress test your security environment using our flagship product, BreakingPoint, in advance of the GDPR enforcement date on May 25, 2018.
Finally, here’s a nifty little site that can tell you exactly how long you still have to prepare for GDPR: https://days.to/25-may/2018.