Preparing for GDPR: Don’t Get Lost in Translation
The countdown is on. The General Data Protection Regulation (GDPR) will come into effect in May 2018, unifying data protection for all individuals within the European Union (EU) as well as EU citizens traveling abroad.
The transition to GDPR compliance is therefore well underway for most organizations – but that’s not to say that there isn’t plenty left to do. Light Reading, the leading networking and cloud tech portal, recently published an article by our VP of solutions marketing, Jeff Harris, looking at what organizations can expect when becoming GDPR compliant and how they can effectively navigate the new regulation in terms of network security and visibility.
Two key considerations
There are two major factors for organizations to be aware of when it comes to the GDPR’s implications for security and visibility:
- Any EU-based company must ensure that its customers' personal data (at rest or in motion) complies with GDPR.
- No data may be transported outside of the EU, except by design.
And it gets even more complicated than that. If, for example, employees of an EU-based company are using non-EU-based cloud services, GDPR requires visibility into the workings of the SaaS application, and the SaaS vendor must be transparent about its architecture. What’s more, the term ‘personal data’ as defined in the GDPR is very broad in scope – it even includes IP addresses.
The precise impact of the GDPR on an organization’s network visibility architecture depends on the specific network environment being deployed. In the transition to GDPR compliance, on-premises and private cloud architectures will probably be the easiest to handle. The public cloud is rather more complicated, thanks to its wide scope and the relative lack of control for organizations whose data the public cloud processes. As such, public cloud environments will still need regular audits and robust visibility.
In some ways, all this complexity utterly transforms traditional approaches to visibility. It’s no longer purely about opening up the network to more and more powerful analysis – it’s about balancing that opening up with restrictions on the flow of confidential data. With this in mind, how do you achieve widespread visibility and the necessary obfuscation of sensitive information in private, public and hybrid environments?
Striking the balance
Three key tools and methods that can make this process much easier are data masking, geolocation and encryption/decryption. Data masking enables any data pattern to be masked with a simple, effective GUI, while geolocation of user data can of course help identify traffic originating in the EU.
Encryption and decryption should never be stopped. SSL encryption protects, while decryption enables the identification of cyber-threats in malicious payloads that take advantage of SSL encryption's prevalence. When organizations do not want something encrypted, they can simply mask sensitive data instead of encrypting it – but the two techniques should not be seen as interchangeable.
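To make the masking and geolocation ideas above concrete, here is an added example (not code from the article or from Ixia's products) that masks the IP-address fields in exported flow records, keeping only the network prefix so subnet-level analysis still works, and flags records whose source falls in an EU range. The sample log lines and the EU prefix table are constructed for illustration.

```python
import ipaddress

# Constructed sample flow records, as a visibility tool might export them.
SAMPLE_LOGS = [
    "2018-05-25T10:01:02Z src=203.0.113.45 dst=198.51.100.7 bytes=512",
    "2018-05-25T10:01:03Z src=2001:db8:1234:5678::1 dst=198.51.100.7 bytes=2048",
    "2018-05-25T10:01:04Z src=192.0.2.17 dst=198.51.100.7 bytes=128",
]

# Constructed stand-in for a geolocation database (documentation ranges only).
EU_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def mask_ip(ip_str, v4_keep=24, v6_keep=48):
    """Zero the host part so the value still supports subnet-level analysis
    but no longer identifies a single device (IPv4 keeps /24, IPv6 keeps /48)."""
    ip = ipaddress.ip_address(ip_str)
    keep = v4_keep if ip.version == 4 else v6_keep
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def is_eu(ip_str):
    """True when the address lies in one of the (constructed) EU prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in EU_PREFIXES)


def mask_record(line):
    """Mask every key=value field whose value parses as an IP address.
    Returns (masked_line, eu_source) so the caller can route EU records separately."""
    out, eu_source = [], False
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            out.append(token)
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:        # not an IP field (timestamp, byte count, ...)
            out.append(token)
            continue
        if key == "src" and is_eu(value):
            eu_source = True
        out.append(f"{key}={mask_ip(value)}")
    return " ".join(out), eu_source


def mask_all(lines):
    return [mask_record(line) for line in lines]
```

Masking happens before the records leave the EU-controlled domain, so the downstream analysis tool never receives a full address.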
Beyond the EU network
It’s important to remember that any organization even touching data that belongs to EU citizens must offer the same protection, even if it is outside the EU. This can get complicated if a system is used for both EU and US citizens, such as a bank’s ATM. The growth of hybrid cloud environments makes this even more complicated. If an organization processes data both on-premises and in the cloud, encryption between the two domains is mandatory.
Visibility can be difficult in these circumstances. But again, data masking can help. Extended into the cloud, it can ensure that those responsible for building visibility into a SaaS offering, or within a private cloud, will maintain GDPR compliance. Organizations cannot always control how others handle data, but they can control what they choose to deliver.
Read the full article by Jeff here to find out more about how your organization can start taking the right steps towards GDPR readiness across your network infrastructure.
Learn more at Ixia Solutions for GDPR.