Now that organisations are a little more savvy about the General Data Protection Regulation (GDPR) and the legalities surrounding the exchange of personal information, it is time to really shine a light on the networks and cybersecurity policies that protect this data, especially as cloud computing and internet of things (IoT) devices provide a constantly changing array of entry points for hackers to attack GDPR-relevant data.
GDPR has had had a big impact on businesses as a result of the assessments, planning, changes and execution required for security and IT teams. Despite GDPR’s legal roots, information security technology and processes are at the core of protecting customer data, and security teams must look to assess their existing posture, harden their systems and augment their network, endpoint and cloud threat detection programs to minimise breach risks. GDPR is encouraging businesses to be proactive about data protection, but breach and incident response planning and execution is vital to prevent hackers gaining access to networks connecting that data.
GDPR, as it relates to IT security for ensuring data privacy, really is based on a foundation of situational awareness: understanding where data lives and how attackers might be able to compromise it. Acting on this situational awareness to comply with GDPR requires an approach built on three pillars: Data processing and storage assessment; breach prevention program implementation; and monitoring detection and response execution. Each pillar is integral to the success of the others, and all require ongoing refinement.
Pillar 1: Data processing and assessment
Data discovery is a major challenge for most organisations. Prior to GDPR, the typical organisation had little, if any, understanding of where all of the personal data under its care was located. To date, GDPR enforcement and penalties have been tempered by the concept of “good faith” – that is, if organisations are making a good-faith effort to comply, they can avoid penalties in these early months of the regulation. However, good faith will not last forever and, as such, is not a strategy for compliance, so significant work should have already gone into understanding the location of all data that is relevant to GDPR governance.
As part of this, access rights must also be re-evaluated along with the security controls protecting the data. Fundamental to all of this is to evaluate the potential risk to the data, so that networks, zones and security rules can be properly implemented to limit those risks.
Pillar 2: Breach prevention program implementation
The key to breach prevention is understanding the complete enterprise “attack surface” – that is, all of the potential adversary entry points onto a network and into sensitive data stores. Similar to data discovery, organisations traditionally do not have a good understanding of where all the servers, endpoints, network connectivity and other potential entry-points into the enterprise network are located. This problem has been inflamed by cloud computing, where new systems can be “spun up” in a matter of seconds, and where end-users can expand the attack surface at any moment by subscribing to cloud services. Likewise, IoT devices open a new world of vulnerability for personally identifiable information (PII). Understanding how these devices could be exploited to provide access to data is a critical step to defining the attack surface.
But, the attack surface you define today will likely be obsolete tomorrow, as new cloud assets and IoT devices are added to the network. Implementing technology that provides continuous visibility into all IT assets, across hybrid cloud/on premise environments, is critical to keeping pace with the dynamically shifting attack surface. Only then can the organisations implement the appropriate security rules, network segmentation and controls, access rights, and continuous compliance monitoring to prevent breaches of GDPR-relevant data.
Once organisations can assess and monitor their critical assets through real-time network visibility across their entire connected infrastructure, then data can be fully protected. It is likely that the GDPR will cause data to be more centralised as opposed to dispersed. Once centralised, ongoing, real-time network segmentation analysis of the “GDPR privacy” zones and networks will need to be examined continuously in real-time. This will enable compliance and real-time protection.
Pillar 3: Monitoring, detection and response execution
Now that GDPR-relevant data has been discovered and the attack surface defined and defended, identifying breaches and executing the incident response plan is the ongoing objective.
The GDPR stipulates that a breach must be reported within 72 hours to a local data privacy regulator. Historically, companies have been slow to detect whether a breach has taken place – often months or even years after the fact. To reduce attacker “dwell time” and avoid some extremely uncomfortable conversations with regulators, threat intelligence and detection strategies are vital.
The ability to consume and operationalise data is the key to reducing dwell times – both the data generated by security infrastructure, and open source and commercial threat intelligence. This capability to correlate and analyse this data will enable the discovery of compromised computers; the discovery of connectivity to command-and-control infrastructure on the Internet, as well as whether there are Dark Web exit nodes accessible from the network edge; the identification of nefarious TCP/UDP port usage by known malware exploits, or changes to the TCP/UDP port that are indicators of compromise; discovery of newly active networks, or networks that have become non-responsive; and more. Fundamentally, these capabilities expose adversaries who have penetrated the network, and enables rapid breach response and remediation.
GDPR compliance in a constantly changing world
With attack surfaces constantly shifting and attackers becoming ever-more effective, cyber situational awareness is key to GDPR compliance. Understanding the location of GDPR-relevant data, the risks to that data, and gaining visibility into network assets across hybrid environments will go a long way toward being able to protect that data, and to identify security compromises and breaches in a timely manner.
GDPR will become an increasingly heated boardroom topic as enforcement moves from the “good faith” stage to the “letter of the law” stage. Having the three pillars of GDPR compliance in place before that day will deliver tremendous benefits to organisations – not only in avoiding GDPR penalties, but also in reducing the risk of data breaches. And that will put cyber security not just at the heart of GDPR compliance, but at the heart of business success.
By Reggie Best, President, Lumeta
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.