Last updated Feb 15th, 2020 by Dan Rheault

While industry regulations mandate what we must do, they typically fall short on how to do it.  The new GDPR regulation that takes effect next May is no different in this regard. However, failing to proactively address GDPR’s upcoming data security and access requirements can carry significant financial penalties.  Thus, companies must start identifying how to sufficiently protect any sensitive data that they retain on EU citizens.  And they need to start now.

This is the first of four posts discussing GDPR from a network security perspective, which we hope you will find helpful as you begin your enterprise’s network security planning efforts.

For those that are just starting their research, we also recommend that you review our on-demand recording of The ABCs of GDPR: Here’s what you need to know, featuring guest panelist Jonathan Armstrong, Compliance and Technology Lawyer, Partner at Cordery.

Data Protection by Default and Design

In your organization, you may have already determined specific networks, sub-networks, applications, and databases that collect or store sensitive information such as financial or health records. You must be careful to update these records since, under GDPR, the traditional definition of “sensitive” data has been expanded to include additional types of information, including IP addresses, contact information, genetic data, and biometric data (to name a few). We recommend that companies apply a broad interpretation of sensitive data to avoid any potential GDPR policy violations and associated penalties for misidentifying this data.

To determine which parts of the network may be collecting or storing sensitive data, IT and security teams should first survey the organization to identify and document which applications are using personal information. This will provide a better understanding of where this data originates and help map where sensitive data is ultimately stored. Whether the data resides in your physical network or the public cloud, your organization holds responsibility for ensuring its security. While your organization likely already has a strong understanding of many of their internal business applications, it’s critical to ensure that undocumented applications don’t put your sensitive data at risk. By mapping out where the data exists and where it’s used, companies can shine a light on any Shadow IT that may exist and ultimately prepare to adhere to GDPR’s impending mandates.

Once a full understanding of the network’s sensitive data aggregation and storage zones are documented, ensuring that only the appropriate network zones or user groups have access to one another is critical. Network segmentation and access rule review play a major role here. Further iterations of segmentation can be taken with an eye to micro-segmentation – even nano-segmentation – as appropriate to meet the security policy compliance requirements of GDPR. The continuous refinement of segments into smaller documented zones goes to the heart of a zero-trust model. Role-specific – or even user-specific – zones provide the ability to limit only critical connectivity between zones, which once constructed can offer a Unified Security Policy. You can document this internally as a living reference document and network security policy management solutions can help you deploy this model actively in your network to enforce security policies and ensure a state of continuous compliance with GDPR.

Apart from segmentation, organizations must perform consistent reviews of rules and rule changes to ensure that they comply with GDPR.  The process of analyzing, designing, and provisioning specific rule changes to align with the policy requirements of GDPR can be complicated and time-consuming, especially for organizations that include hybrid cloud environments as part of the network.  An automated, policy-based approach to rule analysis can eliminate the burden of manually maintaining compliance. Not only can this approach help to meet the requirements of GDPR, it will design new rules that are the least permissive while still ensuring necessary connectivity.

Aside from effectively designing new rules with security policy as the guide, regular reviews of existing rule sets should be conducted to identify unused or risky rules and eliminate them to reduce the overall risk that they pose. However, manual review of rules is tedious and prone to errors. An automated policy-based rule analysis can identify unused rules in a fraction of the time it takes some to manually identify the same and leaves it to the discretion of the security professional when to decommission the rule.

Additionally, as organizations continue to place an emphasis on control over their data – more so now with the inevitability of GDPR – accurately and efficiently defining network security rules for greenfield software-defined environments is paramount. Using a policy-based approach, you can ensure that any new rules will comply with regulations such as GDPR and continue to protect your sensitive data.

The network is now more dynamic than ever with the shift from physical to software-defined networks and the adoption of the public cloud by DevOps.  With this change comes an expansion of the organization’s network attack surface and a higher risk of breach due to manual misconfigurations. An automated policy-based network security approach enables organizations to proactively identify and address risky rules, decommission legacy objects, and provide organizations full visibility across their hybrid network – all of which helps companies comply with the new regulations mandated in GDPR.