The European Union’s General Data Protection Regulation (GDPR) has been the talk of the enterprise town since 2016.
Dubbed the world’s most stringent data protection law, it obliges organizations that collect, store, and process personal data of EU residents (or “data subjects”, as the legislation puts it) to be accountable for any form of misuse and exploitation and keep it safe from breaches.
Whereas keeping sensitive customer information intact has always been a priority for most businesses, the law turned lax data protection into a punishable blunder.
Faced with a combination of reputational risks and possible penalties of up to 4% of annual revenues, companies that provide services to people in the EU have been busy ramping up efforts to hone their data protection mechanisms.
When it comes to data security, GDPR prescribes the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Thankfully, there is no need to reinvent the wheel, as plenty of security controls are readily available. Some of them are turnkey tools, some are organizational policies, and others are elements of a data protection philosophy every enterprise should master.
Without further ado, let’s take a closer look at these instruments.
Data Loss Prevention (DLP)
As its name would suggest, a Data Loss Prevention system is geared toward identifying and thwarting leaks and destruction of organizations’ proprietary data as well as customers’ personally identifiable information (PII).
It automatically detects security policy violations and unauthorized attempts to exfiltrate data out of a company’s boundaries, instantly notifying the security team about the risk.
DLP fends off insider threats, hacker attacks, and accidental leaks by pinpointing suspicious data transfers between corporate endpoints and at the network edge.
Such a solution also forms a solid layer of defense against ransomware raids that increasingly combine encryption and data theft to pressure victims.
Security Information and Event Management (SIEM)
With more than a decade of track record in the security industry, these mature solutions give IT professionals actionable insights into the state of the infrastructure under their supervision by aggregating data from multiple sources across the organization, including applications and network gear.
Most importantly, a tool like this establishes correlations between different events and extracts meaningful information out of seemingly unrelated logs.
When a red flag is spotted, SIEM lets security personnel know by displaying an alert in its dashboard or sending an email notification.
The ability to uncover foul play at its early stages makes such a system an incredibly effective instrument for compliance purposes, thereby helping companies meet the requirements of GDPR.
Intrusion Detection / Prevention System (IDS/IPS)
Because most data leaks occur in the aftermath of attacks from the outside, the role of an Intrusion Detection System in identifying such scenarios can be paramount.
It leverages a mix of signature-based and statistical anomaly detection to check all network traffic for dubious patterns and reports activity that deviates from the norm. An Intrusion Prevention System, in its turn, takes action by blocking malicious traffic.
When working in concert, these two solutions can forestall security incidents that would otherwise fly under the radar of a classic network firewall.
IDS/IPS can also be used to enforce in-house security policies. For instance, if only one VPN service is allowed within an enterprise network, the system will block any other VPN connection attempts.
Zero Trust Network Access (ZTNA)
“Never trust, always verify” is the principle that underlies the functioning of a ZTNA solution. It creates a framework in which no user or resource is privileged or trusted by default.
The system allows security staff to specify different access controls for different segments of the network, which is a great way to thwart an intruder’s lateral movement across the protected environment and harden the security of the most sensitive data assets.
Secure Access Service Edge (SASE)
The idea behind SASE gained momentum in light of the booming transition to telework during the coronavirus emergency.
The traditional protection model, which focuses on preventing outside threats from breaking through an organization’s perimeter, has become far less effective under the new circumstances.
With more employees connecting to corporate resources remotely from different devices, SASE uses cloud services to deliver a combination of wide-area networking (WAN) and security tools directly to the source of the connection, such as an endpoint, a branch office, or an edge computing location.
This approach helps companies step up their access control practices and comply with regulations like GDPR.
Identity and Access Management (IdAM)
While the above-mentioned ZTNA and SASE solutions facilitate secure access to enterprise resources, IdAM takes it a step further. It spans a complete spectrum of policies and technologies to make sure that only verified users can access data assets.
The IdAM deployment cycle starts with assigning identities to specific individuals based on their positions in the corporate hierarchy. The next stage is to determine the authentication mode for different user roles.
The classic username and password combination, multi-factor authentication, biometrics, or single sign-on (SSO) are common methods to choose from. From there, network administrators use IdAM to specify what enterprise resources a person is authorized to access.
An important benefit of leveraging such a system is that it additionally provides a framework to create and maintain a central user repository, where identity information is synchronized across all systems to reflect password changes or the revocation of credentials when an employee leaves the organization.
Pseudonymization
Pseudonymization means stripping data of details that may allow a third party to attribute it to a specific individual.
In practical terms, this can be accomplished by substituting the identifying fragments of a data record with random identifiers.
This mechanism makes the information useless for malicious actors who may obtain it via breaches or other cyberattacks.
The original pieces of the “puzzle” are stored separately and can be used according to a predefined algorithm so that the organization can continue to process data and carry on with its customer services.
Whereas GDPR recommends this technique rather than strictly requiring it, it can be a game-changer if a security breach occurs.
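The following is an added example (not code from the article) showing the pseudonymization workflow just described: identifying fields are replaced with random tokens, the original values live only in a separately stored lookup table (the hypothetical `Vault` class here), and the pseudonymized records remain usable for processing such as per-customer totals. The sample records are constructed.

```python
import secrets

# Constructed sample records; the names and addresses are not real data.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 42.50},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 17.00},
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 9.99},
]
PII_FIELDS = ("name", "email")

class Vault:
    """The separately stored 'puzzle pieces': maps tokens back to original values.
    Only this object can re-identify a record, so it must live apart from the
    pseudonymized dataset under strict access control (assumed design)."""

    def __init__(self):
        self._to_value = {}   # (field, token) -> original value
        self._to_token = {}   # (field, value) -> token already issued

    def token_for(self, field, value):
        # Reuse the token for a value already seen so records of the same
        # person stay linkable for analysis without revealing who they are.
        token = self._to_token.get((field, value))
        if token is None:
            token = secrets.token_hex(8)  # 16 hex chars, unpredictable
            self._to_token[(field, value)] = token
            self._to_value[(field, token)] = value
        return token

    def value_for(self, field, token):
        return self._to_value[(field, token)]

def pseudonymize(record, vault, pii_fields=PII_FIELDS):
    """Return a copy of record with each PII field replaced by a token."""
    out = dict(record)
    for field in pii_fields:
        out[field] = vault.token_for(field, record[field])
    return out

def reidentify(record, vault, pii_fields=PII_FIELDS):
    """Inverse of pseudonymize; needs the vault, which a breach should not expose."""
    out = dict(record)
    for field in pii_fields:
        out[field] = vault.value_for(field, record[field])
    return out

def spend_per_customer(pseudo_records):
    """Processing still works on pseudonymized data: group by the email token."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["email"]] = totals.get(rec["email"], 0.0) + rec["order_total"]
    return totals
```

A stolen copy of the pseudonymized records carries only tokens; without the vault there is no way back to the individuals.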
Data encryption
Encrypting data at rest, in use, and in transit is one of the pillars of GDPR compliance. With this procedure in place, personal information is scrambled with a cipher.
The only way to make it legible again is to use a secret decryption key, which is available to a very limited range of users in an organization.
The logic of this practice is crystal clear: if an adversary gets hold of sensitive data, they get absolutely no mileage out of it unless they have the right key. The same goes for double-dealing employees who may want to hand over customer records to a third party.
Even if there are weak links in a company’s cryptographic workflows, the use of encryption per se is a mitigating circumstance in the case of a leak.
It should have a positive effect on the authorities’ decision on whether or not to impose a fine.
Incident response plan (IRP)
An organization needs to outline clear-cut procedures that kick in if a personal data breach occurs. This is sort of a roadmap that walks you through an incident, from identifying the incursion as early as possible, all the way to complete recovery.
The classic IRP includes the following stages:
- preparation for a potential cyberattack;
- detection and analysis;
- containment and eradication of malware or another attack catalyst;
- recovery;
- lessons learned.
To abide by GDPR provisions, an organization must complement this set of incident response steps with timely notification of the national Data Protection Authority (DPA) within 72 hours of discovering a personal data breach.
In certain situations, if it is likely that the breach would result in a high risk to individuals’ rights and freedoms, these individuals should also be notified without delay.
Final thought
In a paradigm where the cost of a slip-up can reach tens of millions of Euros, companies should spare no effort to secure personal data they store and analyze. When it comes to GDPR compliance, there is no such thing as a one-size-fits-all tool.
Every organization should align its choice of suitable security controls with the peculiarities and scope of its network architecture, the industry it represents, the budget it can allocate for these purposes, and the amount of sensitive customer information it handles.
Author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.