[Part 1/4] Practical Advice to Network and Security Operations Pros Regarding GDPR Compliance

Share On Facebook
Share On Twitter
Share On Linkedin

Part 1 – Introduction

The General Data Protection Regulation or GDPR is due to take effect on May 25, 2018. Although the regulation was designed by the European Parliament, the Council of the European Union and for the individuals within the European Union, the impact of the regulation will be global. What follows is a four-part series containing some practical advice to support the efforts in achieving GDPR compliance in the core of your network operations and security.

First, let’s be clear, Infoblox does not have a magic wand or solution that makes your organization GDPR compliant. This is because no one has a “solution” for GDPR because it involves a combination of people, process, and technology. There are of course tools to help with GDPR compliance to a greater or lesser extent and certainly, Infoblox technology can help in a network security context. But the suggestions presented here are applicable whether you are an Infoblox customer or not and are intended for network and security teams as you focus on supporting compliance.

It is important to view compliance as an opportunity rather than an overhead. It is a chance to improve things you have been putting off and acts as a driver to check you are adhering to standard or “best” practice.

You may remember implementing ISO 9000 accreditation (BS 5750 in the UK). One of the key principles was to document what you were actually doing and ensure there was documentation showing you did what you said you did.

The requirements of the GDPR are reminiscent of ISO 9000 accreditation, particularly the need to disclose any breach within 72 hours, along with the need for the details outlined in Article 33 of the GDPR. Working backward from the disclosure requirement, the assessment of any malicious activity becomes paramount. Processes around assessment will be critical in the context of GDPR, as will the evidence that they are being carried out.

There is a compliance element to network security, including services such as DNS, DHCP and IP Address Management (DDI). In some cases, these services, and the processes and security they facilitate involve data relating to an identified data subject (“personal data” as defined by the GDPR). Data gathered from these services is critical to security (and hence GDPR) and the positive news is that DDI data is not “sensitive data” as defined by GDPR, which is subject to additional protections and restrictions.

There are 3 topics that reside at the intersection of GDPR and DDI:

  • Architecture review – Identify and reduce risk, focusing on DNS as a point of control and visibility.
  • Support of security operations – Assess the impact of potential malicious network activity along with information sharing, enriching context and signaling between security tools.
  • Governance around DDI data – DDI data really helps in terms of network security but some of it will fall under the GDPR as some DDI data relates to a person.

Check out the blog for each topic for an in-depth analysis as well as for checklists to determine if you have achieved the identified objectives.

Labels:

Jim Mozley

Staff Threat Intelligence Analyst, DNS Security at Infoblox

Jim Mozley has worked for Infoblox since July 2006. He has safely migrated many large customers from their existing DNS and DHCP services to Infoblox. He also led the EMEA professional services team as it has grown up, mentoring new staff members along the way. Jim has worked as a consultant for Infoblox customers, bringing the best of breed design, architecture and integration to some of EMEA’s largest enterprises. He now works as a Threat Researcher within Infoblox’s Cyber Intelligence Unit. Prior to Infoblox Jim has spent of a lot of time being the “systems guy” in networking teams. This has included work with the type of network services found at ISPs such as DNS, mail transfer agents, RADIUS, etc. and extensive work on network management systems. He has also developed workflow tools and databases in the areas of fault management, network topology and gluing systems together. Jim has held both engineering and management roles, so has an appreciation of the challenges involved in both. He has come into the technology industry through a service desk and then systems administration route, but that was a long time ago when he had more hair.

View All Posts
×