Part 1 – Introduction
The General Data Protection Regulation, or GDPR, is due to take effect on May 25, 2018. Although the regulation was adopted by the European Parliament and the Council of the European Union to protect individuals within the European Union, its impact will be global. What follows is a four-part series containing practical advice to support your efforts to achieve GDPR compliance in the core of your network operations and security.
First, let’s be clear: Infoblox does not have a magic wand or solution that makes your organization GDPR compliant. No one has a “solution” for GDPR, because compliance involves a combination of people, process, and technology. There are of course tools that help with GDPR compliance to a greater or lesser extent, and Infoblox technology can certainly help in a network security context. But the suggestions presented here are applicable whether you are an Infoblox customer or not, and they are intended for network and security teams as you focus on supporting compliance.
It is important to view compliance as an opportunity rather than an overhead. It is a chance to improve things you have been putting off and acts as a driver to check you are adhering to standard or “best” practice.
You may remember implementing ISO 9000 accreditation (BS 5750 in the UK). One of the key principles was to document what you were actually doing and ensure there was documentation showing you did what you said you did.
The requirements of the GDPR are reminiscent of ISO 9000 accreditation, particularly the need to disclose any breach within 72 hours, along with the need to provide the details outlined in Article 33 of the GDPR. Working backward from the disclosure requirement, the assessment of any malicious activity becomes paramount. Processes around assessment will be critical in the context of the GDPR, as will the evidence that they are actually being carried out.
There is a compliance element to network security, including services such as DNS, DHCP and IP Address Management (together, DDI). In some cases these services, and the processes and security they facilitate, involve data relating to an identified data subject (“personal data” as defined by the GDPR). Data gathered from these services is critical to security (and hence to GDPR compliance), and the positive news is that DDI data is not “sensitive data” as defined by the GDPR, a category that is subject to additional protections and restrictions.
There are three topics that reside at the intersection of GDPR and DDI:
- Architecture review – Identify and reduce risk, focusing on DNS as a point of control and visibility.
- Support of security operations – Assess the impact of potential malicious network activity along with information sharing, enriching context and signaling between security tools.
- Governance around DDI data – DDI data is valuable for network security, but some of it relates to an identifiable person and therefore falls under the GDPR.
Check out the blog post for each topic for an in-depth analysis, as well as for checklists to determine whether you have achieved the identified objectives.