The Three Faces of IT
The “IT” function has been alive and well for over more than half a century. In fact, if you trace Information Technologies all the way back to the earliest IBM...
May 10, 2018
The new European General Data Protection Regulation (GDPR) requires that your IT network meets strict standards for IT and data security. The regulations can be difficult to understand and ensuring GDPR compliance can be a nightmare if you’re tasked with managing a large enterprise network. Where do you begin?
It’s not enough to be in compliance with GDPR – you have to prove it with documentation. And trying to document an enterprise network manually is playing with fire.
In this article we’ll discuss how to address the GDPR regulations related to your network. You’ll learn how network automation can help you visualize and document your IT network, take appropriate measures and put automated processes in place for your network environment, and ensure ongoing security and compliance with the GDPR statutory standards.
Common questions related to GDPR for IT and data security teams include:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a new regulation on data protection and privacy for all individuals within the European Union as well as the export of personal data outside the EU. The GDPR requirements begin on May 25, 2018.
The goal of the GDPR is to unify the statutory standards within the EU and increase data protection in the countries of the EU. EU citizens must give their express consent to the processing of their personal data. In addition, they have the right to have this information deleted if it is no longer needed for the purpose for which it was collected, or if the consent is withdrawn. The type of the data and the duration of time for which it is stored must be clearly understandable for individuals. Furthermore, companies that record and use personal data must be able to prove that they have consent for the data to be processed.
Among other things, companies must also report breaches of data protection to the supervisory authorities within 72 hours.
It should also be noted that although the GDPR is a regulation for the countries of the EU, it also applies to all companies worldwide that offer goods or services in the EU as well as to those who have European employees and therefore record, process, and store the data of EU citizens.
“44 percent of companies surveyed are not yet sufficiently prepared for the GDPR and have taken no specific technological or organizational measures to prepare for it.”
– IDC Research
The new GDPR regulations have substantial effects on how your company manages data in a network environment. Penalties for non-compliance are very stiff – fines of up to four percent of the company’s annual turnover or up to 20 million euros – in addition to the affected person’s right to damage compensation.
To avoid these penalties, you’ll need to be able to ensure that your network is compliant – and be able to prove it.
The GDPR ascribes very high importance to IT security. One of the most important regulations in the GDPR in this regard is Article 32. This article describes which criteria are to be applied to technical and organizational measures in order to achieve a suitable level of security:
[su_box title=”Article 32 of the GDPR (excerpt)” box_color=”#279dd8″]
With due regard to the state of the art, the costs of implementation and the type, scope, context and purposes of processing, as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall take suitable technical and organizational measures to ensure a level of protection that is appropriate to the risk; these measures include, but are not limited to, the following:
In particular, the risks that are associated with processing – especially through destruction, loss or modification, whether unintentional or unlawful, or unauthorized disclosure of and/or unauthorized access to, personal data that was transmitted, stored or otherwise processed – must be considered when the appropriate level of protection is assessed.[/su_box]
If you’re just getting started planning GDPR for your IT network, it can be hard to know where to begin.
Network automation can help you simplify the planning and implementing of GDPR in a network environment — as well as to help you prove ongoing compliance. Network Automation can help you:
Below we outline the six most important steps to achieve a GDPR-compliant network — and discuss how network automation can ensure your organization stays in compliance.
The first step to address GDPR compliance is to review a current, end-to-end overview of your network to understand the data streams which can contain security risks.
Comprehensive documentation is one of the most important steps needed to be able to prove compliance with GDPR statutory standards. But manual documentation of existing network infrastructure is time-consuming and costly, and this documentation is outdated almost as soon as it is completed.
Thanks to in-depth network discovery and Dynamic Maps, NetBrain allows you to get a comprehensive overview of your entire network infrastructure at any time on demand in seconds – even in multi-vendor and hybrid environments (physically/virtually/software-defined). It can even update automatically each time a network change occurs.
This allows you to ensure 100% accuracy of your network documentation — providing total transparency while saving time and money — to confidently address risks related to GDPR compliance requirements.
If information on your network infrastructure is distributed across different tools it is difficult to get insights to recognize, document, and immediately respond to network problems, attacks, and security breaches. This is very dangerous because GDPR requires you to maintain (and prove!) compliance across your entire network at any time.
NetBrain offers a RESTful API framework that integrates other network-management solutions such as monitoring, security, ticketing, and logging systems. Information from these tools can be visualized in a single location to be used for comprehensive analyses regardless of data source, quantity, or format.
For example, if an incident occurs in a ticketing or monitoring system, a NetBrain diagnosis can be initiated automatically so that the data can be visualized and immediately analyzed. IT staff can also incorporate security diagnoses (IDS/SIEM) via API in order to identify the affected network segment in the network map to depict the threat from an attack on the company network.
“60 percent of companies do not think that their data is sufficiently protected, and 63 percent must modernize their security architecture to comply with GDPR.”
– The Ponemon Institute
NetBrain’s adaptive network automation examines each network configuration on the basis of a range of pre-defined compliance rules for each device:
If a device is not performing in compliance with the law, our software will alert you.
Fixing security vulnerabilities is also often still a manual — and very slow — process. NetBrain automates this process quickly and reliably. The required changes can be implemented in an ITIL-compliant manner with an additional change-management module.
Implementing guidelines and defined security precautions can be a challenge.
Most companies make continuous changes to their networks but often do not document these changes sufficiently or do not observe the security guidelines in the process – and they diverge further and further from the statutory standards.
IT staff can prevent this by using executable runbooks from NetBrain to implement recurring tasks and rules and running these repeatedly at defined times. These runbooks may also contain design guides and best practices in order to be able to carry through established procedures for a secure IT infrastructure.
For example, after a change in the network infrastructure, the administrators can execute a runbook to evaluate vulnerabilities to ensure that these correspond to the pre-defined security standards.
In order for companies to be able to prove at any time that their infrastructure is secure and their data management practices comply with GDPR, they must use tools that require the least possible amount of manual operations and instead provide the desired information and documentation at the touch of a button.
Increasing the degree of automation for network analyses, data visualizations, diagnoses, and audit documentation will ensure that the results are more efficient, accurate, and consistent.
Modern IT infrastructures are no longer static — they often change continuously. This also applies to the threat situation.
In order to be able to ensure sustained compliance and guarantee IT security, companies must view compliance with standards as an ongoing process and not a one-time procedure. The cooperation of various teams (security, network, organization, etc.) is also necessary for these processes to run smoothly.
With NetBrain, these teams can collaborate on the same network plan during triage and forensics to prevent attacks. This ensures that the procedures for compliance with GDPR statutory standards are implemented consistently and that all IT teams follow the defined security practices in unison, even if they are distributed over various locations.