GDPR has brought in some tough new guidelines around data breaches involving personal data, that now leave businesses open to fines of up to €10 million, or 2 per cent of annual turnover, depending upon which is higher. This has been widely discussed across industry verticals, particularly regarding the ramifications for data businesses, but very little has been said about what this means for network operators who will be responsible for transporting and storing data at different points in its journey between the user and the data centre.
As of the end of May this year, under European data protection law, organisations that control personal data have had an obligation to take appropriate technical and organisational measures to prevent unauthorised access to it. The GDPR isn’t completely new, as it replaces the Data Protection Act 1998, but it now ensures data protection policies are equipped for 21st century security threats, notably the protection of personal information or any information that can identify an individual.
Crucially, with GDPR, the same law is being enforced across all European Union (EU) member states, streamlining compliance inside and outside the region for any organisation holding EU citizens’ data. It maintains that greater duties of care must be applied by all 'controllers' and 'processors' of data; and gives individuals more control over how their data is used. Companies now have a legal responsibility to notify the relevant authorities within 72 hours of discovering a personal data breach, and, in serious cases, the data subjects affected by the breach must also be notified.
The bottom line for operators
With the potential for such large fines, organisations across every vertical need a holistic, end-to-end network security strategy that embeds security consciousness across the fabric of an entire organisation. This is no mean feat, especially for operators, as it not only includes static data, but also data in-flight. Where stored data is often protected by four walls, (ideally) extensive cyber-security protocols, and hardware and software solutions, transmitted data is relatively easy to access. With simple equipment, attackers can syphon optical data directly out of active fibre cables to gain access to information travelling through or between networks.
To ensure effective security for data in any location and at any point during its journey to and from the datacentre, it’s therefore necessary for both businesses and operators to implement security strategies and solutions that minimise the attack surface of their networks.
Implementing a holistic security strategy
Large-scale data breaches can have devastating consequences for organisations and individuals involved. By implementing a multi-layered security approach that secures traffic from connected devices throughout the network, right through to the data centre, organisations can achieve a holistic network security strategy which fulfils three core aspects of effective protection:
Network confidentiality begins at the transport layer, where fibre tapping devices can be used to steal sensitive data. To combat this, networks should encrypt all in-flight data from end-to-end, making it undecipherable and, ultimately, useless to hackers. To enhance protection, organisations can also deploy next-generation, virtualised network security solutions, which will ensure protection against the latest threats, and control plane technologies to enhance data protection capabilities.
Network integrity combats cyberattacks by ensuring that data, confirmation, and flows are not compromised or altered by unauthorised methods. To achieve true network integrity, organisations must be sure that network providers and their associated networking vendors have secure, well-documented operational procedures in place for everything from component sourcing and manufacturing to network design, deployment, and operations.
Network availability requires that technical and organisational measures ensure the continuity of data transport and processing. This includes the ongoing availability and resilience of processing systems and services, even in the event of a cyberattack or natural disaster. The network should incorporate fully redundant infrastructure components and routes – from power and processors to switch fabrics and alternative paths through the network – to ensure traffic can be rerouted on an alternative infrastructure if required, and recovered when needed.
Harnessing encryption to increase data security
The potentially eye-watering fines under GDPR are bringing significant board-level focus to personal data breaches. Organisations including operators must show that they are taking appropriate technical and organisational measures to prevent such breaches and in the event of a successful attack, to minimise the impact. Given the increasing risk of in-flight data being compromised by fibre optic network intrusion, it is even more important to minimise the potential damage of a data breach by encrypting data as it traverses the network. This is equally relevant for both corporate data and personal data.
Where low-latency requirements exist, organisations should look to implement Layer 1 transport encryption solutions which maintain 100 per cent throughput with ultra-low-latency and with protocol agnostic solutions, including increased efficiency by encrypting multiple protocols carried on the same wavelength on the optical fibre. This high-performance transport encryption solution should also include end-customer encryption key management, allowing the network operator to manage the end to end service, while the customer manages the encryption keys. For lower bandwidth and latency requirements, for example connecting enterprise premises to local datacentres cloud service, a software based encryption virtual network function (VNF) can ensure effective data security with a smaller footprint.
Your network needs you!
With innovative connected technologies driving significant increases in device endpoints and data traffic, holistic data protection strategies, including in-flight encryption, will go a long way in helping to reduce the number of business-critical breaches – and ensure compliance with the latest European Data regulations. Businesses will need to work side-by-side with network operators to ensure that data assets remain secure, whether static or in transit between the user and data centre or cloud environments.
As the scope of the network continues to expand and security becomes more complex, data 'controllers' and 'processors' will increasingly require guidance around achieving compliance and ensuring effective security for private data. By identifying and working alongside the right network security partner, network operators and data businesses can ensure that all the people, processes, and technology touching networking operations are completely trustworthy and security-oriented.
Mervyn Kelly, EMEA Marketing Director at Ciena
Image Credit: Wright Studio / Shutterstock