
Protecting network availability for GDPR compliance

(Image credit: Billion Photos / Shutterstock)

With GDPR now in force, organisations across Europe, including those worldwide which do business in the region, have been working hard over the past months to ensure they’re compliant. But with many column inches being dedicated to the various nuances and implications of the new regulation, the issue of data protection has been thrown into sharp, yet confused focus. Given the size and complexity of today’s IT networks, however, it has become almost impossible to detect when and how a security breach or network failure might occur. It is now essential for businesses the world over to have complete visibility of their networks. This is not only from an operational perspective, but also to protect their customers, their brand and reputation and, in light of the GDPR’s potential financial penalties, their bottom line.

The security of a network, and the information held within it, are crucial for GDPR compliance. Indeed, the regulation states that measures must be put in place to avoid or minimise the impact of malicious code or distributed denial of service (DDoS) attacks. Article 32 in particular is concerned with the speed at which network availability and access to personal data can be restored in the event of any downtime resulting from an outage or, even worse, a breach.

Guaranteeing a network’s availability isn’t just a matter of regulatory compliance, however; it’s probably one of the highest priorities of any business today. All organisations, from banks and retailers to manufacturers and utility providers, are reliant on consistent, always-on connections to their customers, partners and suppliers without which they could soon grind to a halt. The future of all businesses is now dependent on the ongoing resilience and availability of their IT and communications networks.   

Keeping track   

Regulations such as GDPR define the types of personal data that a business may collect and record, and where that data can be sent. They can apply to everything from personal email addresses and phone numbers to IP addresses, credit card information and much more.

The GDPR itself also restricts what data can be transmitted outside of a company, and across national borders. To ensure compliance, therefore, it’s important that an organisation’s networking and security teams understand which country any given record of data originated from, and how that data will navigate through the corporate networks, remaining aware of which paths it will take and where it will be stored. 

To keep track of the flow of information, and to prevent it from being compromised, new automated processes will need to be set up that will regularly assess and evaluate how this personal data is being processed. However, the sheer size and complexity of IT infrastructure will require businesses to have full visibility across their networks, including data centres and the cloud, to ensure they remain fully GDPR compliant.   

Robust defence 

Article 32 of the GDPR states that data protection measures need to be rigorously assessed on an ongoing and regular basis, so it’s important that businesses ensure all of their network defences are automatically and regularly updated with the latest intelligence on threats and security risks. To ensure compliance, frequent, end-to-end tests are recommended – you never know what you may find. 

In terms of security, DDoS attacks represent the biggest threat to personal data and to network availability. There is a widely held misconception, however, that standard security measures such as firewalls and load balancers can mitigate such attacks and help keep a business GDPR-compliant. In the majority of cases, DDoS attacks will systematically target these systems and weaknesses before overwhelming the network and causing an outage. As firewalls and load balancers are stateful devices, meaning they need to maintain session data over a series of communication requests, they are far more at risk of being overwhelmed by simple DDoS attacks, leaving the entirety of the network exposed. As a result, compliance can potentially be far more complex than many initially think.

To be sure that the security of its network complies with GDPR, a business simply must know its IT infrastructure inside and out and understand the risks it faces from external threats such as DDoS. Only then will businesses be in a position to put the correct monitoring tools and security measures in place to protect their data, networks and IT assets.

Lock all the doors 

While ensuring the safety of an organisation’s IT networks is crucial to ensuring compliance with the new data protection regulations, the need for physical safeguards shouldn’t be overlooked either. The application of stringent security and controlled access to offices and facilities, for example, can help prevent unwanted access to any personal data held within an organisation, as can following simple procedures such as locking doors, drawers, or filing cabinets.

As they find themselves under increasing pressure to adhere to new policies and regulations, it has never been more important for businesses to seek education on the importance of data protection and privacy. GDPR aside, it should be standard practice for all organisations to have reasonable cyber and physical safeguards in place to prevent security breaches, and unauthorised access to or loss of any personal data they hold.

When it comes to procuring these safeguards, however, careful consideration should be given as to whether the supplier offers ‘best in class’ network monitoring and cyber security technology, particularly when it comes to defending against DDoS attacks. They must also be GDPR-compliant themselves, of course, with robust security and encryption procedures of their own in place, and with the necessary due diligence carried out to ensure the safety and security of their own systems and data centres.

Under GDPR, as we now know, any organisation that processes the personal data of EU citizens, including tracking their online activities, is now within the scope of the law, regardless of whether or not that organisation has a physical presence in the EU. Any negligence of duty may result in potentially crippling fines of up to €20 million or four percent of a company’s annual turnover.

While data protection and privacy have always been important considerations, there is more now at stake than ever before. With complete network visibility and availability, and with robust protection measures in place, businesses across the globe can be confident that, as far as their network is concerned, they are meeting the stringent demands of this new regulation.   

Each day sees an increasing abundance of mobile services and applications come to market, although not all of these are created equal. A connected fridge, for example, will have significantly different bandwidth requirements and traffic priority to an autonomous car or a “life line” emergency service, both of which depend on ultra-low latency and extreme high availability. The ability of operators to differentiate and prioritise emergency data traffic for the eCall system, while simultaneously employing greater visibility and actionable insight to support its demands on the network, will be integral to its success, and to the safety of those who require its potentially life-saving capability.    

Theresa Abbamondi, Director Security Product Management at NETSCOUT


Theresa Abbamondi is Director Security Product Management at NETSCOUT. She has been a strategist in the IT/Network security space for over 15 years, previously holding roles at Verizon and Symantec. Theresa has a Master’s degree from the London School of Economics and Political Science.