I suspect that we all know by now that we need to be GDPR compliant by May 2018. You’re probably also aware that the regulation is going to affect any company or individual who deals with EU nationals, no matter where in the world the company or individual is based. Just to give you an idea, Computer Weekly recently estimated that 80 percent of US firms will be affected by GDPR fines. In this article, I want to concentrate on the security aspects of the new law and how this relates to network management.
Assessing Risks to Personal Data
If you store, transmit or otherwise process an EU national’s personal information, you need to sit down and analyse the risks posed to that information. GDPR (Article 32) frames these as the risks of:
- Accidental or unlawful destruction
- Loss
- Alteration
- Unauthorised disclosure
- Unauthorised access
Implementing Changes to Reduce Risk
Once you’ve completed the risk assessment, look at your systems and business processes and determine the changes needed to bring these risks down to acceptable levels. My advice would be to look at current data processing standards. GDPR (Article 32) specifically mentions the following measures that your systems and processes should exhibit:
- The pseudonymisation and encryption of personal data.
- Ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore availability of and access to personal data in a timely manner after a physical or technical incident; in other words, keep Mean Time to Repair (MTTR) as low as possible.
- Regular testing and assessment of the effectiveness of these measures.
Pseudonymisation means replacing cleartext information that could be used to identify a person with an alias that cannot. Note that pseudonymised data is still personal data under GDPR as long as the mapping back to the individual exists somewhere. Since this is not something you’d expect the network to do, I’ll leave this point here.
How Can Network Management Help
So, what can the network manager do to help ensure that the network provides the best chance for their organisation to be GDPR compliant? Well, the short answer is, and this is one of those “well you would say that wouldn’t you” moments, deploy a competent network management solution.
The longer answer is that destruction, loss, alteration, unauthorised disclosure and unauthorised access could all be consequences of someone gaining unauthorised access to your network, and the same goes for loss of confidentiality and accuracy of information. So, let’s look at the things you can do to help keep unauthorised people out.
It’s a good idea to have written policies around how the network should be configured. This is essentially a formalisation of all the best practices that you and your team can put together. It might include which protocols you allow and which you don’t, minimum password lengths, removal of default SNMP community strings or default accounts; the list goes on. The point is that a good network management system will be able to regularly retrieve the configuration from each of your network devices and check it against your policies. It should then alert you to any problems, or even better fix them for you. If you do this right, it’s going to close the loopholes that an attacker might use to gain access to your network and the data it transports. One nice little subtlety here is that when configuration changes are made and someone doesn’t follow policy, the deviation will be highlighted.
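To make the policy-checking idea concrete, here is an added example (not code from this article or from any vendor’s product) of a small configuration audit. It runs a set of written-policy rules over device configurations. The two configurations and the rules themselves are constructed; the command syntax is assumed to be Cisco IOS-like, and the policy values (minimum password length, banned community strings) are illustrative choices, not a standard.

```python
"""Configuration policy checker for network device configs.

Added illustration only. The two device configurations and the policy
rules are constructed so the script runs offline; the command syntax is
assumed to be Cisco IOS-like.
"""
import re

# Constructed sample config that follows the written policy.
COMPLIANT_CONFIG = """\
hostname core-sw-01
service password-encryption
security passwords min-length 12
snmp-server community s3cur3-r0-c0mmunity RO
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
"""

# Constructed sample config with several policy violations.
NONCOMPLIANT_CONFIG = """\
hostname edge-rtr-07
snmp-server community public RO
snmp-server community private RW
security passwords min-length 6
line vty 0 4
 transport input telnet ssh
 login
"""

# Policy values (assumed, illustrative).
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_PASSWORD_LENGTH = 10


def communities(config):
    """All SNMP community strings configured on the device."""
    return re.findall(r"^snmp-server community (\S+)", config, re.M)


def check_default_communities(config):
    bad = sorted(set(communities(config)) & DEFAULT_COMMUNITIES)
    return [f"default SNMP community '{c}' still configured" for c in bad]


def check_min_password_length(config):
    m = re.search(r"^security passwords min-length (\d+)", config, re.M)
    if m is None:
        return ["no minimum password length configured"]
    if int(m.group(1)) < MIN_PASSWORD_LENGTH:
        return [f"minimum password length {m.group(1)} below policy {MIN_PASSWORD_LENGTH}"]
    return []


def check_vty_transport(config):
    """Flag any management line that still accepts cleartext telnet."""
    findings = []
    for m in re.finditer(r"^ transport input (.+)$", config, re.M):
        protocols = m.group(1).split()
        if "telnet" in protocols or "all" in protocols:
            findings.append(f"cleartext management allowed: transport input {m.group(1)}")
    return findings


def check_password_encryption(config):
    if not re.search(r"^service password-encryption", config, re.M):
        return ["service password-encryption not enabled"]
    return []


CHECKS = [check_default_communities, check_min_password_length,
          check_vty_transport, check_password_encryption]


def audit(config):
    """Run every policy check; an empty list means the device is compliant."""
    findings = []
    for check in CHECKS:
        findings.extend(check(config))
    return findings


def hostname(config):
    m = re.search(r"^hostname (\S+)", config, re.M)
    return m.group(1) if m else "<unknown>"


if __name__ == "__main__":
    for cfg in (COMPLIANT_CONFIG, NONCOMPLIANT_CONFIG):
        result = audit(cfg)
        status = "COMPLIANT" if not result else f"{len(result)} finding(s)"
        print(f"{hostname(cfg)}: {status}")
        for finding in result:
            print("  -", finding)
```

In a real deployment the configurations would come from the management system’s regular collection run rather than from string literals, and each finding would feed an alert or a remediation job. The point of the structure is that the rules are the written policy: adding a rule to the list is how a new best practice becomes something the network enforces rather than something the team remembers.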
Normally, inventory management includes listing all the kit that you have installed in the network. But it should really go deeper than this. Ideally, a network management system should discover all your devices and associated components. This might include modules, ports, CPUs and memory. It should then go on to get the hardware and software versions of these components, building a full picture of the device. This would allow you to check for known issues reported by vendors and take the appropriate action to further plug those loopholes by upgrading to more secure versions.
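As an added example of the inventory idea (again, not code from this article or from any product), the following compares discovered component versions against a minimum-version baseline the team maintains from vendor notices. The inventory records, platform names and minimum versions are all constructed placeholders, not real advisory data. The one thing the example is careful about is version comparison: comparing versions as plain strings gets `3.9.8` and `3.10.0` the wrong way round, which would silently hide an outdated module.

```python
"""Inventory baseline check: flag components running below the minimum
software version recorded for their platform.

Added illustration only. The inventory and the baseline table are
constructed; the platform names and versions are placeholders for the
data a discovery run and a vendor advisory would supply.
"""
import re

# Constructed inventory as a discovery step might produce it.
INVENTORY = [
    {"device": "core-sw-01", "component": "chassis", "platform": "SW-X", "version": "15.2.4"},
    {"device": "core-sw-01", "component": "module 2", "platform": "LC-X", "version": "3.10.1"},
    {"device": "edge-rtr-07", "component": "chassis", "platform": "RTR-Y", "version": "15.9.0"},
    {"device": "edge-rtr-07", "component": "module 1", "platform": "LC-X", "version": "3.9.8"},
]

# Constructed baseline: per platform, the lowest version the team accepts
# (for instance the first release in which a vendor-reported issue is fixed).
MIN_VERSION = {
    "SW-X": "15.2.4",
    "LC-X": "3.10.0",
    "RTR-Y": "15.10.2",
}


def parse_version(version):
    """Turn a version string into a comparable tuple.

    Numeric fragments are compared as integers so that 3.10 > 3.9 and
    15.10 > 15.9; a plain string comparison gets both wrong. Any trailing
    letters in a fragment (e.g. the 'M7' in an IOS-style '15.2(4)M7') are
    kept as a secondary string key.
    """
    parts = []
    for frag in re.split(r"[.()]", version):
        if not frag:
            continue
        m = re.match(r"(\d+)(.*)", frag)
        if m:
            parts.append((int(m.group(1)), m.group(2)))
        else:
            parts.append((0, frag))
    return tuple(parts)


def below_baseline(version, minimum):
    return parse_version(version) < parse_version(minimum)


def outdated_components(inventory, baseline):
    """Return (device, component, reason) for every component that is either
    below its platform baseline or on a platform with no baseline at all.
    The second case matters: an unknown platform is unassessed exposure,
    not a pass."""
    findings = []
    for item in inventory:
        minimum = baseline.get(item["platform"])
        if minimum is None:
            findings.append((item["device"], item["component"],
                             f"no baseline recorded for platform {item['platform']}"))
        elif below_baseline(item["version"], minimum):
            findings.append((item["device"], item["component"],
                             f"running {item['version']}, minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for device, component, reason in outdated_components(INVENTORY, MIN_VERSION):
        print(f"{device} {component}: {reason}")
```

Run against the constructed data, only the two edge-rtr-07 components are reported; the core switch’s module on 3.10.1 correctly passes a 3.10.0 minimum, which a string comparison would have flagged or, worse, the other way round.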
Network Encryption Devices
The next thing mentioned on the GDPR list is encryption. There are several network-class devices that provide encryption at the network level, Cisco’s SSL VPN appliances for example. Bear in mind that these protect data in transit; data at rest on servers and in backups needs its own controls. If you rely on these types of device you’re going to want to make sure that they are working correctly, so a great network management solution will have native support for them.
Checking the availability of network components such as devices, ports, power supplies and plug-in modules should be a staple of any good network management system. In more advanced systems, components can be organised into Services, allowing service availability to be analysed. Knowing quickly that a component has failed will allow you to keep your Mean Time to Repair (MTTR) to a minimum.
Network designs normally incorporate redundant components to provide resilience. This can occur on many levels, for example backup devices, links, power supplies and uninterruptible power supplies. If a component fails, the network seamlessly switches over to a backup. There is no need for Captain Kirk to request that reserve power is switched to the forward shields. The catch, if you’re only monitoring application availability, is that you may not notice the failure at all, even though you have quietly lost the resilience you once had. Network analytics can monitor everything, including the backup equipment, and doing this properly is more difficult than you might think at first glance.
Following on from the discussion on resilience is application path monitoring. One telltale sign that something has gone wrong is when application data suddenly changes the path it is flowing along. To spot this kind of activity you need network analytics capable of real-time application path discovery – anything else and you could completely miss the problem. This gives much better visibility than availability testing alone.
Network Analytics will be continually testing your network and recording availability, configuration and inventory information, so it will form a valuable part of your regular testing and assessments.
How Can We Help
If you’d like some help implementing any of these ideas or you have ideas of your own you need help with, please get in touch. We’d love to talk to you about how we can solve your problems!
The information in this article is for general guidance on GDPR as it relates to network management and is not legal advice. If you need more detailed advice regarding GDPR, please contact a qualified adviser or solicitor.