Implementing GDPR-Aware Security Control

The General Data Protection Regulation (GDPR) of the European Union (EU) has operational impacts on every company doing business in the EU or interacting with its residents. There are many facets of this regulation, from the requirement to gain consumers’ explicit consent for the use and storage of their personal data to more stringent data breach notification rules. While data privacy is the intended focus of GDPR, one could easily argue that information security has been strengthened through this regulation, as stricter requirements for the protection of personal data are now part and parcel of the law. At the same time, GDPR has complicated cybersecurity governance through its broad definition of “personal data.” Nonetheless, any company that collects, stores, or processes the personal data of EU citizens must develop strategies and adopt tools that accomplish both privacy protection and data security while meeting compliance mandates.

Like other regulations before it, GDPR presents conflicting goals. On the one hand, protecting citizens’ data requires reliable, provable security controls. On the other hand, many pervasive commercial security and networking technologies rely on the consumption of data that is now defined as “personal data” in order to function properly and accomplish the goals of privacy and security. Firewalls, for instance, are a “must have” technology for every company. That said, firewalls use IP addresses to make access decisions for users, hosts, devices, and processes on a network, and under the new law IP addresses are categorized as personal data. Similarly, data loss prevention (DLP) tools leverage network information to find abuses of data, and they now run up against GDPR rules that restrict employee monitoring. Endpoint protection technologies can also be problematic since they generally collect location and device data—defined as personal data under GDPR—to validate whether a particular user is permitted to access systems. These are only a few examples of how complicated the balance between security, privacy, and compliance has become.

All of this puts companies in a very tight spot: What is the best way to use the tools and processes that have proven worthy over the years while aligning with GDPR requirements?

Separating the control plane from the data plane

Running a security-free network is not an option, yet most network-based tools have not yet caught up to the GDPR. Innovation is often born from necessity, and attributes like IP addresses, device identifiers, geographic location, and user credentials became the basis for many current technologies’ security policies and enforcement decisions. It could be years before product makers change how they address security control in the face of EU mandates.

Rather than wait for your vendors to catch up or pay hefty sums of money to lawyers and/or data protection officers to advise on the best strategies to protect (and identify, audit, or remove) personal data in your systems, Edgewise has already leveled the playing field, allowing companies to balance privacy, security, and GDPR requirements. Edgewise does not rely on IP addresses, ports, or protocols—potential personally identifying information—to make access control decisions and prevent adversaries from accessing private data. We’ve moved the control plane away from the network layer and onto networked assets themselves—applications, hosts, and services. Cryptographic properties of network resources constitute the resources’ “identities,” which means that attributes like IP address don’t necessarily need to be used as an identifier.

This method allows Edgewise to move control decisions closer to the assets targeted for breach or likely to leak information—for instance, applications and databases containing consumer or employee information—without infringing upon the personal data of the user requesting access to the resource. Further, as a microsegmentation technology that isn’t dependent on network information or user data, Edgewise security is ever-present in ephemeral environments like cloud, serverless, or container architectures. This means that organizations can be confident that the data they’re storing or processing on EU citizens is protected from unauthorized access, tampering, or improper use, even when the network changes.
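To make the contrast between the two control models concrete, the following is an added example written for this page; it is not Edgewise's code and does not describe how the Edgewise product is implemented. It evaluates the same three constructed connection attempts under a policy keyed on network attributes (source IP, destination IP, port) and under a policy keyed on a hypothetical workload identity derived from a SHA-256 hash of the workload's code. The byte strings standing in for executables, the addresses, the service names, and the identity format are all constructed for illustration; the only assumption is that a host agent can measure the code of the process that opens or accepts a connection.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for workload code. In a real deployment a host agent
# would measure the actual executable (or its signing certificate); these
# byte strings exist only so the example runs offline.
BILLING_APP_BYTES = b"billing-service v1.4 (constructed sample)"
IMPOSTOR_BYTES = b"unrelated process on the same host (constructed sample)"
CUSTOMER_DB_BYTES = b"postgres 11 customer-db (constructed sample)"


def workload_identity(code: bytes, service: str) -> str:
    """Identity derived from what a workload *is* (a hash of its code) rather
    than where it is (an IP address). Hypothetical scheme for illustration."""
    return f"{service}@sha256:{hashlib.sha256(code).hexdigest()[:16]}"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    port: int
    src_identity: str  # measured identity of the process opening the connection
    dst_identity: str  # measured identity of the process accepting it


# Model 1: policy keyed on network attributes. Every rule and every log line
# carries IP addresses, which GDPR treats as personal data.
IP_POLICY = {("10.0.1.5", "10.0.2.9", 5432)}  # billing host -> customer DB


def ip_policy_allows(conn: Connection) -> bool:
    return (conn.src_ip, conn.dst_ip, conn.port) in IP_POLICY


# Model 2: policy keyed on workload identity. No IP, port or protocol is
# needed to express or evaluate the rule.
BILLING_ID = workload_identity(BILLING_APP_BYTES, "billing")
DB_ID = workload_identity(CUSTOMER_DB_BYTES, "customer-db")
IDENTITY_POLICY = {(BILLING_ID, DB_ID)}


def identity_policy_allows(conn: Connection) -> bool:
    return (conn.src_identity, conn.dst_identity) in IDENTITY_POLICY


def identity_audit_record(conn: Connection, allowed: bool) -> dict:
    """What the identity model retains for audit: no network attributes."""
    return {"src": conn.src_identity, "dst": conn.dst_identity,
            "decision": "allow" if allowed else "deny"}


def compare_models() -> dict:
    """Evaluate three constructed connection attempts under both models."""
    # The approved billing workload at its original address.
    baseline = Connection("10.0.1.5", "10.0.2.9", 5432, BILLING_ID, DB_ID)
    # The same billing workload after being rescheduled to a new address
    # (ephemeral container or autoscaled host): the code is unchanged.
    moved = Connection("10.0.7.42", "10.0.2.9", 5432, BILLING_ID, DB_ID)
    # A different process that happens to run on the approved billing host.
    impostor = Connection("10.0.1.5", "10.0.2.9", 5432,
                          workload_identity(IMPOSTOR_BYTES, "unknown"), DB_ID)
    results = {}
    for name, conn in (("baseline", baseline), ("moved", moved),
                       ("impostor", impostor)):
        allowed = identity_policy_allows(conn)
        results[name] = {
            "ip_model": ip_policy_allows(conn),
            "identity_model": allowed,
            "identity_audit": identity_audit_record(conn, allowed),
        }
    return results


if __name__ == "__main__":
    for scenario, outcome in compare_models().items():
        print(f"{scenario:9s} ip_model={outcome['ip_model']!s:5s} "
              f"identity_model={outcome['identity_model']}")
```

Running it shows the two properties the section describes: when the billing workload moves to a new address, the IP-keyed rule stops matching (and fixing it means writing another rule that contains an IP address), while the identity-keyed rule still matches because the code being measured has not changed; and a different process on the approved host is allowed by the IP-keyed rule but denied by the identity-keyed one. The audit record produced by the identity model contains only workload identities and the decision, so the access log itself holds no network attributes that GDPR classifies as personal data.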

Reducing cybersecurity regulatory burden

Cybersecurity and data privacy regulations like GDPR place a data governance burden on organizations. Even if your company is not subject to GDPR (e.g., the company does not do any business in the EU, and any information collected from an EU citizen visiting your site is immediately deleted or destroyed), it’s likely that similar regulations in your region already exist or are on the near horizon. Consequently, it’s advisable to implement technologies and processes that do not encroach upon the very regulations they’re trying to enforce.

Contact Edgewise today to learn more about how our technology protects your networks and applications without relying on personally identifiable information.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.