A Practical Guide to GDPR Compliance – Part 5: Orchestration

If you’re just joining us in this GDPR journey, we’ve been doling out concrete, practical steps to achieving compliance by the May 25 deadline. Here’s where we’ve been so far.

First, we urged you not to panic. You are likely already set up to succeed and just don’t know it yet. Next, we helped you orient yourself in your current network and used technical measure to validate that your data is protected as it should be. In the last installment, we covered how to maintain continuous compliance with real-time monitoring and reporting.

And now, we’re ready for the final piece of the puzzle. Orchestration.

The fourth guideline for GDPR technical preparation is, once again, another activity security professionals have been doing since their first day on the job.

GDPR Mandate: Correct any protection failures and notify the authorities when compromised.

Translation: Make network changes to restore compliance. Tell EU authorities if there’s been a breach.

Network security teams can often make changes in their sleep. Some do this in a very literal sense with midnight change windows providing the only opportunity to push policy and rule modifications to the network. But in the metaphorical sense of making changes “in your sleep,” you can detect the theme we have been repeating throughout this GDPR guide: you’ve done this before, you can do it again.

As we acknowledge our current-state (orientation), take note what could happen (analysis), monitor real-time network drift (continuous compliance), we put a bow on our GDPR preparation with change orchestration that enforces security at every corner of the global network. It is the only way to correct protection failures under the GDPR regime.

Orchestration gives you a central control over thousands of network devices to meet compliance requirements and keep your network resilient. By taking compliance standards and automating policy change, you can be confident that data is protected in perfect harmony with GDPR.

Security control, the essential nature of orchestration, is specifically voiced in Article 28: “Any data processor must have technical and organizational control to ensure data protection and documentation.” This can be a management burden, because you have to account for GDPR standards with every change and/or provision to the network.

With orchestration, you satisfy Articles 5, 28, 30 and 32 automatically. Orientation, analysis and continuous compliance are marked “done” without leaving your chair.

  • Orchestration combs through all your sources: assets, topologies, policies, vulnerabilities and threat data to make sure you are perfectly oriented in the current-state of your network.
  • Orchestration analyzes your risks before a change is made, automates the review process and swiftly implements network policies that adhere to your risk-based approach.
  • Orchestration latches on to the real-time monitor, pulls petabytes of information and customizes your reporting in seconds rather than weeks to ensure continuous compliance.

In cybersecurity, orchestration is one of the most well-suited names for a technology: you are the conductor playing the orchestra. There are hundreds of security devices and firewalls, thousands of policies and hundreds of thousands of rules across the global network. Orchestration gives you the baton to have total control over every last one of them.

Final Thoughts

We humans have a natural inclination to fear what we do not understand. GDPR provides us with a specific example of how countless security professionals can be led to anxiety and dread with a looming stack of regulations on fast approach.

To be sure, there are penalties and costs for non-compliance. A single complaint or raised eyebrow can put you in the throes of an audit. Added to these costs are the damages to brand reputation and lost revenue from reports of an organization’s guilt.

Here, we have made the case that security professionals must not fear these outcomes. With the deliberate steps of orientation, analysis, continuous compliance and orchestration, you can equip yourself in the same way you have in previous regulatory battles. You know how to use the armories; you’ve used them countless times before.

Many vendors will encourage your base instincts toward fear and worry. But rarely are their claims backed with evidence that accounts for your security programs. We can dismiss the fear-mongering as irrelevant, because leading organizations have spent years perfecting their security programs. They consistently examine their networks for weaknesses, they honestly assess their own blind spots, they comb the data with real-time monitoring and they orchestrate changes with absolute precision.

We can view GDPR regulations in the light of this kind of security program. These are the stock-and-trade of the experienced, professional and confident security leader.

There is nothing to fear. Nothing.

Want a consolidated guide to fear-free GDPR compliance? Download our eBook here >>