A Practical Guide to GDPR Compliance – Step 2: Orient Yourself

In this series, we are setting aside the doom and gloom surrounding the GDPR regulations that take effect this May to provide a voice of reason. It is likely you have everything you need to comply with these regulations. The methods are not new; they are the foundations of information security.

In Part 1, we suggested that you leave panic at the door. In the next few posts, we’ll explore more tactical steps to achieving four of the GDPR measures impacting security teams in the EU and beyond.

The first of the GDPR measures suggests that we look at data protection with a ‘risk-based’ approach. GDPR mandates are making explicit what security professionals understand intuitively. But let’s indulge this for the moment and see what we find.

GDPR Mandate: Take a risk-based approach to data protection and security.

Translation: It’s not enough to only think about data warehousing and location. You need to analyze the environment and determine the right data protection to remove as much risk as possible.

But you already knew that. Understand your risks and base your protection on those risks. What we really need is guidance on how to assess risk in the light of GDPR.

To answer that question, we must take a detour and explore the best ways to identify risk. We can readily see the need for a risk-based approach, but many security teams are disoriented without specific knowledge of their own network. To know our risk, we must first account for where we are now; otherwise, we will be unable to do the next right thing.

Orientation begins with awareness of your current network infrastructure, paired with the hazards that could lead to GDPR compliance drift. The data needed to orient us properly are, most notably:

  1. Network Assets, Topologies and Policy
  2. Vulnerabilities
  3. Threat Intelligence

These elements come together to show our current environment, orient us in our present reality and allow us to march toward GDPR compliance. Let’s look at them in turn.

Network Assets, Topologies and Policy

First things first. By understanding your assets, you can quickly identify which things are under your control and their defining attributes. Each asset attribute helps to ensure that you’re looking at the right species of machine. This ‘taxonomy’ comes in handy with GDPR, because in order to have a risk-based approach, you must know the inherent risks of each individual asset. Secondly, network topologies reveal just how these assets can communicate and how traffic can travel between them. This is the ‘how does it relate’ portion of the program. Topologies show the relationships between systems, and those relationships are how a compromise of one system can transfer to another and thereby disturb our GDPR compliance mission.

By seeing what’s possible with network assets and topologies, we come to the final ingredient in our first point of orientation: network policy. Network policies define what is allowed within your context and framework. With policy, we move beyond ‘what do we have’ (assets) and ‘how does it relate’ (topologies) to ‘what is possible in my context’.

Vulnerabilities

One of the keystones to finding our current standing is vulnerabilities. These identified weak spots tell us how our exposures could lead to GDPR compliance drift. Once we have a firm footing on our network assets, topologies and policies, it is essential to take stock of the current vulnerabilities that could undermine our efforts.

I know that I have vulnerable body parts. My limbs cannot withstand a confrontation with a live chainsaw. Knowing this about myself is my orientation. I know where I stand in reference to the threats I face each day. Our networks are the same.

Vulnerability awareness serves as the ‘where could it happen’ variable of our orientation equation. We can play the what-if game and determine just how our orientation could harbor weaknesses that may interfere with our GDPR mandate. Vulnerabilities help us understand our current position in the context of threats, exposures, attackers and shoddy patches.

Orientation must include vulnerabilities if we are going to have an honest picture of our current state.

Threat Intelligence

Knowing what could be exploited is a principal requirement of our orientation for GDPR. This kind of intelligence is the ‘how could it happen’ portion and is our final stop in the orientation formula.

When you apply threat intelligence to your network assets, topologies, policies and vulnerabilities, you gain:

  • Knowledge of similar assets compromised in the wild
  • Knowledge of how compromise could spread
  • Knowledge of which pathways are open to exploit
  • Knowledge of the likeliest targets within the network

Orientation allows you to see current risks. With the first mandate from GDPR, you can be confident that your risk-based approach is informed by a truthful and honest account of your current environment.
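As an added example (written for this page, not code from the original post or its authors), the orientation framework above can be turned into a small, runnable model in Python: assets with their attributes (‘what do we have’), topology links (‘how does it relate’), a policy table (‘what is possible in my context’), per-asset vulnerabilities (‘where could it happen’) and a threat-intelligence list of weaknesses seen exploited in the wild (‘how could it happen’). It goes slightly beyond the post by computing the shortest exposure path to every asset that holds personal data and ranking those assets by how much of each path rests on actively exploited vulnerabilities. Every hostname, zone, policy rule and VULN-* identifier below is a constructed placeholder, not a real system or a real CVE.

```python
"""Added example (not from the original post): a toy 'orientation' model that
combines assets, topology, policy, vulnerabilities and threat intelligence
into exposure paths to assets holding personal data.  All names, zones,
rules and VULN-* identifiers are constructed placeholders, not real systems
or real CVE numbers."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """'What do we have': one asset and the attributes that define it."""
    name: str
    zone: str
    services: frozenset = frozenset()      # listening services on this asset
    holds_personal_data: bool = False      # the GDPR-relevant attribute
    vulns: frozenset = frozenset()         # constructed vulnerability IDs


# --- Constructed sample inventory (no real hosts) ---------------------------
ASSETS = {a.name: a for a in [
    Asset("internet", "untrusted"),
    Asset("web01", "dmz", frozenset({"https"}), vulns=frozenset({"VULN-A"})),
    Asset("app01", "app", frozenset({"http"}), vulns=frozenset({"VULN-B"})),
    Asset("mon01", "app", frozenset({"ssh"})),                       # no vulns
    Asset("db01", "data", frozenset({"sql"}), True, frozenset({"VULN-C"})),
    Asset("crm01", "data", frozenset({"sql"}), True, frozenset({"VULN-E"})),
    Asset("hr01", "data", frozenset({"smb"}), True, frozenset({"VULN-D"})),
]}

# 'How does it relate': adjacency between assets (treated as undirected).
LINKS = {("internet", "web01"), ("web01", "app01"), ("app01", "mon01"),
         ("app01", "db01"), ("app01", "crm01"), ("app01", "hr01"),
         ("mon01", "db01")}

# 'What is possible in my context': allowed (src_zone, dst_zone, service).
# Nothing allows app -> data over smb, so hr01 is adjacent yet unreachable.
POLICY = {("untrusted", "dmz", "https"), ("dmz", "app", "http"),
          ("app", "app", "ssh"), ("app", "data", "sql")}

# 'How could it happen': weaknesses threat intel reports as exploited in the wild.
EXPLOITED = frozenset({"VULN-A", "VULN-B", "VULN-D", "VULN-E"})


def hop_allowed(src, dst, links=LINKS, policy=POLICY):
    """A hop src -> dst is possible only if the assets are adjacent, policy
    permits some service dst listens on from src's zone, and dst has at
    least one vulnerability ('where could it happen')."""
    adjacent = (src.name, dst.name) in links or (dst.name, src.name) in links
    permitted = any((src.zone, dst.zone, svc) in policy for svc in dst.services)
    return adjacent and permitted and bool(dst.vulns)


def shortest_paths(assets=ASSETS, start="internet", links=LINKS, policy=POLICY):
    """Breadth-first search from the untrusted start asset: shortest path
    (as a list of asset names) to every asset reachable by allowed hops."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in assets.values():
            if nxt.name not in paths and hop_allowed(assets[cur], nxt, links, policy):
                paths[nxt.name] = paths[cur] + [nxt.name]
                queue.append(nxt.name)
    return paths


def orient(assets=ASSETS, exploited=EXPLOITED, start="internet"):
    """For each asset holding personal data: is it reachable, along which
    path, and how many hops rely on a vulnerability that threat intel says
    is actively exploited ('how could it happen')."""
    paths = shortest_paths(assets, start)
    report = {}
    for a in assets.values():
        if not a.holds_personal_data:
            continue
        path = paths.get(a.name)
        hops = path[1:] if path else []
        report[a.name] = {
            "reachable": path is not None,
            "path": path,
            "hops": len(hops),
            "exploited_hops": sum(1 for h in hops if assets[h].vulns & exploited),
        }
    return report


def likeliest_targets(report):
    """Rank reachable personal-data assets: paths whose every hop uses an
    actively exploited vulnerability come first, then shorter paths."""
    reachable = [(name, r) for name, r in report.items() if r["reachable"]]
    reachable.sort(key=lambda nr: (nr[1]["exploited_hops"] != nr[1]["hops"],
                                   nr[1]["hops"]))
    return [name for name, _ in reachable]


if __name__ == "__main__":
    rep = orient()
    for name, r in rep.items():
        print(name, r)
    print("likeliest targets:", likeliest_targets(rep))
```

Run as a script, the model reports that db01 and crm01 are reachable from the untrusted zone through web01 and app01, that hr01 is not (its only neighbour is allowed to reach the data zone over sql, not smb, so policy closes that pathway even though threat intel flags its vulnerability), and that mon01 never serves as a stepping stone because it carries no vulnerability. Threat intelligence then ranks crm01 above db01: both sit three hops away, but every hop to crm01 rests on a weakness being exploited in the wild. That ranked list is the ‘likeliest targets within the network’ the post describes, and changing a policy rule or a vulnerability entry and re-running shows how the orientation picture shifts.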

Stick with us as we tackle the remaining three GDPR mandates that impact security teams in the EU and beyond:

  • Establish technical measures to validate data is protected.
  • Continuously monitor data protection measures.
  • Correct any protection failures and notify the authorities when compromised.