The new ruling essentially lays down the minimum that businesses should be doing to protect their data, particularly the most sensitive and personal, from the threat of breaches and the associated financial and reputational consequences.
This kind of data protection can be complex, and it’s often as much about putting in place the right working policies and procedures as it is about implementing a technological solution. That’s why preparing for it must be an organisation-wide undertaking and may involve changes to existing policies and procedures.
Technology vendors, solutions providers and consultants can all play key roles in this area - but no business should believe any organisation that claims it can, on its own, bring them fully into line with the new regulation. The regulation is too complex, and every organisation will have its own set of challenges to address, and its own policies and procedures to develop alongside any third-party help it can tap into.
Delivering a Response
As consultants, Axial advises clients on what they should be looking for, how they should be getting there in terms of process, and which technology solutions are best suited to achieving these goals. It recommends a six-pronged approach to establishing data security best practice that will help bring any organisation closer into line with GDPR.
The starting point should be data-centric security, which involves deciding what the data actually is, whether it is relevant to the business, where the data is located, who has access to it and how to ensure the data has the appropriate levels of protection. Businesses need to answer these questions before they are ready to develop a truly coherent response to GDPR. They should also have a robust network security approach in place, focused on putting up traditional barriers, including firewalls, intrusion prevention systems and proxies around the network to ensure it is protected.
Access and control covers the interaction between people, business systems and data. How can the organisation robustly authenticate people, and how can those people be securely connected? This area typically covers privileged access management and identity management – effectively, how can you ensure a person is who they say they are and only accesses what they should be accessing?
In this context, access credentials often present a major challenge for existing estates. They are often poorly managed, with old certificates and keys scattered across the estate and yet still in widespread use. Best practice in this scenario is to take the management of these credentials out of the hands of individual stakeholders and instead create a central portal that gives control of the process back to the business.
Active monitoring focuses on achieving full visibility (and full packet capture where appropriate) to address a key problem facing many businesses: they cannot fully control their network and their data if they lack full visibility into those areas. Endpoint security concentrates on protecting what are usually seen as the weakest links in any network. The latest approaches still include traditional anti-virus solutions but, increasingly, network behaviour, machine learning and user behaviour analytics solutions are coming into play.
The final piece of the security systems jigsaw is intelligence. This typically includes professional services, full security monitoring and incident response, and threat intelligence to determine what is happening outside the network as well as inside it. However, most businesses struggle to put the necessary resources in place to monitor, manage and respond to every alert they might receive. A co-ordinated, intelligence-based approach will help them access external analysts who can do all this for them.
An additional key aspect of intelligence focuses not on what is happening inside the user organisation’s network, although this is still important, but on what is occurring outside it. So, what is happening on the wider web, or even the dark web, for example? Have business credentials leaked? Have any other incidents happened that the business needs to address urgently?
Incident response is a further area typically covered under the general heading of intelligence. If an ‘intruder’ manages to infiltrate the corporate network, what can the business do about it? What is their ‘break glass’ solution?
Beyond GDPR
The above covers the broad security approaches that businesses need to undertake to get themselves ready for GDPR. That’s only one element of the overall picture though. Organisations must also ensure that these approaches are woven into a broader strategic, policy-driven initiative targeted at GDPR preparedness.
However, it’s certainly true that adopting the security systems approaches outlined above will help organisations move closer to meeting the requirements of GDPR. Organisations should, however, see this as the bare minimum. That’s why Axial focuses not just on helping clients get ready for GDPR but also on enabling them to achieve a broad best-practice data protection approach, effectively readying them for every regulation in this area that either exists today or is likely to be developed in the future.