Compliance | GDPR should serve as a wakeup call for companies to review ALL of their security and compliance measures, not just customer communications
There can be few people in Europe who haven’t heard of GDPR and its requirement to meet tough new standards for managing compliance and personal data, or risk penalties of up to four per cent of turnover. That awareness is due not least to the deluge of emails and texts asking customers to give explicit consent to the collection, storage and use of their data, as the EU legislation requires.
However, while the spirit of the regulation may be to empower individuals in terms of how their personal data is collected, stored and used, it’s down to the businesses they interact with to protect that information and keep it safe. As such, the recent implementation of GDPR should be seen not so much as a chore but as an opportunity to review the compliance procedures, safeguards, technologies and processes employed to keep personal data safe. It should also be taken as a wakeup call to explore new ways of ensuring compliance going forward, as businesses across the board strive for digital transformation and turn to the cloud as a platform for business-critical applications.
It’s never going to be a simple task, but companies reviewing their compliance with GDPR and other data security laws could do worse than consider these three short questions:
What security tools do enterprises really need?
Over time, most organisations will have invested in a number of security measures, such as firewalls, which are still very necessary. These, however, can no longer be the only line of defence, not least because they work mainly at the network and transport layers to protect the perimeter rather than the applications or the data itself.
Firewalls simply don’t have the visibility required to prevent modern, sophisticated web application attacks, which matters because, for most organisations, web applications are how they do business. This has not gone unnoticed by attackers: web application attacks have more than tripled since 2014 to become the leading cause of data breaches.
The tool of choice to counter this threat is the specialist Web Application Firewall (WAF) applied to the application itself instead of the underlying infrastructure to protect against the growing number of attacks seeking to steal data. If not already deployed, a WAF should be added to the security arsenal as soon as possible.
Are our Web Application Firewalls up to the job?
Although still essential, Web Application Firewalls were first introduced long before the advent of the cloud and the many technologies, such as microservices and containers, that go with it. IT managers would, therefore, do well to take this opportunity to ensure that any WAFs already in place remain fit for purpose.
One issue is that WAFs are typically built into Application Delivery Controller (ADC) appliances used to balance traffic and smooth out demand across multiple application instances. Using an ADC appliance for both load balancing and WAF cannibalises performance, leaving enterprises having to significantly over-provision to meet load balancing and security demand during peak traffic. This, in turn, makes traditional WAFs expensive and difficult to configure. They can also be very specific about the infrastructure they will work with, especially when it comes to the public cloud, calling for multiple implementations to provide full coverage.
Because it has more than one job to do, the traditional WAF may also have to trade security off against load balancing performance and vice versa. Companies should, therefore, look at software-based alternatives that can be deployed across the component parts of a hybrid infrastructure to provide more complete, scalable, and easily managed protection.
Do we really know what’s going on?
A common complaint with security tools in general is the need for specialist interfaces and expert knowledge to configure and manage them. This is especially true of the traditional WAF which, like other mainly appliance-based solutions, requires custom configuration and setup work unique to each application as well as to each on-prem or cloud environment.
Additionally, most security solutions do little to provide visibility into application traffic or the applications themselves. As a result, while IT teams may be able to manage security policies well enough, it can be difficult to view logs and analytics to see how effective those policies are and how they might be optimised. This lack of visibility limits how quickly an enterprise can respond to an attack and cripples its ability to apply automation to coordinate rapid countermeasures across all environments and all points of vulnerability at the same time.
Again, GDPR provides a real opportunity for companies to re-evaluate their security measures through the lens of the application and customer data. Enterprises need to be able to trust in their existing measures to ensure security and compliance, but how can they be sure about what they can’t see?
The online world is becoming ever more diverse and complex, leading to the need for legislative measures, like GDPR, to make sure that data security isn’t weakened as a result. Stricter rules are inevitable, but they shouldn’t be just a box-ticking exercise. The smart enterprise is one that sees their introduction as an opportunity to build a comprehensive and responsive armoury of security measures: measures able to deliver compliance, regardless of infrastructure or how applications are deployed, both now and into the future.