On May 25, 2018, the General Data Protection Regulation (GDPR) will be put into effect. The intent of GDPR is to provide a legal framework to strengthen and unify data protection, and distribution for individuals within the European Union (EU).
Individual data privacy includes identity information (e.g., name, address, ID numbers), web data (e.g., location, IP address, cookie data and RFID tags), health and genetic data, biometric data, racial/ethnic data, political opinions and sexual orientation. While the regulation protects individuals within the EU, it impacts organizations throughout the world, and they will be held responsible and accountable as to how they process, store and protect personal data.
GDPR suggestions for security actions to be considered against appropriate risk include:
· Pseudonymization and encryption of personal data
· Ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
· Ability to restore availability and access to personal data in a timely manner in the event of an incident
· Ensure processes are in place for recurring testing, to assess and evaluate the effectiveness of technical and organizational measures to ensure security
GDPR will require many organizations to employ comprehensive systems, policies and procedures to meet its wide-ranging requirements. Compliance with GDPR will entail governance measures to protect personal data and defend against breaches. Fortunately, a number of GDPR security and compliance capabilities are already enabled within many software-defined WAN (SD-WAN) solutions.
There are two primary areas where personal data can be at risk. The first is data transferred between users and cloud/data centers over untrusted WAN Internet links. The second is in cloud and corporate data center storage devices, servers, and backup and recovery systems.
Protecting user data over the WAN
Advanced SD-WAN solutions add a layer of data protection at the network edge. An SD-WAN that supports multiple data security capabilities, will provide enterprise IT with network-edge security supported by real-time visibility, policy controls and enforcement mechanisms.
Creating hybrid WANs that connect remote offices and users to enterprise and cloud data centers, SD-WANs combine MPLS circuits and inexpensive broadband Internet links. This implementation allows IT to create different security zones for trusted and untrusted WAN links. While MPLS and IPsec VPNs are already secure, broadband Internet links, such as DSL, cable and other connections are untrusted. SD-WANs can mitigate risk by encrypting untrusted networks to protect against unauthorized access and data breaches.
Encryption to prevent data from being compromised
The GDPR advises pseudonymizing personal data when it is transferred. This is a term GDPR uses to define a process that transforms personal data, so that the resulting data can’t be attributed to a specific data subject without adding additional information. Encryption is a good example, because it makes the original data unintelligible, and the process can’t be reversed without access to a specific decryption key. To prevent data from being compromised as it travels over WANs, advanced SD-WANs will encrypt every packet with 128b or 256b AES across all aggregated WAN paths.
Safeguarding data by leveraging the cloud
Protecting data from various forms of intrusion like viruses, worms, Trojan horses, ransomware, spyware, adware and other malicious programs, is vital. SD-WANs, with integrated app-centric cloud security services, provide Internet breakouts to secure-cloud gateways. This approach enables organizations to extend their security outside of the corporate data center
Reducing data in transit
Some SD-WANs include deduplication as part of their WAN optimization features. Deduplication eliminates the transfer of redundant data across the WAN, by sending references instead of the actual data. While this is considered an effective method for reducing bandwidth and storage overhead, reducing data also makes it more difficult for hackers to access the data. Deduplication ensures that only one, unique instance of data is retained at the requesting site. Redundant data blocks are replaced with a reference to the unique data copy, so only data that have changed since the previous backup are transmitted over the WAN.
Reliable, cost-effective data protection over the WAN
SD-WANs that combine multiple functions within a single physical or virtual edge appliance per location not only lowers IT support and costs, it also simplifies complex security processes. A unified SD-WAN orchestration platform will service-chain diverse security functions, like firewall, NAT, routing, VRFs, VPN concentrator, DHCP and IPsec termination, to ensure security policies flow contiguously through the network edge. In the past, building a service chain to support a new application took a great deal of time and manual effort. It required individually configuring all the network devices, and connecting each device together in the required services sequence.
The network edge can be a potential on-ramp for hackers to infiltrate. Applying security policies can be complicated and time consuming with legacy networks. SD-WAN easily secures WAN traffic, by encrypting data with 128-bit or 256-bit keys. To further protect data privacy, other security capabilities can be employed, such as cipher-block chaining, using per-protocol sequence numbers, and enabling per-session symmetric encryption.
An SD-WAN with virtual routing and forwarding (VRF) can automatically segregate traffic using multiple, distinct routing tables on a single SD-WAN edge appliance. On that same edge appliance, zone-based security with policy-based filtering can be applied across applications and services, ensuring only valid traffic is permitted into the trusted network.
If you can see it, you can secure it
By monitoring the network edges, organizations can better meet GDPR guidelines. SD-WANs provide various levels of visibility and auditability of network events and access. This capability allows IT to track how data has been accessed, and identify who retrieved it. Monitoring traffic within the SD-WAN, data are captured to provide a granular and accurate view of network and application usage. By collecting event data, IT staff can identify, capture and report on the state of the network and any anomalies that may have occurred.
Aligning IT initiatives with GDPR requirements
While GDPR will protect individual data within the EU, it will also impact organizations everywhere, as they align their data privacy and protection policies, procedures and practices with GDPR requirements. Yet, it also brings an opportunity for organizations to leverage technology solutions, like SD-WAN to help them protect user data and privacy, save IT CapEx and OpEx costs, simplify network connectivity, and use WANs to their advantage – as a business enabler for the digital transformation journey.