What is GDPR?

General Data Protection Regulation (GDPR) is a mandated regulatory standard designed to unify data privacy and security requirements. This regulation affects companies that provide services within the European Union; however, any company that provide services over the internet can be subject to this regulation. With the ubiquity of internet based services, whether it is social media, streaming content, shopping or accessing your personal records online, personal data privacy and security practices will need to be regulated. Adoption is currently taking place in other regions around the world while using GDPR as a model to scrutinize privacy and security practices.

Why does it matter to my organization?

GDPR was implemented on May 25th 2018. Due to its regulatory nature, any company that does not comply to GDPR is subject to large fines: $23.3M USD (as of August 2018) or 4% of the total worldwide annual revenue of the preceding financial year, whichever is higher. Consequently, being non-compliant to GDPR can bring an organization to a negative light from the perspective of employees, business partners, customers and ultimately, the public. While applicable only to organizations providing services within the European Union, other regions around the world are using GDPR as a model to enforce regulations for the betterment of security and privacy. Due to the inevitable widespread adoption of GDPR, ensuring that your network and services are compliant will be mandatory. Preparing your organization early is key to avoiding trouble with GDPR or its regional variant. This regulation is designed to protect individuals that access and use your organization’s service from privacy breaches, identify theft, credit card fraud, ransoms, blackmailing and many others. Many online services typically handle sensitive personal information as a way of authentication.

What is the reason behind GDPR?

GDPR replaced the Data Protection Directive which was designed to regulate how companies handle and protect personal data. However, the Data Protection Directive served more as a “guidance/recommendation” to companies and was not enforceable enough to actually regulate as it was initially intended to do.

Before GDPR, organizations that were previously attacked and had their customers’ personal data being compromised took at least 4 months (in some cases 1-2 years) before disclosing the incident publicly or to a respective regulating body. GDPR enforces that organizations should disclose the incident at most 3 days after it happened and have the substantial amount of evidence to determine the root cause and the extent of that particular incident. If the organization fails to provide both, then the organization will be sanctioned.

Facebook, Under Armour and Orbitz – what do they have in common? All three organizations suffered incidents where millions of individuals are affected. Without a strong regulation in place, many of these data breaches can happen for months to years without the organization taking reasonable action. There are plenty of publicly disclosed high profile breaches between January to June 2018; with all of them having incidents starting 2017 and earlier but decided to disclose in 2018.

What does it take for my organization to be penalized for GDPR non-compliance?

There are many paths an organization can be sanctioned for being GDPR non-compliant:

Not properly taking measures of improving data handling and security per GDPR guidelines
Sharing (even unintentionally) private/personal information to third parties without disclosing to the subject end-user
Collecting private/personal information and not using it purposely within the nature of the service
Failing to disclose to the end-user, in practical detail, all the types of information being collected and how it is being used
Failing to provide the end-user an easy way of deleting and accessing their information
Not disclosing to the end-users and the regulating body that the services were compromised/hacked and what information is affected within 3 days from the date of the incident

The quickest way your organization can be fined for non-compliance possibly lose public trust is by leaking private/personal information as a result of a security breach by not implementing data handling and security practices within the GDPR standard.

For a majority of companies that are not yet GDPR compliant, it only takes a single successful breach to raise a “red flag” for the regulatory body to start scrutinizing on the organization which will lead to an eventual sanctioning.

Achieving GDPR compliance

How your organization can stay out from the headlines?

Besides changing or updating your organization’s privacy policy, GDPR compliance has two primary components: privacy and security. Ensuring privacy means assessing data subject rights to consent, access, correct, delete and transfer personal data. Readiness in security includes identifying vulnerability, recent/reoccurring breaches and validating the current strategy.

In terms of networking and security, here are the essential goals to becoming a GDPR compliant organization:

Attain Complete Visibility: Have widespread visibility and awareness of data transactional activities across the network.
Have Traffic Data Be Readily Available for Audit: Be able to provide incident data (in its entirety) and have it available for the internal or regulatory body.
Gain Network “Self-Awareness”: Routinely determine whether your organization has crossed the line when it comes to compliance. Have a method of performing a self-audit of personal (and private) data utility, transparency whether internally or externally to an authorized/unauthorized third party and purposeful usage of that said data.
Assess and Validate Current Strategy: Utilize the capabilities to get to the three goals above to determine whether your organization’s current security strategy is more than enough to deter recent and reoccurring data breaches.

One good point to consider is even when the organization is sanctioned, the regulating body can provide avenues of leniency given that the company has evidence that they are taking measures in good faith. This means an organization can minimize and mitigate against the potential consequences and sanctions that they could face with a genuine (and proven) commitment and effort to meeting their GDPR obligations.

Achieving compliance should not be a monumental undertaking; by utilizing Garland’s visibility solution and Quantea’s network monitoring solution, any organization will be a step ahead in attaining GDPR compliance.

Garland’s inline TAPs ensure the highest network visibility by providing data at line rate to a monitoring device, like Quantea’s and providing connectivity to an inline security device. Quantea provides trust and transparency by recording and indexing 100% of whole traffic data while providing the organization ease of accessibility of data for auditing and incident tracing. By utilizing the Quantea’s RESTful API, internal data auditing and assessment can be automated by creating advanced triggers to search and replay particular data types to determine whether there is a personal data loss during a breach incident. Having these capabilities at an arm’s reach is necessary in attaining GDPR compliance.

Capabilities:

Augmented network visibility at 1/10/40/100Gbps
Inline and bypass capabilities
Reliably monitor up to +100Gbps from devices, applications, users and servers
Harness days and months of traffic data for auditing and incident tracing
Built-in search engine filters data that is subject to GDPR
Re-evaluate incidents and assess current security strategy by using traffic replay
Generate reports based on the applications, devices and data that took place during a breach incident

[Compliance]

Network Assessment: Prevented Millions in Potential Government Fines

[Networking/Cybersecurity]

Decreasing Corporate Network Issue Remediation Time by 90%

[Cybersecurity]

DDoS Root Source Analysis: Reduced Downtime to Minutes Instead of Hours

[Network Performance]

Recording High Speed Networks: Saved Millions in Potential CAPEX

More Use Cases

PureInsight Software Suite

Visualize your Network and Pinpoint the Issue.

Analytics Software Suite

PureInsight

SaaS + Cloud

PureInsight.cloud

(Live Now)

Supports industry standard PCAP format. Can analyze data coming from other PCAP sources.

Interactive Search allows the user to explore their network and able to extract relevant data by date/time range as well as other search parameters.

Multi-User and Multi-Tenant Support with role assignment and administration.

Alerts with customizable filter settings. Alerts are aggregated in an interactive time based chart.

Built-in IDS Event Management Dashboard within PureInsight from different sources of events logs.

Available to be used in the public cloud via PureInsight.cloud as well as virtual and on-premise deployment options.

QP Series

QP4000

QP2000

QP1000

QP Virtual

QP600

QP500

Petabyte Scalability: Guarantees that the most possible traffic is recorded.

(Per unit performance) Highest throughput to catch up even with DDoS events.

Traffic replay at Full Rate guarantees that traffic can be played back exactly as it was recorded.

Whole Packet Recording: Unrivaled and infallible source of network data. The best source of network data are the network packets.

Virtual Capture provides flexibility into recording traffic from multiple deployment points.

PCAP compression rate in best case scenarios with DNS packets. 1GB can be compressed to less than 40MB.

Network Visibility is Greater with Quantea