The General Data Protection Regulation (GDPR) is the EU’s new personal data protection law. On the 25th of May 2018, the GDPR becomes enforceable and replaces the Data Protection Directive that was introduced in 1995. This significantly changes the rules surrounding the protection of personal data of EU residents.
The GDPR is much stricter and has a greater scope of coverage than the Data Protection Directive. The GDPR also applies to companies outside the EU and introduces new data breach notification requirements and administrative fines. The vast majority of GDPR requirements are centered around data management and data security. In essence, the law requires and enforces the security of data processing. This includes access, rectification and erasure of personal data held on individuals, and the right of data portability.
SecureLink elaborated extensively on the GDPR subject in the following other blog posts:
GDPR is about privacy. When talking about security versus privacy, two principles of ‘Privacy by Design’ are very important:
Technologies like Palo Alto Networks and F5 Networks play a key role in the support of these two principles. This blog post will elaborate on specific features of these two technologies in your journey towards GDPR readiness.
Palo Alto Networks’ Next-Generation Firewalls are a basic security technology when it comes to the protection of your perimeter and internal network. Next-Generation Firewalls focus on Applications, Users and Content. These focus points are very useful for data protection as well. SecureLink’s primary focus with Palo Alto Networks is on the outgoing network connections and on the protection of the endpoints as these are very important vectors for data exfiltration or voluntary/involuntary data leakage.
The following Palo Alto Networks features are very interesting to look at in the context of GDPR:
A crucial GDPR-related aspect is data breach prevention. Data breaches can be the result of hacking but data leakage can also happen accidentally.
The Palo Alto Networks platform approach employs a series of prevention techniques relevant to data security. Combined, these techniques make a large contribution towards GDPR:
The Palo Alto Networks’ security platform can prevent data leakage and exfiltration in several ways to maintain the appropriate security controls for GDPR. Data leakage can happen for many reasons, ranging from attackers trying to gain access to the perimeter to accidental personal data leakage due to untrained or unaware employees.
If a data breach does happen, the GDPR requires that the event be reported to the authorities. This report must contain the data that was impacted and the measures that were taken to prevent it.
In order to comply with these notification requirements and to remediate the problem, you must know who the impacted user was, what the threat was and what the risk level was. The SecureLink SecureDetect service offers added value by actively monitoring your Next-Generation Firewall and notifying your Security Incident Response teams of the impact of the data breach.
The Palo Alto Firewall can also be used to educate users by showing custom notification pages whenever an accidental data leak is prevented. This message could include a link to corporate data policies for example.
Palo Alto Networks’ Next-Generation Firewall is also a part of a Data Register & Data Protection Impact Assessment. Transparency is one of the key principles of Privacy by Design. Transparency is related to the principle of openness and it is a prerequisite for accountability. Technical mechanisms for achieving or supporting transparency comprise logging and reporting.
The ENISA Privacy and Data Protection by Design – from policy to engineering documentation dedicates a section to “Communications anonymity and pseudonymity”.
“End-to-end encryption may be used to protect the content of communications, but leaves meta-data exposed to third-parties. Meta-data is information “about” the communication, such as who is talking to whom, the time and volume of messages, the duration of sessions or calls, the location and possible identity of the network end-points.
The exposure of meta-data may have a devastating impact on privacy. Uncovering the fact that a journalist is talking to someone within an organization or government department may compromise them as a journalistic source, even if the details of the message contents are not recoverable. Similarly, observing someone persistently browsing for information on some form of cancer may be indicative of a health concern or condition. Meta-data may also uncover lifestyle information that is not immediately obvious to communicating parties. For example persistent collocation of two mobile devices at out of office hours and on weekends is indicative of a close personal relationship. Meta-data analysis of mobile phone location logs, or WiFi / IP addresses, can uncover those relations even when the individuals concerned have not exchanged any messages.”
The same applies to Palo Alto Networks’ log information that correlates a user and a visited URL. For this purpose, the ENISA paper proposes a solution: “Third-party anonymity ensures meta-data is not revealed to third-parties, while both partners know, with high certainty, each other’s identity”. In this use case, the anonymity of your end-users should be protected against the system administrator as the third party, while the Data Protection Officer (DPO) together with HR (four-eyes principle) can reveal the identity of the end-users when it is required. Palo Alto Networks NGFWs have an out-of-the-box feature for this purpose: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/firewall-administration/reference-web-interface-administrator-access/web-interface-access-privileges/define-user-privacy-settings-in-the-admin-role-profile.
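To make the principle concrete, the following is an added illustration (written for this post, not Palo Alto Networks code and not how the PAN-OS privacy setting linked above is implemented) of third-party anonymity in a user/URL log: user names are replaced by keyed pseudonyms before an administrator sees the log, and the pseudonymization key is split into two XOR shares so that the DPO and HR must both contribute their share to re-identify a user. The log entries and the user directory are constructed sample data.

```python
"""Pseudonymous URL-filtering log with four-eyes re-identification.

Added example, not PAN-OS code. Assumptions: a log entry is
(timestamp, user, category, url); the user directory is available to
DPO/HR for re-identification; the two key shares are stored separately.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

LogEntry = Tuple[str, str, str, str]  # (timestamp, user, category, url)

# Constructed sample log, not real traffic.
SAMPLE_LOG: List[LogEntry] = [
    ("2018-05-25T08:01:12Z", "alice", "health", "https://example.org/cancer-info"),
    ("2018-05-25T08:03:40Z", "bob", "news", "https://example.org/headlines"),
    ("2018-05-25T08:05:07Z", "alice", "health", "https://example.org/oncology"),
]

# Constructed user directory (in practice pulled from HR systems or AD).
USER_DIRECTORY: List[str] = ["alice", "bob", "carol"]


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split the key into two XOR shares: one for the DPO, one for HR.
    Either share alone is uniformly random and reveals nothing about the key."""
    share_dpo = secrets.token_bytes(len(key))
    share_hr = bytes(k ^ s for k, s in zip(key, share_dpo))
    return share_dpo, share_hr


def combine_shares(share_dpo: bytes, share_hr: bytes) -> bytes:
    """Recover the key; only possible when both shares are present."""
    return bytes(a ^ b for a, b in zip(share_dpo, share_hr))


def pseudonym(key: bytes, username: str) -> str:
    """Stable keyed pseudonym: same user -> same tag, but no way back
    to the name without the key (HMAC-SHA256, truncated for readability)."""
    tag = hmac.new(key, username.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return "user-" + tag[:16]


def pseudonymize_log(key: bytes, entries: List[LogEntry]) -> List[LogEntry]:
    """The view a system administrator gets: URLs intact, identities hidden."""
    return [(ts, pseudonym(key, user), cat, url) for ts, user, cat, url in entries]


def reveal(share_dpo: bytes, share_hr: bytes, pseudonymous_user: str,
           directory: List[str]) -> Optional[str]:
    """Four-eyes re-identification: DPO and HR combine their shares and
    match the pseudonym against the known user directory."""
    key = combine_shares(share_dpo, share_hr)
    for username in directory:
        if hmac.compare_digest(pseudonym(key, username), pseudonymous_user):
            return username
    return None


def contains_raw_usernames(entries: List[LogEntry], directory: List[str]) -> bool:
    """Check used before handing a log to an administrator."""
    names = {u.lower() for u in directory}
    return any(user.lower() in names for _, user, _, _ in entries)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    share_dpo, share_hr = split_key(key)
    admin_view = pseudonymize_log(key, SAMPLE_LOG)
    for entry in admin_view:
        print(entry)
    print("raw names leaked:", contains_raw_usernames(admin_view, USER_DIRECTORY))
    print("DPO+HR reveal:", reveal(share_dpo, share_hr, admin_view[0][1], USER_DIRECTORY))
```

Two design points matter in practice. First, a stable pseudonym still lets an administrator link all of one person's requests together (the health-category browsing in the sample remains visible as a pattern), so the key should be rotated per retention period if that linkage itself is a privacy concern. Second, re-identification here deliberately requires both shares; storing the combined key anywhere, or letting one role hold both shares, collapses the four-eyes control back to a single administrator.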
GDPR is about privacy and privacy requires security. It is crystal clear that Palo Alto Networks’ Security Platform is important to provide the prevention and detection capabilities that put security into practice. The built-in features, such as prevention of data breaches and data leakage/exfiltration, offer tremendous added value when it comes to GDPR. A Palo Alto Networks NGFW is one of the key perimeter security controls that help you with data breach notification.