June 13, 2017

INFOSEC Europe 2017: GDPR, GDPR and More GDPR

INFOSEC Europe 2017, one of the world’s leading security conventions, was held last week at the 131-year-old Olympia London Centre. Some 330 vendor stands packed this beautiful Victorian building and, although final numbers are yet to be confirmed, organizers acknowledged that attendance was well up from last year’s 13,481 visitors.

Infosec Europe Hall

In my experience, every conference has a theme—one not decided by conference organizers, but rather one set informally by the attendees. The themes represent the concerns and focuses of INFOSEC professionals and are usually a true representation of their current priorities.

So, the Theme of INFOSEC Europe 2017? Four Letters: GDPR.

Any European INFOSEC professional knows that GDPR stands for the EU’s General Data Protection Regulation. More formally, it is Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted on 27 April 2016 and applying from 25 May 2018, a date that adorned many a conference stand and billboard, and the date by which every organization that processes EU personal data must be GDPR-compliant.

GDPR replaces the existing Data Protection Directive 95/46/EC (DPD) and is far stricter and more prescriptive than the original regime. Indeed, many commentators believe it to be the strictest compliance regime ever and a model that many other countries may seek to follow.

Infosec Europe Bus Ad

In building this regulation, Europe looked to the many privacy regulatory and legislative regimes currently in place to judge their efficacy and approach. GDPR takes a very hard line with non-compliant companies. The UK’s Information Commissioner’s Office has published a 12-step preparedness plan for companies to work through before 25 May 2018, one step of which is that every organization must build “Privacy by Design” (Article 25 calls it data protection by design and by default) into its business processes and architectures.

GDPR Compliance and Gigamon

Some people may assume that Gigamon, whose business is in monitoring network traffic, would have no play in GDPR. On the contrary, the Gigamon Security Delivery Platform forms the basis for detecting GDPR-protected data in motion and preventing its misuse, mishandling, and leakage.

For example, Article 32 of the GDPR (“Security of processing”) requires controllers and processors to implement appropriate technical and organisational measures, including, as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

So how would Gigamon help you meet these requirements?

  • (a) Many organizations respond to the encryption requirement by migrating business infrastructure to TLS/SSL. But this blinds business tools (e.g., application monitoring and security tools) to the contents of that traffic and prevents them from doing their job. Gigamon’s Inline SSL Decryption for inline and out-of-band monitoring and security tools addresses both needs: data in motion stays encrypted on the wire, while the tools that must inspect it receive a decrypted feed so they can see what they need to see. Bear in mind that the decryption point is itself a place where personal data exists in the clear, so it needs the same access control, logging and key-handling discipline as any other system that processes that data.
  • (b) Data Loss Prevention (DLP) tools may have fallen out of favor in the 2011-2012 timeframe, but the reality is that they are an invaluable tool for detecting data misuse. The challenge is that they are slow: very slow. Gigamon can help by connecting these slow tools to fast networks, not just at the edge, but in the core of the network.
  • (c) One of the least discussed Gigamon use cases is the value we bring when disaster strikes, the network is down, and every vendor is pointing fingers at every other vendor. The ability to take traffic from anywhere in the network and feed it to any diagnostic tool is an incredible asset in troubleshooting major outages and restoring service in a timely manner.
  • (d) As with (b), Gigamon is a core part of the solution here: regularly testing and assessing your security measures depends on having access to your own data in motion, which is exactly what the platform gives you.

The Price of Non-Compliance

So, what’s the cost of non-compliance? And if you’re not in the EU, why should you care?

Sanctions and penalties are where GDPR differs heavily from most existing privacy regimes, where fines are often seen as just a cost of business. The EU deemed that unacceptable and, thus, made the penalties for non-compliance severe.

Firstly, Article 82 establishes that anyone who suffers damage as a result of an infringement can seek compensation from the controller or processor. But it’s Article 83, which establishes administrative fines, that has received the most attention. The excerpt below is the highest tier of penalty under the GDPR. Note where the security measures discussed above sit: an infringement of the Article 32 security obligations on its own falls under paragraph 4 (up to 10 000 000 EUR or 2 % of worldwide annual turnover). The paragraph 5 tier covers infringements of the basic principles of processing, data subjects’ rights and the rules on international transfers, and an egregious leak can reach it because it also breaches the integrity and confidentiality principle in Article 5(1)(f):

Article 83 Paragraph 5:

5.   Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Let me repeat: a fine of up to 20 million EUR, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Now take that paragraph, get a list of major breaches of personal data from the past couple of years, and start to work out how much each company would have been fined had the GDPR been in effect. (To note: That 20M EUR figure also featured heavily around the stands at INFOSEC Europe.)

But if you’re reading this and thinking, “So what? I’m not a European business, this doesn’t apply to me,” you need to understand one more fact. If you process personal data of people who are in the EU in connection with offering them goods or services, or with monitoring their behaviour, the GDPR applies to you even if you have no establishment in the EU (Article 3(2)). It has, by design, extraterritorial reach.

Exactly how this will be enforced against non-EU companies remains unclear, but the consequences go beyond fines: enforcement actions are public, and the resulting brand damage (or at least significant bad press and embarrassment) is a penalty in itself. For companies with operations and assets in the EU, direct legal action is obviously an option. Companies with no assets in the EU may avoid paying the fine, but will still bear the embarrassment, and one could argue that their prospects of expanding into the EU before settling it would be questionable. It seems unlikely that this would escalate to attempts to extradite responsible company officers who refuse to comply from non-EU locations, as some were suggesting at INFOSEC, but who really knows?

This is a very complex area, and I’d refer those interested to the briefing paper from UK law firm Slaughter and May: “And if you’re not in the EU, why should you care?” How the EU will respond to the first overseas enforcement was a much-discussed subject at INFOSEC Europe, with the general consensus being that the regulators would seek to make an example of the company to show the efficacy of the regime.

If you want to understand how Gigamon can help you achieve GDPR compliance, contact your local Gigamon sales team.
