VNS3 Network Platform

Don’t be caught off guard by GDPR requirements in 2018!

A recent study by KPMG of the boards of FTSE 350, few are prepared for the General Data Protection Regulation, or GDPR. All new data your organisation gathers should include more clear evidence of data collection consent and opt-out options. How should IT teams prepare for the upcoming changes? Which initiatives should be a part of your program to be compliant?

Penalties for not complying with GDPR will be steep. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). While this is the maximum amount an organisation will face, the requirements are rigid for all levels of infringements. GDPR has a tiered approach to fines so organisations might be liable for multiple offenses. Internal IT teams and legal depatrments should take note – the GDPR applies to any company that controls data or processes data — ‘clouds’ are not exempt.

Which initiatives should be a part of your program to be compliant with GDPR?
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.

Takeaway: Any organisation that collects or processes data of an EU citizen should comply with GDPR.

At the core, the GDPR requires data protection by design. Organisations must design data security into business processes.

Another requirement is “pseudonymisation” or the process of transforming personal data in such a way that the end data cannot identify the specific data. An example is encryption. Additionally, the GDPR also requires the associated information, like the decryption keys, must be kept separately from identifying data.

Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.

Next, teams should re-evaluate access controls to sensitive data. With cloud-based systems, it should be easier to implement strong authentication programs to apply the rule of “least privilege” required for each application.

Finally, add encryption in-transit to any existing security best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

How can Cohesive Networks help you?

VNS3 helps meet data security measures for data privacy compliance:

• Encrypt data in transit using VNS3’s IPsec tunnels to connect to all data sources and applications
• Protect Personal Data by encrypting all data across open public networks
• Guard against Vulnerability with a VNS3 intrusion detection system (IDS)
• Maintain Strong Access Control by controlling access to data and encryption keys
• Enhance Data Portability with a VNS3 overlay network over the top of any cloud or virtual network

According to a study by KPMG of the boards of FTSE 350, few are prepared for the General Data Protection Regulation, or GDPR. Organisations are running out of time to get their IT systems and operations in order. Protecting and securing existing data is only half the battle, with the GDPR’s strong emphasis on security by design and data portability.

On May 25, 2018 the European Union’s new data protection and personal information laws will go into effect. The GDPR governs the privacy and security of personal data for practically every person and entity connected to the EU.

Don’t take the risk

Fines for non-compliance will be harsh. Companies that do not maintain information security best practices could be fined up to 4% of “total worldwide annual turnover of the preceding financial year.” If a US-based financial institution was found to have data on EU citizens, they could face a fine of 4% of total global revenues or up to 20 million Euros ( $22 million US).

VNS3 can help organisations meet data security measures for data privacy compliance. Even if your company is not located in the EU, your data might include information on a “data subject.” For organisations with large amounts of data and data that travels between networks the best options include adding encryption in-transit. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

What type of data is covered?

For GDPR compliance, personal data is defined as “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

Plus, there are 2 new data categories: genetic and biometric data.

“Genetic and biometric data” means anything that may reveal an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life and sexual orientation. These 2 categories join existing sensitive and special personal data, such as home addresses, credit card details, and health care records.

VNS3 meets data security measures for your GDPR compliance by helping you:

1. Encrypt data in transit
2. Protect Personal Data
3. Guard against Vulnerability
4. Maintain Strong Access Control
5. Enhance Data Portability

1. Encrypt data in transit

Use VNS3’s secure IPsec tunnels to connect to all data sources and applications. With end-to-end encryption that only you control your organisation can guarantee GDPR compliance for your customer’s data, even if you collect it in one region and process it in another. Section 83 of GDPR event states “…the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” VSN3 offers a superior level of encryption, with AES 256-bit encryption.

2. Protect Personal Data

VNS3 lets you encrypt all data across networks, regions, and cloud providers. This way you can add protection in shared environments like public clouds, partner networks, and across regions. This part of the critical GDPR tenant of “data protection by design.” In Article 25 , organizations must design data protection into business processes to protect personal data. GDPR leaves it up to companies to decide what security measures are needed to match the risks of a data breach. Encryption is a proactive approach to data security and can save organisations heavy fines.

3. Guard against Vulnerability

Section 83 states all organisations should consider “the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Prevent unwanted access to your customers’ data with a VNS3 intrusion detection system (IDS). With VNS3, you can securely connect your network across multiple public and private clouds and use our plug-in system to add in monitoring for possible intrusions. By combining network functions, you can ensure data in motion security and privacy.

4. Maintain Strong Access Control

Control access to data and encryption keys with VNS3. Enforce security policies and multiple orthogonal layers for added security with VNS3. Not only does VNS3 provide layer 4-7 network security, but using the Docker container system allows you to create “in mesh” application plugins, including network intrusion detection (NIDS), proxy, and monitoring controls. Prepare with security, but plan for a data breach. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.

5. Enhance Data Portability

Data portability might seem unrelated to privacy interests, but it is another goal we’ve always championed at Cohesive Networks. Data portability will allow organisations to free themselves from any non-compliant vendors or partners, which could limit the risks for organisations just taking on GDPR compliance projects. The GDPR likely will only require data portability for data that were originally provided by the data subject (including as photos or documents stored in the cloud). Interoperable standards are encouraged, but not mandated by GDPR.

With a VNS3 overlay network over the top of any cloud or virtual network you can make your applications, and the data they use, more agile.

What is VNS3?

VNS3 is a software-only virtual machine that integrates with existing network equipment and can be delivered as part of the application deployment in most virtualized infrastructures.

With over 3,000 connected customers in more than 22 countries, VNS3 has provided more than 500 million devices hours of application networking for the cloud. VNS3 offers customers more dynamic network controls on top of cloud offerings, including multiple VLAN peering, end-to-end data in motion encryption, application layer firewall rules, multicast, and multi-region peering.

But, don’t just take our word for it! Use VNS3 in any cloud environment with our Free Edition. Try it today from the AWS Marketplace or Azure Marketplace.

Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.