Importance of infrastructure testing as a part of GDPR compliance
By this time the swarm of emails related to GDPR (General Data Protection Regulation) has slowed down since it first went into effect on 25 May 2018. From this date, non-compliance with the regulation may result in huge fines up to 4% of annual revenue or 20 million euros — whichever proves greater. It was of no surprise that with the rise of public complaints about personal data collection, concern has grown in relation to user privacy and the right of online anonymity.
The main idea behind GDPR lies in the assurance to EU residents that their personal data is shielded by the proper regulations and standards. This mean that not only applications and databases should be protected, but that one’s entire infrastructure must correspond to the designated level of security.
Why is GDPR so important?
Based on security reports, 94% of web applications may be vulnerable to unwarranted breaches of security. This is pretty typical for those platforms which rely on the processing of personal user data as testing and activities to maintain the proper level of security often results in significant costs. Consequently, many companies attempting to reach the market in a timely fashion decide to cast less emphasis on this side of the development process, putting it off until a future date. Still, many others think the vulnerabilities are too insignificant to be checked. Regardless, even if the application itself is built according to the latest security recommendations, user data could still be leaked due to infrastructure vulnerabilities.
Implementing the desired level of security
GDPR requires that personal data be collected, processed and stored securely using the appropriate technical and organizational measures. The Regulation does not list a set of actions and techniques which should be done but rather expects the company to take ‘appropriate’ action. The best practice regarding this is to use the risk management procedures outlined by many national security centers and NGOs. This approach will depend on your individual circumstances as well as the data that you are processing, in other words – the risks posed.
The security measures must be built into your systems at the outset (referred to as Privacy by Design) and maintained effectively throughout the lifecycle of your application or platform.
The NCSC has developed a set of GDPR Security Outcomes outlining this. This guideline provides an overview of how the GDPR references security and describes a set of security-related outcomes that all organizations processing personal data should seek to achieve.
The approach is based on four top-level aims:
- Management of security risk;
- Protection of personal data against cyber attacks;
- Detection of security events;
- Minimization of impact.
As a part of this approach, we provide an Infrastructure assessment.
You can expect a detailed report complete with recommendations and best practices tailored for your project concerning its particular business needs, expected loads and other metrics. The structure of an assessment report is usually the following:
Define all architecture elements and how they interact with each other.
Deliverable: architecture diagram, data flow diagram
Evaluate infrastructure components against currently known vulnerabilities
Deliverable: report on applied or unapplied but published security updates and patches
Monitor traffic and data interaction between all components including internal and external-facing ports used and other network entities (such as VPC)
Deliverable: report on possibility to breach the local network using some insecure open ports or opportunities to flood / DDoS certain ports with corresponding traffic
Access administrative and monitoring tools used within current infrastructure
Deliverable: report on discovered vulnerabilities and ways to mitigate them including recommendations to use secure 3rd-party CDN / DNS proxies (such as CloudFlare) if applicable
Evaluate authentication and user management security policies
Deliverable: report on possibility of exploitation of MiTM, phishing or other attacks resulting in loss of access to the account or leaking of user data
An Infrastructure assessment is invaluable for your project as nothing is more precious than privacy nowadays. Having these results in hand, you’ll be able to get a clearer understanding of all the moving parts within the existing infrastructure as well as a view on the most important problem points to address in order to improve your overall security level.
As we all know, the whole system is only as secure as its most insecure component.
An example of an Infrastructure evaluation with load generation setup:
For starters, some good advice on implementing the necessary security measures required by the GDPR would be to seek cybersecurity guidance from a reputable consultant. Bekitzur has prepared a GDPR checklist to ensure that all services and solutions we offer are fully compliant and allow clients to achieve their desired outcomes in dealing with personal data.