It’s go-time for GDPR. The EU’s sweeping new General Data Protection Regulation is set to take effect May 25. Any business that controls or processes the personal data of customers in the European Union has less than a month to comply.
You might say people are feeling a sense of urgency.
No one knows that better than Avi Solution Architect Matt Karnowski. He’s been busy working with customers to explain the implications of GDPR and how Avi can play a critical role in achieving compliance.
For those looking for a quick primer, we asked Karnowski to explain what GDPR has to do with application delivery—and how a load balancer is like Batman’s utility belt.
What are the steps to become GDPR compliant?
There is nothing prescriptive in the regulation that says you must do X, Y and Z. GDPR is a law and not a standard. It doesn’t tell you exactly what to do. But GDPR is coming, and companies are going to be held responsible. That’s why everyone is scrambling to figure out how to be compliant and avoid being fined.
GDPR requires companies to be transparent about how they use and secure customer data. From a technical perspective, they want to know what they need to do to be GDPR-compliant. But the first questions they need to ask are, “How do we prevent a security breach? How do we prevent data leakage?” The load balancer is the best place to start.
Why is a load balancer important for GDPR?
Since most public-facing applications pass through a load balancer, it’s an ideal place to gather data about privacy and security. Avi’s analytics can provide unmatched visibility into what users are accessing and what they’re attempting to do. It lets you see everything you need in one place.
What implications does GDPR have for IT teams?
If you get breached, GDPR has new requirements. You have 72 hours to announce the breach. It also imposes significant fines, up to 4% of annual revenue or 20 million euros (whichever is higher). With that kind of financial stake, IT teams will feel extra stress around security. Where it used to be a give-and-take between security and ease-of-use, there is going to be a lot more rigor around security. If an IT organization’s security is not up to par, it will need to refresh and enhance its systems to add capabilities. The regulation says you must have reasonable security controls for the type of data you have. The good news is that if you do get breached, you aren’t immediately subject to a fine. But if you aren’t meeting the controls, or if you haven’t implemented them correctly, you will be fined. As an organization, you’re going to be responsible for deploying technical security solutions, ongoing auditing, and remediation. You have to make sure you’re meeting requirements and standards as well as monitoring and detecting attacks.
What are the risks for application delivery teams?
As load balancers pass data between point A and B, the risk is maintaining administrative control of your devices — making sure someone isn’t logging in who shouldn’t be. You need to limit roles and access to the ADC infrastructure itself so not everybody in your company can log into your load balancer and look around and browse. Whoever needs to manage that service should be the only one able to access your load balancer.
What are best practices to be compliant in data centers?
You need appropriate technical controls around roles and responsibilities. You need to audit who has access to what and why, and do this on a continual basis. You need to audit your infrastructure to look for configuration drift. You need to build in an automated auditing system. Run tests every day to make sure what’s configured is what you expected to be configured. Monitoring, alerting, and auditing — turn those into a centralized environment.
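The two answers above (limiting who can administer the ADC, and auditing daily for configuration drift) can be automated in one job. The following is an added example, not Avi Networks code and not a description of any vendor's API: it assumes the load balancer can export its running configuration and its user/role assignments as JSON, and every field name, user name and CIDR in it is constructed for illustration.

```python
"""Daily config-drift and admin-access audit for a load balancer / ADC.

Added example (not vendor code). Assumes the ADC exports its running config
and role assignments as JSON; the structure and names below are hypothetical.
"""

# Constructed golden (expected) configuration, reviewed and version-controlled.
GOLDEN_CONFIG = {
    "virtual_services": {
        "vs-shop": {"port": 443, "tls_min_version": "1.2", "waf": True,
                    "log_client_requests": True},
    },
    "admin_access": {"allowed_cidrs": ["10.0.0.0/8"], "mfa_required": True},
}

# Constructed export of what is actually running today: TLS floor lowered,
# a debug service nobody approved, and admin access opened to the world.
RUNNING_CONFIG = {
    "virtual_services": {
        "vs-shop": {"port": 443, "tls_min_version": "1.0", "waf": True,
                    "log_client_requests": True},
        "vs-debug": {"port": 8080, "tls_min_version": None, "waf": False,
                     "log_client_requests": False},
    },
    "admin_access": {"allowed_cidrs": ["10.0.0.0/8", "0.0.0.0/0"],
                     "mfa_required": True},
}

# Constructed role assignments and the approved list of who may hold admin.
RUNNING_ROLES = {"alice": "admin", "bob": "read-only",
                 "carol": "admin", "svc-ci": "admin"}
APPROVED_ADMINS = {"alice", "svc-ci"}


def diff_config(expected, actual, path=""):
    """Return (path, expected, actual) for every leaf that differs.

    Keys only in the running config are reported with expected=None
    (something was added); keys missing from it with actual=None.
    """
    drift = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            sub = f"{path}.{key}" if path else key
            if key not in expected:
                drift.append((sub, None, actual[key]))
            elif key not in actual:
                drift.append((sub, expected[key], None))
            else:
                drift.extend(diff_config(expected[key], actual[key], sub))
    elif expected != actual:
        drift.append((path, expected, actual))
    return drift


def audit_admins(roles, approved):
    """Return accounts holding the admin role that are not on the approved list."""
    return {user for user, role in roles.items() if role == "admin"} - set(approved)


def run_audit():
    """Combine both checks; an empty result means the environment matches intent."""
    return {
        "drift": diff_config(GOLDEN_CONFIG, RUNNING_CONFIG),
        "unapproved_admins": audit_admins(RUNNING_ROLES, APPROVED_ADMINS),
    }


if __name__ == "__main__":
    result = run_audit()
    for path, exp, act in result["drift"]:
        print(f"DRIFT  {path}: expected={exp!r} running={act!r}")
    for user in sorted(result["unapproved_admins"]):
        print(f"ACCESS {user}: holds admin but is not on the approved list")
    # Non-zero exit lets a daily cron or CI job alert on any finding.
    raise SystemExit(1 if result["drift"] or result["unapproved_admins"] else 0)
```

Run it from a scheduler every day and treat any non-zero exit as an incident ticket; the golden config and the approved-admin list should live in version control so the audit trail shows who changed the expectation and when.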
What about the public cloud?
Best practices in the data center are relevant for the public cloud as well. But your security needs to be more rigorous in the public cloud because you don’t own and are most likely sharing the underlying infrastructure. Encryption of traffic becomes vital. Internal communications between applications that at one time may have been in the clear now need to be encrypted. You need more key rotation. You must change passwords continuously. Most companies have a password change policy of every 90 days, but you want to lower that in the public cloud. You want to have stricter controls.
Is there any part of the cloud infrastructure that is more impacted by GDPR?
Within a data center, you own the infrastructure. It’s isolated. Your storage is not exposed to the Internet. But in the cloud, all these services have public entry points. If the access controls are misconfigured, anyone can access your storage. In the public cloud you have to be overly concerned with public security controls to make sure your services aren’t inadvertently exposed.
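The misconfiguration described above, storage with a public entry point that anyone can reach, is usually a policy that grants access to every principal. The following is an added example, not Avi Networks code: a checker for AWS S3 bucket-policy JSON that flags `Allow` statements whose principal is the wildcard. The policy document, bucket name and account ID are constructed, and the rule deliberately separates conditional statements (public only if the condition is weak) from unconditional ones.

```python
"""Flag storage bucket policies that grant access to everyone.

Added example (not vendor code). Uses the AWS S3 bucket-policy JSON format;
the bucket, statements and account ID are constructed for illustration.
"""
import json

CONSTRUCTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Intended: one application role may read exports.
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
        # Accident: the whole bucket readable and listable by anyone.
        {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-exports",
                      "arn:aws:s3:::customer-exports/*"]},
        # Wildcard principal but restricted by source IP: needs human review.
        {"Sid": "OnlyFromVpn", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})


def _is_wildcard_principal(principal):
    """True for the forms that mean 'anyone': "*" or {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        if isinstance(values, str):
            values = [values]
        return "*" in values
    return False


def find_public_statements(policy_json):
    """Return Sids (or positional names) of Allow statements open to any principal.

    Statements carrying a Condition are listed under 'conditional' rather than
    'public', because whether they are truly public depends on the condition keys.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # AWS allows a single statement object
        statements = [statements]
    public, conditional = [], []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement-{i}")
        (conditional if st.get("Condition") else public).append(sid)
    return {"public": public, "conditional": conditional}


if __name__ == "__main__":
    findings = find_public_statements(CONSTRUCTED_POLICY)
    for sid in findings["public"]:
        print(f"PUBLIC      {sid}: unconditional access for any principal")
    for sid in findings["conditional"]:
        print(f"REVIEW      {sid}: wildcard principal restricted by a Condition")
```

In practice the policy would be fetched from each bucket by the cloud API and this check run on a schedule alongside the configuration-drift audit, so an exposure introduced by a change shows up within a day rather than after a breach notification.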
Any other benefits of GDPR beyond being compliant?
From an end-user perspective, the company will be seen in a good light, and people will have a favorable opinion of the company.
Is GDPR compliance more difficult on-premises or in the cloud?
In a public cloud, you have limited visibility into what’s going on within the network. If you’re trying to track a bad player accessing multiple web servers, you can only get that information from the end host. Knowing who is accessing what resources is normally very difficult in the cloud. But Avi provides that visibility with a full client log and analytics in both on-premises and cloud environments.
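When visibility exists only on the end hosts, the logs from each web server have to be pulled together before a client active across several of them can be seen. The following is an added example, not Avi Networks code or output: it correlates constructed common-log-format lines from three hosts by client IP and reports clients that touched several servers and mostly received error responses, a simple signature of someone probing for admin pages and leaked files.

```python
"""Correlate per-host web server logs to spot one client probing many servers.

Added example (not vendor code). The three hosts' logs below are constructed
in the common log format; the addresses come from the documentation ranges.
"""
import re
from collections import defaultdict

HOST_LOGS = {
    "web-1": [
        '198.51.100.7 - - [10/May/2018:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
        '203.0.113.9 - - [10/May/2018:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0',
        '203.0.113.9 - - [10/May/2018:10:00:03 +0000] "GET /.env HTTP/1.1" 404 0',
    ],
    "web-2": [
        '203.0.113.9 - - [10/May/2018:10:00:04 +0000] "GET /admin HTTP/1.1" 403 0',
        '198.51.100.7 - - [10/May/2018:10:00:05 +0000] "POST /cart HTTP/1.1" 200 88',
    ],
    "web-3": [
        '203.0.113.9 - - [10/May/2018:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
        '192.0.2.33 - - [10/May/2018:10:00:07 +0000] "GET / HTTP/1.1" 200 1024',
    ],
}

# client ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def correlate(host_logs):
    """Per client IP: set of hosts touched, request count, error count, paths."""
    stats = defaultdict(lambda: {"hosts": set(), "requests": 0,
                                 "errors": 0, "paths": set()})
    for host, lines in host_logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            s = stats[rec["ip"]]
            s["hosts"].add(host)
            s["requests"] += 1
            s["paths"].add(rec["path"])
            if rec["status"] >= 400:
                s["errors"] += 1
    return dict(stats)


def suspicious_clients(host_logs, min_hosts=2, min_error_ratio=0.5):
    """Clients seen on at least min_hosts servers whose responses are mostly errors."""
    hits = []
    for ip, s in correlate(host_logs).items():
        if len(s["hosts"]) >= min_hosts and s["errors"] / s["requests"] >= min_error_ratio:
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    stats = correlate(HOST_LOGS)
    for ip in suspicious_clients(HOST_LOGS):
        s = stats[ip]
        print(f"{ip}: {len(s['hosts'])} hosts, {s['errors']}/{s['requests']} errors, "
              f"paths={sorted(s['paths'])}")
```

The thresholds are deliberately simple; the point is that the per-host view of any single server shows one or two 404s, while the merged view shows the same client walking every server for the same admin paths.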
Will strict regulation like GDPR impede innovation?
As an end user, I like the idea of the regulation. I like the idea of being able to remove my data from a company if I don’t want them to have it or share it. Do I think it will stifle innovation? No.
Companies will still migrate to the cloud. This regulation will, however, stop reckless innovation that’s being done at the cost of security.
What does Avi Networks solve?
Avi can help companies meet GDPR requirements but we don’t solve GDPR. We provide visibility, transparency, and a centralized audit trail for all data that passes through the load balancer. We are lights in your house so you can find vulnerabilities. We are security cameras so you can see if you are being breached. And we have good locks for doors and windows to prevent many attacks. But that alone doesn’t make you GDPR compliant. While we do have some of the strongest security features, our customers find tremendous value in the analytics and information we surface to demonstrate compliance. Avi can show you what is going on in your environment through our load balancer. Customers want our help with GDPR because we offer easy-to-use logs and visibility — that’s the value Avi adds in GDPR. We’re not Batman, you are. And Avi is your utility belt.