Importance of infrastructure testing as a part of GDPR compliance
By now the swarm of emails about GDPR (General Data Protection Regulation) has slowed down, since the regulation came into effect on 25 May 2018. From that date, non-compliance may result in huge fines of up to 4% of annual revenue or 20 million euro, whichever is greater. No surprise that everyone has become concerned about user privacy and the right to be forgotten.
The main idea of GDPR is to make sure that the personal data of EU residents is protected to a proper level and standard. This means that not only the application and database must be protected; the entire infrastructure must meet the designated level of security.
Why is GDPR so important?
According to security reports, 94% of web applications are vulnerable. This is a typical landscape: testing and the activities needed to maintain a proper level of security come at significant cost, and many companies racing to reach the market decide to put this off and address it later. Others think they are too small to be a target.
Besides, even if the application itself is built according to the latest security recommendations, user data can still leak through infrastructure vulnerabilities.
Implementing the desired level of security
GDPR requires that personal data be collected, processed and stored securely using appropriate technical and organisational measures. The Regulation does not list the actions and techniques to be taken; rather, it expects the company to take ‘appropriate’ action. The best way to do this is to manage the risk. The approach depends on your circumstances and on the data you are processing, and therefore on the risks posed.
Security measures must be designed into your systems from the outset (referred to as Privacy by Design) and kept effective throughout the lifecycle of your application or platform.
The NCSC developed a set of GDPR Security Outcomes. This guidance provides an overview of what the GDPR says about security and describes a set of security-related outcomes that all organisations processing personal data should seek to achieve.
The approach is based on four top-level aims:
- manage security risk;
- protect personal data against cyber attack;
- detect security events;
- minimise the impact.
As part of this approach we provide an infrastructure assessment.
It results in a detailed report with recommendations and best practices tailored to your project, taking into account its particular business needs, expected loads and other relevant metrics. The assessment report is usually structured as follows:
- Define all architecture elements and how they interact with each other.
  Deliverable: architecture diagram, data flow diagram
- Evaluate infrastructure components against currently known vulnerabilities.
  Deliverable: report on security updates and patches that have been published, and whether each has been applied
- Monitor traffic and data interaction between all components, including internal and external-facing ports in use and other network entities (such as VPCs).
  Deliverable: report on the possibility of breaching the local network through insecurely open ports, or of flooding / DDoSing certain ports with corresponding traffic
- Assess the administrative and monitoring tools used within the current infrastructure.
  Deliverable: report on discovered vulnerabilities and ways to mitigate them, including recommendations to use secure third-party CDN / DNS proxies (such as Cloudflare) where applicable
- Evaluate authentication and user management security policies.
  Deliverable: report on the possibility of MiTM, phishing or other attacks that result in loss of access to the account or leakage of user data
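As an added example (not Bekitzur's own assessment tooling), the following Python script shows the kind of check that sits behind two of the deliverables above: the "applied or not applied security updates" report and the "insecurely open ports" finding. It compares a host inventory against a list of advisories and a port exposure policy, and emits the findings per host. Every host name, installed version, advisory reference and allowed-port policy in it is a constructed assumption, not data from the original page or a real advisory.

```python
"""Patch-gap and port-exposure check for an infrastructure assessment.

Added example, not Bekitzur's own tooling. All hosts, versions, advisory
references and the port policy below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str   # package / service name as it appears in the inventory
    fixed_in: str    # first version that contains the fix
    reference: str   # constructed label, not a real CVE identifier


@dataclass
class Host:
    name: str
    role: str            # "external" (internet-facing) or "internal"
    packages: dict       # component -> installed version string
    open_ports: set      # listening TCP ports observed on the host


# Constructed advisories: components and fixed versions are illustrative only.
ADVISORIES = [
    Advisory("nginx", "1.16.1", "ADV-EXAMPLE-001"),
    Advisory("openssh", "8.0", "ADV-EXAMPLE-002"),
    Advisory("postgresql", "11.5", "ADV-EXAMPLE-003"),
]

# Constructed inventory, as it would come out of the architecture-mapping step.
HOSTS = [
    Host("web-01", "external", {"nginx": "1.14.0", "openssh": "7.9"}, {22, 80, 443}),
    Host("db-01", "internal", {"postgresql": "11.6", "openssh": "8.2"}, {22, 5432}),
]

# Constructed exposure policy: ports a host in each role is allowed to listen on.
ALLOWED_PORTS = {"external": {80, 443}, "internal": {22, 5432}}


def parse_version(version: str) -> tuple:
    """Turn '1.16.1' into (1, 16, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(host: Host, advisories=ADVISORIES) -> list:
    """Return (component, installed, fixed_in, reference) for each advisory the host has not applied."""
    findings = []
    for adv in advisories:
        installed = host.packages.get(adv.component)
        if installed is None:
            continue  # component not present on this host, advisory does not apply
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.component, installed, adv.fixed_in, adv.reference))
    return findings


def unexpected_ports(host: Host, policy=ALLOWED_PORTS) -> list:
    """Return listening ports that the exposure policy does not allow for the host's role."""
    return sorted(host.open_ports - policy.get(host.role, set()))


def assess(hosts=HOSTS, advisories=ADVISORIES, policy=ALLOWED_PORTS) -> dict:
    """Build the per-host findings that feed the assessment report."""
    return {
        host.name: {
            "missing_patches": missing_patches(host, advisories),
            "unexpected_ports": unexpected_ports(host, policy),
        }
        for host in hosts
    }


def render(report: dict) -> str:
    """Format the findings as the plain-text section of the deliverable."""
    lines = []
    for name, findings in report.items():
        lines.append(f"{name}:")
        for comp, installed, fixed, ref in findings["missing_patches"]:
            lines.append(f"  patch missing: {comp} {installed} < {fixed} ({ref})")
        for port in findings["unexpected_ports"]:
            lines.append(f"  unexpected listener: tcp/{port}")
        if not findings["missing_patches"] and not findings["unexpected_ports"]:
            lines.append("  no findings")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(assess()))
```

In a real engagement the inventory and listening ports come from the architecture-mapping and traffic-monitoring steps, and the advisory list from vendor security bulletins; the point of the script is that version comparison must be numeric (a string comparison would rank "1.9" above "1.16"), and that an exposed port is a finding relative to the role of the host, not on its own.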
An infrastructure assessment could be the most valuable thing done for your project, as nothing is more precious than privacy these days. With those results in hand you will have a clear understanding of all the moving parts within the existing infrastructure, along with a view of the most important pain points to address in order to improve the overall security level.
As we all know, a system is only as secure as its most insecure component.
[Figure: example of infrastructure evaluation with load generation setup]
A good starting point for advice on implementing security measures for the GDPR is existing cybersecurity guidance. Bekitzur has prepared a GDPR checklist to ensure that all services and solutions we offer are fully compliant and allow clients to achieve the desired outcomes when dealing with personal data.