ultimately better protecting the personally
identifiable information?

There has been a lot of talk of GDPR over the
last year, so organisations today understand
the serious repercussions of non-compliance
and many have put basic frameworks in
place with a focus on two pillars – ‘people’
and ‘process’.

People – GDPR stipulates the appointment
of a Data Protection Officer (DPO) for any
organisation that is a public authority
that has a core activity involving the
monitoring of individuals on a large scale,
or the processing of large volumes of
sensitive data. The DPO needs to have a
thorough knowledge of GDPR and have an
independent voice within the organisation.

Rabih Itani, Regional Business Development
Manager, Security, Middle East and Turkey
at Aruba

Process – Many organisations’ GDPR
approach so far has been data mapping –
identifying where, why and how personal
data is being used, while also eliminating
any unnecessary data processing. Once this
is done, each organisation has a foundation
from which to ensure secure policies and
processes are in place.

While the two GDPR pillars – ‘people’
and ‘process’ – have been looked at, there
has been a bit of lag in the use of the
third pillar – ‘technology’ – which plays
an important role in detecting attacks
and crucially, responding to attacks. Do
organisations need to rip and replace
existing cybersecurity tools?

Let’s now look at the technology aspects of
data protection and GDPR:

Technology: Security solutions to the rescue
A GDPR security strategy should look at four
technology areas. By applying good quality
security solutions to each of these areas,
security teams and the DPO can together
manage the inevitable exposure to the risk
of cyberattack.

Network Access Control (NAC)
Businesses today embrace the idea of
anywhere, anytime connectivity, but have
largely ignored the need for secure Network
Access Control (NAC).
Many employ a laid-back ‘connect now,
secure later’ NAC philosophy. Others simply
choose the same vendor for security that
they use for network infrastructure. Both of
these approaches give the illusion of security
– even compliance – but in reality, leave
extensive security gaps.
NAC offers, at a minimum, authentication
of a user or device. With mobile access now
the norm and Internet of Things devices
connecting to the network, the only way to
ensure proper access is maintained is to go
beyond simply validating credentials. The
next level beyond this is to tightly control
who and what is authorised to access IT
assets, including personal information.
With advanced NAC, the IT team knows
where personal data is located. They can
use NAC to stipulate who is entitled to
access that information and under what
circumstances. In an ideal world, NAC and
policy management solutions will provide
device discovery, role-based access to IT
assets and a closed-loop, policy-based
attack response.
For complete convenience, it should also
integrate seamlessly with existing network
infrastructure, perimeter security systems
and service and support offerings.
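
The difference between validating credentials and the role-based, closed-loop control described above can be shown with a small policy check. This is an added example, not code from the article or from any NAC product; the policy table, segment names, roles and `Session` fields are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy: which roles, on which discovered device types,
# may reach each network segment. "pii" holds personal data.
POLICY = {
    "pii":  {"roles": {"hr", "dpo"}, "devices": {"managed-laptop"}},
    "corp": {"roles": {"hr", "dpo", "staff"},
             "devices": {"managed-laptop", "byod-phone"}},
    "iot":  {"roles": {"iot"}, "devices": {"camera", "printer"}},
}

@dataclass
class Session:
    identity: str
    authenticated: bool
    role: str
    device_type: str  # result of device discovery / profiling
    alerts: int = 0   # open alerts fed back by other security tools

def credentials_only(session, segment):
    """'Connect now, secure later': any valid credential gets in."""
    return "allow" if session.authenticated else "deny"

def decide(session, segment):
    """Role- and device-aware decision with closed-loop response."""
    if not session.authenticated:
        return "deny"
    if session.alerts > 0:
        return "quarantine"  # attack response overrides normal access
    rule = POLICY.get(segment)
    if rule is None:
        return "deny"        # unknown segment: default deny
    ok = (session.role in rule["roles"]
          and session.device_type in rule["devices"])
    return "allow" if ok else "deny"

# Constructed sample sessions, for illustration only.
HR_LAPTOP = Session("alice", True, "hr", "managed-laptop")
HR_PHONE = Session("alice", True, "hr", "byod-phone")
CAMERA = Session("cam-17", True, "iot", "camera")
DPO_FLAGGED = Session("bob", True, "dpo", "managed-laptop", alerts=1)

def compare(segment="pii"):
    """Return (credentials-only, policy-based) results per session."""
    sessions = (HR_LAPTOP, HR_PHONE, CAMERA, DPO_FLAGGED)
    return [(s.identity, s.device_type,
             credentials_only(s, segment), decide(s, segment))
            for s in sessions]
```

Calling `compare()` lists, for each constructed session, what a credentials-only check returns next to the policy-based decision for the personal-data segment.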
Assurance
The next level of protection relies on the
fundamental security of the underlying
network infrastructure. If data can be easily
tapped off the network in normal day-to-day
business flows and process, the chances of a
breach increase.
This is where technologies such as
equipment tamper-proofing, encryption,
key management and secure network
administration are critical to the overall
security strategy.
www.intelligentcio.com