Security Meets Regulation – DNS and the GDPR

The newly announced GDPR (General Data Protection Regulation) is a European Union regulation which will further strengthen the protection of data within all the EU member states, replacing the Directive 95/46/EC of 1995. The regulation, in contrast to a directive, needs no authorizing legislation to be passed by governments. More importantly, it is not just limited to the European Union- all non-EU organizations which share EU citizens’ personal data are also covered by the new law. That includes almost every organization with customers, suppliers or employees in the EU.

Under the new law, adopted by the EU Council and Parliament on April 14th, 2016, European organizations will be required to apply new measures including data protection impact assessments, high security standards or implementation of proper privacy policies. Many will be obliged to appoint a Data Protection Officer under specific, and both ‘Data Processors’ and ‘Data Controllers’ will be required to keep record of all data processing activities in their companies.

Engineers involved in almost all technology projects within European Union will have to act according to a Privacy by Design approach. It entails ensuring data privacy is maintained at the highest standards. Now, data protection settings will need to be inserted into all business processes at a high level, and by default. Data security will play an even more critical role and must be included from the bottom-up. That includes the DNS layer in particular.

Network architectures will need to deter DNS hijacking and the use of DNS for exfiltration. The main challenges here are related not to the hacktivists and malware seeking to vandalize the systems, but to sophisticated attackers who know which specific sets of data they aim to exfiltrate.

GDPR imposes a general data breach notification rule, and organizations across all industries will have to follow specific steps when such an occurrence takes place. Data Controllers have just 72 hours as a maximum elapsed timeframe to inform appointed authorities about what has happened and how much data has been accessed. In worst case scenarios, organizations will also be required to inform the public of the data breach, with clearly negative effects on their reputation.

No one can afford to ignore the GDPR. It will come into force on May 25, 2018, meaning organizations (maybe yours!) now have less than two years to comply- a relatively short time for all the preparatory steps to follow. Tough sanctions and significant fines for data loss are expected, up to €20 million, or 4% of annual worldwide turnover.

Now is the time to start building a GDPR-compliant infrastructure, secured by design. Providing sufficient security at the DNS level can save companies huge amounts of money and help avoid unnecessary GDPR proceedings. But cost avoidance should not be the only driver for action. Customers, partners and employees’ confidence in a company’s brand is crucial to protect short and long term business.

DNS traffic has to be carefully monitored and analyzed to detect data exfiltration attempts, hidden in the network traffic. DNS filtration systems, working like web filtration, can check the reputation of links against a real-time blacklist, and automatically verify whether a DNS request originated from a trusted site or one which could instigate a costly data breach.

DNS security is a core tenet of Privacy by Design. Organizations wanting to be prepared for the upcoming GDPR should ask themselves if they have a compliant plan to protect their networks, data, customers… and reputation.