General Data Protection Regulation (GDPR) takes effect in the European Union (EU) on May 25, 2018. Since GDPR expands the privacy rights granted to EU individuals and it places many new obligations on organizations that serve customers and individuals in the European Union, irrespective of their geographical location. Such organizations around the world will be required to put in place security policies to address different risks and effectively enforce these policies with technical controls or potentially face fines of up to 20 Million USD or 4% of Global turnover whichever higher.
Furthermore, in event of data breaches, it is imperative for the organization to follow a schedule and provide comprehensive information regarding the breach to the Data Protection Officer as mandated by GDPR. In light of the tough timelines for reporting a breach – in addition to securing the IT infrastructure, it is also important to have robust breach detection, investigation and internal reporting procedures in place.
While GDPR readiness and compliance poses a significant challenge for many organizations, many of its technical requirements align closely with the security and compliance best practices already supported by eScan’s range of products.
eScan simplifies security and compliance by enabling enterprises to create a software-defined perimeter that combines secure access to apps and data with contextual control, visibility and behavior analytics across devices and networks. Enterprises can proactively secure, detect, and mitigate risk with intelligence applied to each unique scenario.
This white paper discusses the requirements of GDPR and how eScan’s range of products address them for access, network security, application security, data security, and analytics.
What does GDPR mean to your organization
Applying to all organizations within the EU or organizations that control or process the personal data of the citizens of EU, the GDPR strengthens and harmonizes data protection laws across EU nations.
The regulation mandates a high level of responsibility and accountability for these organizations while giving the citizens greater control over their data through measures including anonymization and controls around storage, and accessibility.
Under the GDPR, citizens will have rights including the ability to access their personal data; rectify inaccuracies or omissions; request deletion or removal of data once it is no longer required; restrict the processing of their data, and object to the use of their data. The scope of the data to which the GDPR applies is broad and comprehensive, encompassing any information relating to an identified or identifiable natural person, whether the data has been provided by the individual, observed by systems such as web browsers and social media platforms, derived through straightforward processes such as transactional history, or inferred through complex processing.
How do eScan’s range of products comply with GDPR guidelines
eScan’s security solutions can facilitate GDPR readiness for any organization by providing a foundation of confidentiality, integrity, and availability of all types of on-premises and cloud IT environments. The approach to security and compliance is based on the following principles:
- eScan’s containerization feature separates applications and data on the devices so that enterprise users are able to segregate their personal and corporate data.
- Control the use of application and software across the entire Enterprise IT Landscape thus ensuring a secure IT environment.
- Control access to resources with context-aware policies based on user, device, location, application and data sensitivity.
- Unifying IT Environment for delivery of application and data-specific security achieved through enhanced capabilities for managing the infrastructure.
eScan products are built on these very principles for contextual access, network security, application security, data security and analytics to support GDPR compliance across the following areas:
- Records of Processing Activities
Maintaining complete records of the processing of personal data is one of the crucial requirements under Article 30 of the GDPR for all organizations. eScan’s wide range of products provides auditing capabilities for enterprises to track exactly how and by whom the data has been accessed. By reporting on the movement of data to and fro from endpoints across various devices, organizations can better meet GDPR guidelines.
- Access to Personal Data
The GDPR requires that organizations control and restrict access to personal data. With eScan, organizations can control access to applications, devices, and their data by way of Application/ Device white-listing. Group-based and user-based access policies are complemented with contextual controls that adapt access privileges based on the device, its location, and network.
- Data Isolation and Protection
So as to strengthen data protection and mitigate the risk of breaches as required by the GDPR, eScan provides comprehensive measures for application and data security including containerization and centralization. Centralization enhances data protection by enabling more efficient management of patches, policies, and updates. This helps organizations keep up to date with the latest protection against ransomware and other threats. eBackup assists data recovery in case of data loss. For mobile devices such as smartphones and tablets, containerization keeps business and personal data separate from any of the user’s own data that the device may contain. Modules such as TSPM helps organizations deter attacks against critical services and prevent data leakage.
- Data Encryption at Rest
Protecting customers from unintended disclosure of their data, either by insiders or third party, eScan’s Enterprise Mobility Management assist in enabling organizations to protect and encrypt.
Enterprises can prevent data from residing on the mobile devices, including bring-your-own-device (BYOD); containerization makes it possible to separate personal and business apps and their locally stored associated data. Enterprise data on mobile devices is encrypted and controlled by IT to prevent it from being leaked when a smartphone or tablet is lost or stolen.
Maintaining GDPR compliance with eScan solutions
For more than a quarter-century, eScan has been trusted by organizations across industry verticals, including the most highly regulated sectors, to protect sensitive business information without compromising workforce productivity. Various Government offices across the globe, too have entrusted eScan to protect their IT infrastructure, as eScan provides a secure platform for IT to control applications and data access across any device or network. eScan can help support GDPR guidelines through the following security technologies.
- End-Point Protection (EPP)
eScan’s EPP solution helps in monitoring and securing critical data to prevent any kind of data leak or data theft from managed endpoints in the network. It allows the administrator to whitelist or blacklist USB and other storage devices, allow or block access to devices such as webcams, CD-ROMs, Composite devices, Bluetooth devices, SD Cards or Imaging devices. Authorized access to such devices can be provided using One Time Password without violating policy deployed to the group.
Enforcing certain settings in order for a device to connect to the network at all – such as local encryption, password complexity, security software, and the removal of the local administrator account – will be an essential part of protecting the organization within the GDPR framework.
- Enterprise Mobility Management (EMM)
Enterprise data and applications can be containerized on mobile devices, including BYOD and wiped remotely to protect Enterprise data in the event that the device is lost or stolen. Any user content a device may contain is kept separate from business content and is unaffected by the remote wipe capability.
- Perimeter Security and Advanced Threat Protection
Establishing defenses to keep malicious actors out, is essential even in the age of cloud when other than the computing resources, Enterprises have to protect their user network from malicious attacks.
More serious concern under GDPR is the potential for malware to harvest credentials for user and administrator accounts. Preventing infections requires a multi-faceted technological response. Traditionally, hackers have relied on targeting the email gateways by way of sending spear phishing emails or emails laced with malicious content.
Advanced threat protection mitigates threats by analyzing every URL to ensure that it does not contain malware payload and furthermore protects against email attachments being used as an attack vector.
Blocking of hacking attempts and malware through technological means is essential for any organization wanting to become GDPR complaint and reduce the likelihood of data breaches along with other implications such as data loss amongst other likely scenarios.
Mailscan at the gateway, with its heuristic engine weeds out spam, and malicious emails. Furthermore, with the rise of Ransomware and the usage of exploits for lateral movement, PBAE along with TSPM provides an additional layer of security for the end-points and for the Internet-facing servers.
Although GDPR is a significant challenge for security solution providers operating in EU and having customers in EU region, it emphasizes the need to adopt a comprehensive data protection practice at all levels. eScan helps to meet the internal and regulatory requirements for security and data protection, without impeding productivity.