Data Protection Compliance Checklist for Service Providers

Various data protection laws exist worldwide. The most notable include the EU General Data Protection Regulation (GDPR) and the U.S. California Consumer Protection Act (CCPA). These have become key compliance issues for service providers with a business presence in these locations, even if they do not have a physical presence there, and have created a major shift in how organizations collect, process, and protect customers’ personal data.

Regulations such as the GDPR and CCPA layout frameworks and standards organizations must meet regarding technical and organizational measures that ensure and maintain a certain level of security appropriate to the risk to personal data. Organizations must take into account the likelihood and severity of the risk to the rights and freedoms of natural persons, the costs of implementation, and the current state of the art. The following checklist details how service providers can use NETSCOUT Arbor solutions to help protect networks and applications against attacks targeting personal data and ensure service availability for customers.

GDPR Section 2, Article 32

Dealing with the security and processing of personal data, GDPR Section 2, Article 32 is considered the “heart of GDPR,” laying out the requirements for protecting personal data. Article 32 calls for three main facets:

1. “The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.” (Article 32: 1(b))
2. “The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” (Article 32: 1(c))
3. “A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” (Article 32: 1(d))

Arbor DDoS solutions aid in many areas of data protection and availability. Within Article 32, there are eight key vulnerabilities with which Arbor can assist:

1. A lack of real-time information necessary to detect potential outages from distributed denial-of-service (DDoS) attacks, network misconfiguration, Border Gateway Protocol (BGP) hijacks, or network hotspots
   • Arbor DDoS protection solutions provide pervasive network visibility and the ability to automatically detect network anomalies and DDoS attacks in as little as one second.
2. The inability to perform root cause analysis to quickly diagnose and resolve issues
   • Arbor enables the protection of your networks’ integrity by quickly diagnosing and preventing misconfigurations, flash crowds, or malicious threats.
3. Too much reliance exclusively on stateful devices, such as firewalls, load balancers, and internet service providers  (ISPs), which are vulnerable to state exhaustion DDoS attacks
   • Arbor solutions include carrier-class threat management capabilities that automatically help identify and stop volumetric, Transmission Control Protocol (TCP) state exhaustion and application-layer DDoS attacks on your infrastructure or your customers’ networks.
4. The inability to protect peering/transit points or data center internet connections from saturation due to volumetric DDoS attacks
   • Arbor features a wide range of mitigation platforms and capacities, from 2U appliances (500Mbps–160Gbps) to 6U chassis (10–100Gbps) and virtual appliances.
5. Inability to detect stealthy “low and slow” application-layer and multivector DDoS attacks that crash servers
   • Arbor Cloud provides multiple Tbps of aggregate, centrally managed mitigation capacity per deployment for extra mitigation expertise and capacity.
6. Limitations on helping customers mitigate the effects of DDoS attacks due to time lost identifying illegitimate traffic and coordinating with customers
   • Arbor Cloud signaling intelligently and automatically connects local DDoS protection with Arbor Cloud for volumetric mitigation.
7. Delays in updating DDoS threat intelligence and DDoS policies
   • APIs, customizable user portals, and multitenancy service enablement features allow for the delivery of managed DDoS protection services.
8. A lack of global threat context to help prioritize security resources to respond to date breaches
   • Arbor offers in-box Secure Sockets Layer (SSL) decryption capabilities to identify threats hidden in encrypted traffic. It also offers the option for ATLAS Intelligence Feed (AIF), which is continuously updated with the latest global threat intelligence from Arbor’s Security Engineering and Response Team (ASERT) to provide unmatched DDoS protection.

GDPR Section 2, Article 33

Section 2, Article 33 of the GDPR deals with the notification of a personal data breach to the supervisory authority. This entails alerting regulatory bodies of a breach in a timely manner. Two main requirements of this article include:

1. “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. . .” (Article 33: 1)
2. The degree of compliance can affect the level of financial penalties. The supervisory authority takes “. . .into account technical and organisational measures implemented by them pursuant to Articles 25 and 32” (Article 83: 2(d)) and “the manner in which the infringement became known to the supervisory authority, in particular, whether, and if so to what extent, the controller or processor notified the infringement.” (Article 82: 2(h)).

This boils down to five key functionalities within Arbor solutions that help to shore up five major vulnerabilities:

1. Overreliance on perimeter protection in critical data centers to detect and block data breaches from complex or stealthy advanced threats
   • Arbor solutions provide streamlined security workflows to detect and investigate networkwide threat activity faster than traditional solutions.
2. The inability to detect a data breach in real time due to limitations on analyzing massive amounts of log data and getting sidetracked by “false positives”
   • Improve real-time visualizations of indicators of compromise (IoCs) and trends in new indicators in network activity with Arbor solutions.
3. No visibility into the full extent of a data breach
   • Arbor solutions help identify cyberthreats for all impacted hosts, and network connections help to provide visibility into the extent of a data breach.
4. Difficulty correlating past activity with a current breach
   • Leverage Arbor workflows for investigation of past breach activity.
     A lack of global threat context to help prioritize security resources to respond to breaches
     AIF-powered detection based on internet threat visibility and high-fidelity attack campaign indicators are applied to your internal network activity to recognize and mitigate known attack signatures.

GDPR Section 1, Article 25

Section 1 of the GDPR covers general obligations, and Article 25 specifically outlines data protection by design and by default. This article aims to enforce security planning from the ground up, which includes the preplanning of security systems and procedures. Service providers are required to “. . .implement appropriate technical and organisational measures. . .which are designed to implement data-protection principles. . .in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Article 25:1).

For Section 1, Article 25, there are four main vulnerabilities Arbor solutions are designed to protect against by default:

1. Reliance on using manual and event-specific security processes against DDoS and other attacks
   • With Arbor, service providers can get surgical, automated attack mitigation that only removes attack traffic, without interrupting the flow of nonattack business traffic.
2. Insufficient real-time, global network visibility and fragmented traffic engineering tools
   • Analyzing NetFlow, Simple Network Management Protocol (SNMP), and BGP routes with Arbor allows you to better plan and engineer network integrity and availability.
3. Lack of global threat context to help prioritize security resources for responding to breaches
   • Arbor provides automation of policies and processes, such that, by default, data protection against DDoS and advanced cyberthreats is built in, including automatic detection and mitigation of attacks, key incident response and security operations workflows, and integrated on-premises and cloud DDoS protection.
4. Inadequate network traffic data to optimize configuration for protecting network availability
   • Arbor combats network designs that are slow to scale or reconfigure so you can offer new DDoS protection services to your customers.

The final two capabilities are powered by embedded, continuously updated ATLAS global threat intelligence to provide the context needed for a proactive security posture against DDoS and other attacks.

Arbor DDoS for Compliance in Data Protection

The importance of data protection cannot be understated. Arbor DDoS protection solutions can help to ensure compliance with regulations that protect consumers. Service provider networks are complex and prime targets, making it imperative to have scalable protection that can handle their size and structure. Arbor has been the trusted service-provider DDoS protection solution for decades.

Learn more about NETSCOUT’s Arbor DDoS protection for service providers.