GDPR-Ready with BUFFERZONE: Preventing PII Data Loss
By BUFFERZONE Team, 16/04/2018
The EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018. “The EU General Data Protection Regulation replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”, states the regulatory site.
While the regulation does not explicitly dictate the use of tools for secure browsing, it does require an infrastructure for protecting privacy, especially preventing the loss of personally identifiable information (PII). And privacy protection begins with safe browsing. Examining the root cause of most cyber attacks reveals that they start with browsing-related activity such as phishing attacks, email attachments, and malicious sites.
The United States Computer Emergency Readiness Team (US-CERT) wrote in a recent publication: “Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website”. According to Verizon’s 2018 Data Breach Investigations Report: “Attacks are typically financially motivated and often involve phishing”. The report also mentions ransomware as the cause of 39% of malware-related data breaches, more than double that of last year.
Preventing loss of PII
Using BUFFERZONE as a containment and isolation solution can reduce the browsing and email attack surface. Because all files coming from outside the organization are held within a dedicated virtual container, attacks on the organization’s databases can be prevented, effectively protecting PII and providing a regulatory advantage.
In addition, BUFFERZONE’s Upload Blocker can prevent uploading data from the endpoint except from a specified, contained file location, which cannot have had access to internal organizational locations. As a result, users can upload to the Internet only content that came from the Internet in the first place.
Another feature of BUFFERZONE that makes it suitable as an infrastructure for GDPR is its passport feature. With passport, organizational proxy servers can ensure that only traffic originating from the container can reach the Internet, while traffic originating from the native endpoint is blocked from Internet access. This both enforces containment of risky Internet access and, if malware already present in the organization reaches the endpoint, prevents that malware from communicating with its command-and-control (C&C) server to exfiltrate stolen data. This prevents PII from leaking out of the organization.
In addition to preventing malware from entering the organization and preventing data from being leaked out of it, BUFFERZONE protects PII data from the insider threat. If an external USB device carrying malicious code is connected to a BUFFERZONE-protected laptop or desktop computer in order to steal its PII data, the malware is contained and cannot access confidential locations on the endpoint.
Containment is the key to protecting privacy
The understanding that safe browsing is a key component of protecting customer privacy in general, and specifically GDPR, permeates government organizations. The UK government, for example, connects safe browsing with GDPR: “…isolation of personal and high risk web use in the workplace, specifically addressing GDPR concerns…”, states the government digitalmarketplace site. According to the publication, web isolation is a way to meet GDPR compliance for security monitoring, malware prevention and data breach prevention.
The German government sees secure browsing as an essential tool for protecting an organization. “In addition, the Federal Ministry of Food, Agriculture and Consumer Protection has long been actively supporting projects seeking to provide consumers with information about data protection online, particularly on secure surfing and data protection in social networks”, says the government bmi.bund.de site.
The US-CERT, while not addressing secure surfing directly, does recommend being suspicious of unexpected emails: “Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or to install malicious information on your device. Be suspicious of all unexpected emails.”
There is no doubt that although GDPR does not define safe browsing as a mandatory requirement, its general requirements for protecting the private data of the organization’s customers effectively dictate it.
Using BUFFERZONE as a buffer between the organization’s PII storage infrastructure and the Internet can reduce the risk of damage to the data, and helps meet GDPR requirements.
Want to hear more? Come and visit us at RSA Conference on April 16-20, 2018 in San Francisco. We will be in the North Expo, booth #4902.