Recently, a customer asked us about the EU’s General Data Protection Regulation (GDPR) in the context of his netTerrain documentation. Is netTerrain compliant, and can netTerrain help European Union (EU) organizations get/stay compliant?
GDPR and Compliance
GDPR is a new regulation that, among other things, expects organizations to meet certain standards for network security, and IT documentation is paramount to ensuring those standards are met. Though GDPR is now over a year old and has certainly been adopted by many large organizations across Europe (side note: Europe is home to almost 50% of our customers), many organizations in Europe have yet to get properly prepared for a GDPR audit.
How does netTerrain help? When it comes to network documentation and netTerrain, there are actually two key aspects to consider for GDPR. The first involves the tool itself and the data it houses, to ensure privacy-related mandates are met; the other has to do with how netTerrain can help you with your broader GDPR compliance within the organization.
As you may already know, netTerrain provides a way to document your IT network graphically (which is very well suited for many compliance mandates). Many of our customers use netTerrain for PCI compliance, NERC and other government or state mandates.
So…what about our friends in Europe and GDPR?
How does netTerrain help organizations stay GDPR compliant?
Let’s start with the first aspect, which is netTerrain as a tool for staying GDPR compliant. According to the GDPR text, it is of utmost importance to ensure that European citizens give explicit consent to store their personal data. In a software package, there should also be a way to delete any personal data, should the individual in question request it.
When it comes to netTerrain itself being GDPR compliant, many of our customers in Europe have netTerrain installed on premise, so most of the responsibility for safeguarding personal data and ensuring data protection falls on the customers, who must follow proper processes for personal-data storage consent and deletion requests. netTerrain itself is well suited for this right out of the box: the catalog definitions and business rules provide the means to make sure users understand if and when personal data is stored, as well as for how long it is retained. All personal data can be deleted upon request, including the netTerrain logs.
How can organizations improve GDPR compliance using netTerrain network documentation?
As I mentioned above, netTerrain can also help with the GDPR compliance mandates for your organization as a whole (my claim is supported by the number of our customers who use netTerrain for this exact purpose and for other compliance mandates).
a) Create a complete picture of the network
With netTerrain, you get to discover the network, which is probably job #1 in getting a handle on GDPR. netTerrain differs from other solutions, however, in that it is uniquely able to assist with compliance mandates such as GDPR: not only can you discover the network, you can also get a complete picture of it.
When it comes to discovering the network, most network discovery tools do just that: they discover the network but do not give you the means to enhance that documentation with important elements of the network that are non-discoverable (read more about what network documentation is not here).
Traditional network documentation tools, on the other hand, may offer the visualization features so you can add anything to the network diagrams, but aren’t automated enough. And therein lies one of the problems with GDPR compliance: you need a picture of your IT infrastructure and a comprehensive inventory of your network, but the traditional network documentation tools are immediately out-of-date due to their manual nature and the network discovery tools are too narrow in their scope. Making sure this process is as automated as possible and ensuring the completeness of the IT diagrams is key.
b) Visualize potential issues in the network
Even if you do manage to maintain an up-to-date picture of the network, you should also be able to visualize potential vulnerabilities. This goes beyond just alarming (a feature available in netTerrain’s network discovery): vulnerability scanning alone may not be sufficient, as those tools won’t necessarily give you a visual picture of where the offending devices are and what else is affected.
netTerrain’s RESTful API and ready-made connectors can help out here: by connecting to your vulnerability scanning software, netTerrain can automatically map and visualize scanned objects and raise alerts using netTerrain’s visual overrides and automated messaging.
c) Document your security processes in netTerrain
That’s right: the same tool that you can use to automatically map the network and visualize problems can also be used to document the processes themselves! In fact, we eat our own dog food, and this is exactly what we do internally: at Graphical Networks we document our physical and virtual environment automatically with SNMP and ready-made connectors to vCenter, Azure and AWS, visualize and color-code elements to identify potential non-compliance, and then document those very processes in the tool itself! One tool, one visual umbrella, one go-to software for the rescue.
In sum: netTerrain itself is GDPR compliant due to its flexible, customizable, business-rules-driven architecture, and it can also help ensure your organizational GDPR compliance by mapping the network, visualizing your IT infrastructure and problem areas, and documenting the processes themselves.