When GDPR is discussed, the conversation is usually about which data is stored and for how long. The importance of protecting your applications from attacks does not always get the same attention. Akamai's webinar illustrated this well; below are my notes on its content. Contact us if you want to talk more about Akamai and/or GDPR (General Data Protection Regulation).

Akamai was founded in 1998.

Security is: Scale, Intelligence and People

Handles roughly 30% of the traffic on the Internet, which gives unique data and insights.
People: World class security personnel

General Data Protection Regulation
Applies to the processing of personal data of EU citizens, both inside and outside EU.

GDPR's risk-based approach
– Better protection of data subjects
– Establishing accountability

Data subject rights
The right to:
– Access
– Rectification (correct data)
– Deletion
– Forgotten

The principle of accountability aims to make an entity processing personal data responsible for it: what the purpose is and where it is stored.

Impact assessment
Assessment of the impact of the processing on the rights and freedoms of the data subject.

What is the risk, considering
– type of personal data
– the respective processing activity, and
– the measures in place to protect them

Appropriate measures to protect the personal data
Only limited guidance is given in the GDPR as to what is adequate. Encryption, pseudonymization (segregate data so it cannot be identified), anonymization.
Examples can be found in the ISO 27001 standard or in the Annex to section 9 of the German data protection act.

Data breaches: how real are they? (Erik van Veen, CISSP)
Build a bridge between business and IT. Need to talk same language.

Risk = Likelihood * impact
The average network security breach goes undetected for 5-8 months.
201 days, less than 19% of data breaches are self-detected.
80% of IoT and 71% of mobile applications are not tested for security vulnerabilities.
Cost: $6 trillion annually by 2021.

50% of the cost is brand reputation.

Summary
Evolution and volume of complex targeted threats continue to increase.

Existing security point solutions and applications are often reactive.

Average number of 32 DDoS attacks per client in Q2 2017.

51% SQL injection
33% LFI
9% XSS
Sweden is number 6 on the top-ten list (count: 7,192,277).
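The attack-type breakdown above is the kind of figure you get by classifying requests in web access logs. As an added example (not Akamai's or the author's code), here is a minimal Python categoriser that URL-decodes each request target, matches it against coarse SQL injection, LFI and XSS indicators, and reports the share per category. The log lines and the indicator patterns are constructed for illustration; a production WAF rule set is far larger and is tuned against false positives.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed web access log lines (not real traffic). The request target in
# the quoted request line is the field a WAF or log-based detector inspects.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2017:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.11 - - [01/Jul/2017:10:00:02 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
203.0.113.12 - - [01/Jul/2017:10:00:03 +0000] "GET /download?file=..%2F..%2Fconfig.ini HTTP/1.1" 404 120
203.0.113.13 - - [01/Jul/2017:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 300
203.0.113.14 - - [01/Jul/2017:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Extracts the request target from a Common Log Format request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/\d\.\d"')

# Deliberately coarse indicator patterns, applied to the URL-decoded target.
# The goal is categorisation for reporting, not a blocking rule set.
SIGNATURES = {
    "SQLi": re.compile(r"('|\")\s*(or|and)\s+('|\")?\w+('|\")?\s*=", re.IGNORECASE),
    "LFI": re.compile(r"(\.\./|\.\.\\)"),
    "XSS": re.compile(r"<\s*script", re.IGNORECASE),
}


def classify_request(target):
    """Return the first matching category label for a request target, or None."""
    decoded = unquote(target)  # decode %xx so encoded payloads are inspected
    for label, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return label
    return None


def attack_breakdown(log_text):
    """Count flagged requests per category and return {label: (count, share)}."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-request line
        label = classify_request(match.group(1))
        if label:
            counts[label] += 1
    total = sum(counts.values())
    if total == 0:
        return {}
    return {label: (n, n / total) for label, n in counts.items()}


if __name__ == "__main__":
    for label, (n, share) in attack_breakdown(SAMPLE_LOG).items():
        print(f"{label}: {n} ({share:.0%})")
```

Running it on the constructed sample flags one request in each category and leaves the two benign requests alone; on real traffic the same function gives the percentage split that the webinar quotes.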

Top source of attacks: 33.8% from the U.S.

Secure password
133 million encrypted credentials published from Adobe.
8% in total had too simple a password, probably used for other sites as well:
123456 5%
123456789 1.1%
password 0.9%
adobe123 0.5%
qwerty 0.5%
12345678 0.5%
qwerty 0.5%
1234567 0.3%
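The Adobe numbers above come from counting how often each password occurs in a leaked set. As an added example (not Akamai's or the author's code), the Python below runs that analysis over a constructed sample of 1,000 passwords, computes the share that fall in a blocklist of trivially guessable values, and shows the registration-time policy check that keeps such passwords out in the first place. The sample data and the blocklist are constructed for illustration; a real deployment would load a much larger blocklist.

```python
from collections import Counter

# Constructed sample of 1,000 plaintext passwords (NOT real breach data); the
# counts are shaped to mimic the distribution quoted in the webinar.
SAMPLE_PASSWORDS = (
    ["123456"] * 50 + ["123456789"] * 11 + ["password"] * 9 + ["adobe123"] * 5
    + ["qwerty"] * 5 + ["12345678"] * 5 + ["1234567"] * 3
    + [f"unique-pw-{i}" for i in range(912)]
)

# Blocklist of trivially guessable passwords; constructed for this example.
WEAK_PASSWORDS = {
    "123456", "123456789", "password", "adobe123", "qwerty", "12345678", "1234567",
}


def top_passwords(passwords, n=5):
    """Return the n most common passwords as (password, share) tuples."""
    total = len(passwords)
    return [(pw, count / total) for pw, count in Counter(passwords).most_common(n)]


def weak_share(passwords, blocklist=WEAK_PASSWORDS):
    """Fraction of passwords that appear in the blocklist."""
    hits = sum(1 for pw in passwords if pw in blocklist)
    return hits / len(passwords)


def password_allowed(candidate, blocklist=WEAK_PASSWORDS, min_length=12):
    """Policy check for a registration form: reject short or blocklisted passwords.

    The blocklist comparison is case-insensitive so that trivial variants such as
    'Password' or 'QWERTY' are rejected as well.
    """
    if len(candidate) < min_length:
        return False
    if candidate.lower() in blocklist:
        return False
    return True


if __name__ == "__main__":
    print(f"weak share: {weak_share(SAMPLE_PASSWORDS):.1%}")
    for pw, share in top_passwords(SAMPLE_PASSWORDS, 3):
        print(f"{pw}: {share:.1%}")
```

Because the blocklist is checked at registration time, the fraction that `weak_share` reports for an existing user base is also a measure of how much a policy change would have prevented.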

How can Akamai help customers
Application layer attacks are extremely dangerous, and so are credential attacks.

1. Implement ”appropriate technical and organisational measures”. Risk based and built on industry best practices to protect web applications and websites.
Example: Broadcaster sends live from sports event.
1,600+ networks, 230,000+ servers

Delivering content and security from the Edge

Akamai has a great deal of information about specific IP addresses and tracks unwanted behaviour (reputation control).
A risk-based approach is demanded by GDPR.
Akamai's risk-based Kona rule set helps customers balance their attacks.

Risk-based approach to GDPR

1. Best practices
OWASP++
Distributed/scalable
Personal data transported via APIs
Know the reputation of who is approaching your internet-facing resources to further improve effectiveness

2. Do not let your WAF rules go stale

Common with poorly configured WAF

How many people are needed to maintain a WAF? 3 FTE. It is common for a WAF to be bought but not implemented.
Akamai can automate deployments for smaller environments.

3. Use ”state-of-the-art” technology to prevent data theft by using a fully integrated DDoS and Advanced Threat Protection solution.

Mitigation of DDoS and application attacks

4. Control who has access to what.
Prevent client software installation
Keep track of third party contractors. Keep single-user administration.
Prevent inbound open ports on FW
Create audit trails

Control third party data access


Read more about Akamai Data Protection

/Fredrik Åhlén, CEO – Eastlane Consulting AB