Getting ready for May 25th

How Wallarm helps with GDPR

On May 25, 2018 the General Data Protection Regulation (GDPR) becomes enforceable. Both European and international companies are reviewing their existing data processing practices to ensure they are in compliance with the new standard, as the proposed penalties for non-compliance are steep and can reach as high as €20M or 4% of the company’s worldwide revenue.

Image (CC 2.0) https://www.flickr.com/photos/138935140@N06/25019704768

The main driver behind the regulation is to give EU residents control over when, how and by whom their personal data are accessed. Businesses should have a legitimate business or public reason for needing the data, and the person whose data it is should give consent.

Any organization that either has operations in Europe or processes data of European residents is subject to GDPR. One of the biggest innovations in the new regulation is Privacy by Design and by Default (Article 25). This requirement speaks to engineering practices at the data processor, who now needs to proactively implement defences in order to prevent unauthorized data access and minimize exposure.

How Wallarm Helps with GDPR

Wallarm provides a number of features that will help enterprises and SaaS providers achieve GDPR compliance for their web applications and mobile applications using HTTPS-based APIs. Specifically, Wallarm helps meet requirements of articles 24, 28, 30, 32, 34 and 35.

  1. Article 32 — Protection from unauthorized access
    Wallarm protects vulnerable applications from access by malicious actors. Wallarm protects against the OWASP Top Ten vulnerabilities as well as many zero-day attacks, thus reducing the number of possible data breaches and unauthorized accesses.
  2. Article 24, 32 — Protection from credential stuffing
    Credential stuffing is an attack in which bad actors attempt to use illegally obtained authentication information in a different context. In many cases (as high as 90%), attackers tend to run credential stuffing attacks against APIs for mobile clients, which inhibits common prevention methods such as CAPTCHA. Wallarm protects from such unauthorized access.
  3. Article 28, 32 — Access controls
    Within the Wallarm application itself, every enterprise or SaaS customer is provisioned with a set of access controls for their employees and administrators, limiting the scope and operations to only those necessary.
  4. Article 30 — Monitoring and Logging
    Wallarm integrates with corporate SIEM and issue-tracking infrastructure for monitoring and logging. The Wallarm Node is managed by DevOps tools such as Chef, Puppet, Ansible, and Salt. For monitoring and failover, Wallarm uses standard protocols such as SNMP, syslog, VRRP, and CARP.
  5. Article 33 — Faster breach detection
    GDPR requires that once a breach is detected, notifications be immediately made to both the individual whose personal data might have been compromised and to the Supervisory Authority. Wallarm helps identify incidents across all the customers’ applications in a timely manner as well as pinpoint the exact API where the problem has occurred, making it easier to identify the affected information.
  6. Article 34, 35 — Improved risk assessment
    Wallarm's active threat verification capability, where Wallarm replays potential attacks to detect whether they can result in a significant exploit, allows customers to properly understand the risks of personal information exposure.
  7. Article 32 — Data protections built into the design phase
    Wallarm's AST capability moves information protection earlier in the development cycle by creating automated security tests and enabling increased security testing coverage. This is in line with the Privacy by Design doctrine.
