ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

Similar documents
ngenius Products in a GDPR Compliant Environment

Data Protection Policy

Google Cloud & the General Data Protection Regulation (GDPR)

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Protecting your data. EY s approach to data privacy and information security

Overview of Akamai s Personal Data Processing Activities and Role

Arkadin Data protection & privacy white paper. Version May 2018

Checklist: Credit Union Information Security and Privacy Policies

Embedding GDPR into the SDLC

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Policy for Trend Micro Products and Services for the European Union, the European Economic Area (EEA) and the United Kingdom

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Privacy Policy of

Arbor White Paper Keeping the Lights On

SDL Privacy Policy Cloud Services

Vanderbilt Video Surveillance. EU General Data Protection Regulation A Compliance Guide

Magento GDPR Frequently Asked Questions

Workday s Robust Privacy Program

Data Processing Agreement

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

GDPR compliance. GDPR preparedness with OpenText InfoArchive. White paper

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

Data Management and Security in the GDPR Era

PRIVACY POLICY OF THE WEB SITE

WEBSITE PRIVACY POLICY

Personal Data Protection Policy

Eco Web Hosting Security and Data Processing Agreement

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Subscriber Data Correlation

GDPR Update and ENISA guidelines

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Emsi Privacy Shield Policy

Website Privacy Notice

Element Finance Solutions Ltd Data Protection Policy

SECURITY & PRIVACY DOCUMENTATION

PRIVACY POLICY. 1. Introduction

CD STRENGTH LLC. A MASSACHUSETTS, USA BASED COMPANY

Baseline Information Security and Privacy Requirements for Suppliers

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

PS Mailing Services Ltd Data Protection Policy May 2018

Privacy and Cookies Policy

DATA PROTECTION POLICY THE HOLST GROUP

the processing of personal data relating to him or her.

Creative Funding Solutions Limited Data Protection Policy

Our agenda. The basics

Data Processing Clauses

Privacy Policy Effective May 25 th 2018

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

WHITEPAPER. Security overview. podio.com

EU General Data Protection Regulation (GDPR) Achieving compliance

Privacy Policy. MIPS Website Privacy Policy. Document Information. Contact Details. Version 1.0 Version date March 2018.

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Our Privacy Statement

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

DATA PROCESSING TERMS

Cybersecurity Considerations for GDPR

Learning Management System - Privacy Policy

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

Legal basis of processing. Place MODE AND PLACE OF PROCESSING THE DATA

WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

CliniSys Website Privacy Policy

Data Privacy in Your Own Backyard

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Wonde may collect personal information directly from You when You:

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

MiContact Center Business Important Product Information for Customer GDPR Compliance Initiatives

QuickBooks Online Security White Paper July 2017

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Privacy Policy of the products of Ilves Solutions Ltd and Ilves Valmisohjelmistot Ltd / Ilveshaku

Saba Hosted Customer Privacy Policy

Website privacy policy

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

EU General Data Protection Regulation A Compliance Guide

HPE DATA PRIVACY AND SECURITY

Information Security Controls Policy

Data Processing Agreement

Deloitte Audit and Assurance Tools

Data Processing Agreement

GDPR Compliant. Privacy Policy. Updated 24/05/2018

The Common Controls Framework BY ADOBE

ZIMBRA & THE IMPACT OF GDPR

EU DATA PROTECTION COMPLIANCE WHEN SECURING SAAS APPLICATIONS

Smile IT Ltd Privacy Policy. Hello, we re Smile IT Ltd. We offer computer and network support to businesses and home computer users.

Understand & Prepare for EU GDPR Requirements

Personal Data collected for the following purposes and using the following services:

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

OUR SECURITY POLICY & GDPR

Information Security Policy

Privacy policy SIdP website EU 2016/679

Version 1/2018. GDPR Processor Security Controls

Transcription:

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT Guidelines and Frequently Asked Questions

About NETSCOUT NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) assures digital business services against disruptions in availability, performance, and security. Our market and technology leadership stems from combining our patented smart data technology with smart analytics. We provide real-time, pervasive visibility, and insights customers need to accelerate, and secure their digital transformation. Our approach transforms the way organizations plan, deliver, integrate, test, and deploy services and applications. Our ngenius service assurance solutions provide real-time, contextual analysis of service, network, and application performance. Arbor security solutions protect against DDoS attacks that threaten availability, and advanced threats that infiltrate networks to steal critical business assets. To learn more about improving service, network, and application performance in physical or virtual data centers, or in the cloud, and how NETSCOUT s performance and security solutions, powered by service intelligence can help you move forward with confidence, visit www.netscout.com or follow @NETSCOUT and @ArborNetworks on Twitter, Facebook, or LinkedIn. 2018 ARBOR CONFIDENTIAL & PROPRIETARY 2

Guidelines and Frequently Asked Questions This document addresses questions from organizations that utilize Arbor DDoS products and are evaluating their own GDPR compliancy obligations. What is the GDPR? The General Data Protection Regulation (GDPR) is a new comprehensive data protection law in the European Economic Area (EEA) that goes into effect on 25 May, 2018 and updates existing laws to strengthen the protection of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EEA member state. What does the GDPR regulate? The GDPR regulates the processing, which includes the collection, storage, transfer or use, of personal data about EEA individuals. Any organization that processes personal data of EEA individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EEA. Importantly, under the GDPR, the concept of personal data is very broad and covers any information relating to an identified or identifiable individual (also called a data subject ). Under the regulation: Personal data is defined as any information relating to an identified or identifiable natural person (the data subject ). A controller is defined as the natural or legal person which determines the purposes and means of the processing of personal data. A processor is defined as the natural or legal person which processes personal data on behalf of the controller. The regulation requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The regulation grants data subjects some specific rights, amongst which: right of access (that is, for example, to receive a copy of the personal data undergoing process); right to rectification of inaccurate personal data; right to erasure of personal data; right to data portability; right to object to processing of personal data. Is the use of Arbor DDoS products permitted? Yes. Under the GDPR, only lawful processing of data is permitted. Article 6 of the GDPR identifies the conditions under which processing is deemed lawful, which includes processing [that] is necessary for the purposes of the legitimate interests pursued by the controller. Recital 49 of the GDPR explicitly refers to processing of data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security as a legitimate interest pursued by a controller. Arbor DDoS products are designed for the purpose of network and information security, DDoS mitigation, and traffic statistics. With Arbor SP, customers gain the ability to visualize and explore large amounts of network traffic statistics with varying levels of granularity depending on the age of data or on the system s configuration; with Arbor TMS and Arbor APS, customers can mitigate DDoS attacks and other network threats by instructing the device to apply specific countermeasures to the traffic in transit, and can visualize samples of the traffic itself in order to build more accurate protection policies. The data collected and processed by Arbor DDoS products enables the customer, the controller, to visually see the network traffic and mitigate DDoS attacks to protect and secure their network. 3

Is the data collected by Arbor DDoS products permitted under GDPR? Yes. Arbor SP collects flow telemetry records, which include source and destination address, number of bytes and packets and timestamps of IP traffic flows, as well as other information related to network infrastructure. Arbor TMS and Arbor APS can collect full IP packets for the purpose of analysis of DDoS attacks. While online identifiers such as IP addresses are referenced in the GDPR as an example of personal data that is subject to the regulation, the GDPR also sets forth the principles that some personal data is more sensitive than others and that certain types of processing is more risky to the rights and freedoms of individuals than others. While flow telemetry records and IP packets fall under the scope of personal data due to how broadly the term is defined under the regulation, if the Arbor DDoS products are used for the purpose of network and information security, the level of risk presented by the processing is low. Controllers and processors using Arbor DDoS products can also take advantage of the security features made available by the Arbor DDoS products to further minimize risk associated with processing of this type of data. Do Arbor DDoS products support GDPR compliancy? Yes. Controllers and Processors have the responsibility to implement proportionate security measures to ensure a level of security appropriate to the risk for data privacy, which, in the case of the data processed by Arbor DDoS products, is very low. Arbor DDoS products include security features that, if used, provide a level of security appropriate to the risk associated with the data being processed and support privacy by design and default principles: All Arbor DDoS products provide a built-in firewall to restrict access to authorized IP addresses only (limits accessibility of data). All Arbor DDoS products provide authentication of users by means of a local database or by means of external TACACS/RADIUS systems, thus enabling, for example, two-factor authentication mechanisms. Local password security policies can be enforced as well. All Arbor DDoS products provide granular authorization mechanisms enabling system administrators to restrict access to specific product features (such as access to the command line, or access to raw flow telemetry records or to IP packets) to authorized users only. All Arbor DDoS products provide accounting of user actions, either locally or by means of external TACACS/RADIUS systems. In order to further reduce risk, Arbor DDoS products provide other built-in capabilities: If the feature is enabled for a user, Arbor TMS and APS limit the amount of IP packets that can be captured per interactive capture. Arbor SP provides a way to configure and limit the amount of raw flow telemetry records that are stored and their maximum age before automatic deletion. 4

Is there such a thing as GDPR compliant products? No. The GDPR imposes obligations on the controllers and processors of data, it does not impose express obligations on products in and of themselves. Data controllers and processors comply with the provisions of the GDPR by implementing technical and organizational measure to ensure security appropriate to the level of risk associated with the type of data and type of processing they are undertaking. Arbor DDoS products include features that a data processor or data controller can implement as part of its comprehensive security plan. Can I share traffic data with Arbor s ATLAS program under GDPR provisions? Yes. Arbor Networks does not have any way to associate the IP addresses shared with the ATLAS platform to the identity of a natural person. In order to further reduce the risk of misuse, IP addresses shared with ATLAS are anonymized to hide the source of the data. The anonymized data sharing with ATLAS is disabled by default. Must Arbor DDoS products include pseudonymisation features? No. GDPR does not mandate specific security features, but rather recommends that appropriate security measures are implemented taking into account the state of the art, the costs of implementation, and the risk of varying likelihood and severity for the rights and freedoms of natural persons. While data encryption or anonymization/pseudonymisation is a useful security measure, role-based access controls also constitute an appropriate security measure given the purpose of the product. Can Arbor DDoS products help me comply with my obligations as a controller or processor? Yes. Arbor DDoS products can help controllers and processors establish appropriate measures for the secure processing of data and incorporate data protection by design and default, such as Role Based Access Control 1 and implementation of the principle of least privilege 2. All control plane communications between Arbor appliances are encrypted, as well as administrative connections, permitted only over the secure protocols SSH and HTTPS. All Arbor DDoS products provide a built-in firewall to restrict access to authorized IP addresses only. How to configure in Arbor DDoS products: ip access commands. All Arbor DDoS products provide authentication of users by means of a local database or by means of external TACACS/ RADIUS systems, thus enabling, for example, two-factor authentication mechanisms. Local password security policies can be enforced as well. How to configure in Arbor DDoS products: service aaa local radius tacacs commands. Arbor SP enables advanced password requirements for locally authenticated users, in order to enforce policies for stronger passwords. How to configure in Arbor SP: service aaa password and service aaa local advanced harden _ passwords commands. How to configure in Arbor APS: service aaa max _ login _ failures and password _ length commands. All Arbor DDoS products provide granular authorization mechanisms enabling system administrators to restrict access to specific product features (such as access to the command line, or access to raw flow telemetry records or to IP packets) to authorized users only. How to configure in Arbor DDoS products: service aaa groups commands (in Arbor SP s GUI, also Administration > Accounts/Accounting > Capability Groups and > Account Groups) 1 csrc.nist.gov/projects/role-based-access-control/faqs 2 www.us-cert.gov/bsi/articles/knowledge/principles/least-privilege 5

All Arbor DDoS products provide accounting of user actions, either locally or by means of external TACACS/RADIUS systems. How to configure in Arbor DDoS products: service aaa local radius tacacs accounting commands (also Administration > Accounts/Accounting > TACACS+/RADIUS Accounting in Arbor SP graphical user interface). If the feature is enabled for a user, Arbor TMS and APS limit the amount of IP packets that can be captured per interactive capture. Arbor SP provides a way to configure and limit the amount of raw flow telemetry records that are stored and their maximum age before automatic deletion. How to configure in Arbor SP: service sp device edit <device _ name> raw _ flows commands. Arbor APS provides a way to limit the age of data stored in the system. How to configure in Arbor APS s GUI: Administration > General > Data Retention. Arbor data sharing services are disabled by default, and provide examples of the type of data shared if enabled. To view the current status of data sharing services, access Administration > ATLAS Intelligence Feed in Arbor APS s GUI, and Administration > ATLAS > ATLAS Visibility in Arbor SP s GUI. With regard to the data processed by Arbor DDoS products, must I maintain, acquire or process additional information to be compliant with data subject rights provisions? No. Article 11 of the GDPR states that if the purpose of the data processing does not require the identification of a data subject, then the controller isn t obligated to maintain, acquire or process additional information just to be compliant with the data subject rights provisions. Article 11 also states that if the controller is not in a position to identify the data subject, the data subject rights sections (which includes the rights to be forgotten, right of access, right of portability, right of rectification) does not apply. Recital (57) also gives guidance by saying that, If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. The primary use of Arbor DDoS products is for the monitoring and filtering of traffic not the monitoring of individuals. In addition, the information that may be included in a packet capture file and then stored in the Arbor DDoS products are not captured and stored in a manner that enables the user of the product to identify the information of a given data subject that may be contained inside the packet. Please refer to Arbor DDoS product s documentation and to your account team for additional details on these features. 6

Can I still provide Arbor employees with remote access to my Arbor DDoS product for remote fault diagnosis? Yes. Customers may provide Arbor employees with remote access to their deployed Arbor DDoS products for the purpose of fault diagnosis and technical maintenance services. Providing such access amounts to the utilization of Arbor as a processor or subprocessor. Arbor is committed to compliance with GDPR and has implemented technical and organizational measures to ensure security appropriate to the level of risk associated with its processing activities. What are the measures that Arbor has taken to be compliant with GDPR? The protection of personal data through reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure. The performance of robust security measures on its infrastructure (both on premise and in the cloud) such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews. Infrastructure (both on premise and in the cloud) that is hardened against DDoS attacks and monitored 24x7x365. Encryption of all traffic communications on its cloud, in addition to anonymizing, pseudonymizing, or obfuscating data where technically possible. An internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing of personal data. As a company having offices in the United States, Arbor is also aware of the need to have an export mechanism in place with customers who may provide it with data originating from the EEA. The GDPR recognizes the European Commission s Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to Processors established in third countries, under the Directive 95/46/EC ("Model Clauses") as an acceptable means for organizations to legalize transfers of personal data outside the EEA. To enter into data protection terms that include the Model Clauses with Arbor, visit: Arbor Data Privacy Addendum. 2018 NETSCOUT Arbor, Inc. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the Connected World, Adaptive Service Intelligence, Arbor Networks, the Arbor Networks logo, ATLAS, InfiniStream, InfiniStreamNG, ngenius, and ngeniusone are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or its subsidiaries and/or affiliates in the USA and/or other countries. Third-party trademarks mentioned are the property of their respective owners. FAQ/GDPR/EN/0218-LETTER Corporate Headquarters 76 Blanchard Road Burlington, MA 01803 USA Toll Free USA +1 866 212 7267 T +1 781 362 4300 www.arbornetworks.com North America Sales Toll Free +1 855 773 9200 Europe T +44 207 127 8147 Asia Pacific T +65 6664 3140 Latin & Central America T +52 55 4624 4842 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback