Configuring Imperva SecureSphere for GDPR Compliance: Part One

Time is running out. 23 days until GDPR enforcement

The GDPR effective date is less than a month away and, given the significant risk and potential costs associated with a failure to comply, organizational readiness efforts continue to mount. GDPR non-compliance penalties can be severe (up to 79 times higher than existing guidelines), and GDPR applies to any organization of any size that collects or processes personal data originating in the EU. The new rules and fines go into effect on May 25, 2018.
Imperva data protection solutions can help organizations address key GDPR data security requirements, as highlighted in our GDPR: New Data Protection Rules in the EU whitepaper; and our recent blog highlighting key actions to take to help finalize your GDPR compliance program. Of note is the reference to understanding where your data is, and effectively discovering and classifying this information within the context of the GDPR requirements. To that end, this blog — the first in a three-part series — will focus on how Imperva can support compliance with this initial step, and with greater ease as a result of our enhanced solution functionality.

Understand where your data is and what data is sensitive

Understanding where your data is and classifying it is the critical first step in GDPR compliance and is specifically referenced in Article 35: Data Protection and Impact Assessment. In essence, this article aims at assessing the purpose, scope, and risk associated with processing personal data. A key process involved in achieving compliance here involves deriving an inventory of personal data across the organization; and understanding access rights to data, and the risk associated with that access. This really is the first step in effective data security and GDPR compliance.
Imperva SecureSphere finds both known and unknown databases by automatically scanning enterprise networks. Many existing SecureSphere customers have already initiated this key process by leveraging built-in discovery policies, and/or easily creating custom data discovery policies to scan any part of their network. SecureSphere also enables automated, scheduled scans, as they are critical to ensuring continuous discovery to include new data in security and protection efforts.

Four Steps to Article 35 Compliance Readiness with Imperva SecureSphere

The good news for organizations still struggling to complete this initial step is that Imperva’s SecureSphere solution now offers even greater support aimed at discovery and classification in relation to GDPR Article 35. The recent release of SecureSphere v12.4 has made the activation of this process easier, thereby reducing resource time, costs, and complexity in providing a solid step towards the process of overall GDPR compliance with additional out-of-the-box functionality and configuration capabilities.
Let’s now dig into the process of configuring Imperva SecureSphere and supporting compliance achievement with Article 35 (and the overall data security articles within GDPR). As outlined in the v12.4 configuration guide[1], you need to perform the following actions with SecureSphere:

  1. Verify that your SecureSphere Application Delivery Controller (ADC) content is up to date:

Some of the actions required and outlined in the guide are based on profiles, data types and audits that are bundled with the ADC content. Which means it’s imperative to have this step completed. Here’s how to do this within SecureSphere

  1. In the Admin workspace, click ADC.
  2. Under Manual ADC Update, click Download.
  3. Save the MPRV file that will be downloaded.
  4. Browse to the downloaded file using the Browse
  5. Click Upload. SecureSphere will be updated with the downloaded content.
  1. Discover your databases: 

SecureSphere enables you to discover all the databases in your estate and add them to your site tree so that you can then apply scans and policies and other SecureSphere functionality to them, in order to protect the data they hold. Here’s how you go about doing that:

  1. In the Main workspace, select Discovery & Classification > Scans Management.
  2. Under the Scope Selection drop-down list on the top left, select Scans.
  3. Click on the New From the drop-down list, select Service Discovery. The Create Scan dialog box opens.
  4. Give the scan a Name, select a Site, and click Create.
  5. Under the Services tab, you can select which services you want the scan to look for. If you choose ‘allow me to manually review discovered services before updating’, remember to update the site tree manually.
  6. Under IP Configuration, enter the IP groups in which the databases might be located.
  7. Under Service Types, check the database service types you want to discover.
  8. Under the Scheduling tab, select a regular schedule for running this scan for database discovery.
  9. Click Save.
  1. Configure your database connections:

 Once you have discovered the database servers and added them to the site tree, you must configure the database connections in order for security and audit policies to work. Here’s how to complete this task:

  1. In the Main workspace, select Setup > Sites.
  2. Select the newly added server group.
  3. Under the Servers tab, verify that the new server has been added.
  4. In the site tree, select the database service.
  5. Under the Definitions tab, expand Direct Access Information.
  6. Under Database Connections, click the New button. A new row appears.
  7. Enter the data needed to create a new database connection: Alias, IP, User Name, Password, Verify Password, SID, and Port.
  8. Repeat steps 6 and 7 above for each new database connection you wish to add to this service.
  9. Click save 
  1. Classify the locations of personal and sensitive data:

You’re now ready to scan your databases in order to obtain a report of which tables in which databases contain personal data, which is where the new GDPR functionality within SecureSphere comes into play to make this step even easier. SecureSphere v12.4 has an out-of-the-box profile for GDPR, called the Data Classification Profile for GDPR. This profile includes the out-of-the-box data types that are pertinent to personal data. If you added new data types, make sure to include them in the GDPR Profile. Let’s look at this new functionality in a little more detail, and how you can now easily configure and classify data in support of GDPR. To do so, just configure and run a scan using the new functionality as summarized below:
 A. To configure the GDPR classification scan profile:

  1. In the Main workspace, select Discovery & Classification > Scans Management.
  2. Under the Scope Selection drop-down, select Scan Profiles
  3. Select Data Classification Profile for GDPR.
  4. In the Data Types tab:
  5. You can enable or disable any data type by selecting or de-selecting the appropriate checkbox.
  6. You can select any data type, and then enable or disable any of its rules by selecting or de-selecting the appropriate checkbox.
  7. In the Settings tab, you can configure data classification options for the profile.
  8. Click Save

You can now easily run the GDPR classification scan in order to find the locations of the personal data in your environment. The steps to do so are quite consistent with traditional scans within SecureSphere, and outlined in Part B below:
B. To configure and run a classification scan:

  1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management window appears.
  2. In the Scans pane, select the scan you want to run, or create a new scan using the New button. If you create a new scan, from the drop-down list, select DB Data Classification scan and base the new scan on the Data Classification for GDPR profile. The scan’s options are displayed in the Details pane
  3. Under the Settings tab, click the Scan Profile drop-down list and verify that the scan is based on the Data Classification for GDPR profile.
  4. Click the Apply to tab. Select the databases you wish to scan.
  5. Click the Scheduling tab. Select your scheduling choices. You should schedule regular scans since tables may be added frequently.
  6. Click Save.

So, you’ve classified your data. Now what?

Once databases are identified and classification has been completed, you’re in a much better position to understand what personal data lives in which databases and who has access. SecureSphere offers a robust set of options to review the results within the UI, or via data export to assist with the review process. The output of this process now helps determine which systems are in scope for GDPR, allowing you to accelerate compliance with several articles within GDPR, including Article 35, which was the focus here. Further, with the help of Imperva data security solutions, support for the other can also be achieved. We’ll get into those use cases and solutions in the next blog in this series.
Contact us to learn more about Imperva’s GDPR compliance capabilities and explore our data security solutions in detail.

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.