25 January 2018 - Series: Tools for the GDPR

How to test the resilience of IT systems


Resilience is a new requirement of the General Data Protection Regulation (GDPR) for security in data processing. However, how can resilience be tested? Tools may help.

GDPR: How can the resilience of IT systems be checked? Which tools help with testing the resilience of systems? (image: solarseven / iStock / Thinkstock)

What does resilience mean?

Looking at Article 32 of the General Data Protection Regulation, "Security of processing", one finds familiar points such as encryption alongside some new ones, such as the resilience of the systems and services that the controller has to ensure.

At first glance, "resilience of systems and services" does not sound much like data protection. However, this item addresses a specific aspect, the availability of personal data, which the GDPR emphasizes expressly.

Resilience in this context means the ability of the IT to keep operating in the event of errors and malfunctions, including under high capacity utilization.

Examples of situations in which the resilience of an IT system is put to the test are DoS or DDoS attacks (denial of service or distributed denial of service attacks).

During these events, attackers launch so many requests to a web server that it is overloaded and ceases to operate if the attack is successful. The website published by this web server will go offline in this case.

Overloading a web server makes it difficult or even impossible to access the data managed by the server. Inadequate resilience of the IT therefore impacts the availability of data.

Starting point: Record of processing activities

How can the resilience limit of an IT system be tested?

Only a documented test of the required resilience can demonstrate that an operator addresses the security of processing in the sense of the GDPR.

On the one hand, a resilience test must not actually shut down productive IT systems. On the other hand, the test methods depend on the type of IT system, i.e. on which systems and services process personal data.

A good starting point for testing is the record of processing activities.

Resilience testing tools

It is useful to apply suitable tools for the test.

This is explained here using the example of testing cloud services, because the cloud, as a form of remote IT use, poses a special challenge. Being able to test data security is important for selecting (and for being permitted to select!) a cloud provider.

Some cloud providers have their own tools for testing performance under load. These tools are useful if you are certain that they permit independent tests.

If you prefer to use external services or tools, consult the cloud provider first; otherwise the provider may interpret the resilience test as an external attack. Providers such as Alibaba and Microsoft describe the key features of a resilience test.

The test should be performed by the internal IT department, the customer’s IT service provider, or a third-party inspection service provider.

Services and tools for performing a resilience test for cloud services and applications include, among others:

Please note: We continue to monitor the market and will expand this entry when we find interesting and suitable solutions.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection