Recently the European Union (EU) passed a regulation called the General Data Protection Regulation (GDPR). The regulation aims to provide citizens of the EU with clear and understandable information about the processing, storage, use — and, above all — the protection of their personal data.
One major factor of EU GDPR, and perhaps the most challenging for IT organizations, is the requirement to notify both individuals and the relevant data authority "without undue delay, where feasible within 72 hours if data is unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorized persons, where there is a risk to individuals' rights."
Other terms that are commonly used to refer to these EU privacy requirements are the EU Data Protection Directive or the EU Data Protection Regulation.
GDPR requires both data protection by design and data protection by default. This means that data protection safeguards should be built into products and services from the earliest stage of development and that privacy-as-a-priority should be the norm, not the exception.
These principles prove particularly challenging for organizations that must adhere to GDPR but may not be ready yet. These organizations may not be in a financial or technological position to upgrade systems and therefore must get by with systems not designed or implemented with GDPR in mind.
GDPR applies to any organization – even those outside of the EU – that "processes, stores, or uses" personal information of citizens of the EU. These rigorous regulations with global impact will go into effect in early 2018. To comply with these significant requirements, organizations must:
Fines for non-compliance can reach a maximum of four percent of global revenue.
In a recent One Identity-sponsored survey conducted by Dimensional Research of 821 GDPR-beholden organizations across the EU, UK, North America, and Asia-Pacific, only four percent felt they were "very knowledgeable" about GDPR (the number was about half that outside of the EU), less than one in three felt they were currently prepared for GDPR, and half were skeptical that they would be prepared by the 2018 date.
Are you ready? Survey says, not really.
Most organizations feel unprepared for GDPR
However, organizations that feel well prepared with access governance also feel most confident in their ability to satisfy GDPR.
While GDPR is focused solely on the protection of data, and only has effect in the event of a breach (reporting, fines, etc.), preventing breaches is by far the best way to ensure compliance. There are several common technologies and practices that can fortify your data-protection practices for GDPR compliance.
This eBook will focus on identity and access management (IAM), specifically access control and governance, and show you how to get ready for GDPR.
Identity and access management (IAM) encompasses the practices and technologies to grant people appropriate access to systems, data, and applications. There are four fundamental principles that make up IAM:
When IAM is done right, the chances for GDPR success are greatly enhanced. When an organization knows exactly who all users are, what those users are supposed to be able to do and not do, has the confidence that each user has precisely the correct permissions to do their job (nothing more, nothing less), and can easily prove that those factors are in place and under control, a breach is much less likely, and if a breach does occur, the impact is severely limited.
Simple IAM-related improvements can smooth the path to GDPR compliance.
In the GDPR survey mentioned earlier, respondents that felt the most prepared for GDPR expressed a higher level of confidence and preparedness with five basic IAM technologies and practices than their less-prepared peers. Most organizations are already doing some version of all or some of these things. However, simple improvement in each of these five areas can smooth the path to GDPR compliance. Most importantly, these improvements can prevent the types of breaches with which GDPR is concerned.
The basics of authentication and authorization are so ingrained in our daily lives that they may be ignored. However, just count the number of passwords a user has, the number of hoops he or she must jump through to get to required resources, and the amount of IT involvement required to make it all happen. That gives you an idea of how much room for error exists in access control.
Fundamental practices, such as unifying authentication (sometimes called single sign-on) to reduce passwords (and password misuse), streamlining administration through business-driven workflows and self-service, and diligent attention to user, group, and directory hygiene, close many of the most commonly exploited vulnerabilities.
Much of the "low hanging fruit" for data breaches is the ability of bad actors to impersonate legitimate users through password-based logons. Multifactor authentication closes that hole by requiring a second "factor" for login and access. While the password is something that a user "knows", and therefore a bad actor can guess, steal, or figure out, multifactor authentication augments that with something the user "has". It is much more difficult (nearly impossible) to fake both the "know" and the "have" factors. It is a good idea to, at a minimum, implement multifactor authentication in an adaptive manner for access to GDPR-covered data and for nontraditional access requests, such as those from an unknown location, at a non-standard time, or via an unrecognized device.
In our increasingly mobile and connected world, granting access only when someone is in the office and under your control is no longer an option. However, with these expanding boundaries comes additional risk of hijacked or unauthorized access to the type of data that will result in a GDPR finding. Fortunately, technologies exist that can place the same levels of control (or more control, if you like) over those accessing remotely that exist for on-premises employees. Combine this secure access with adaptive, risk-based controls and the dangers of remote access lessen significantly.
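The adaptive policy the two paragraphs above describe, written out as a small risk-scoring decision function. This is an added example, not One Identity product code or anything from the original eBook; the resource names, the user profile, the signal weights and the alert threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: which resources hold GDPR-covered personal data is an assumption.
GDPR_COVERED_RESOURCES = {"customer-db", "hr-records"}


@dataclass
class UserProfile:
    usual_countries: frozenset   # countries this user normally signs in from
    known_devices: frozenset     # device identifiers already enrolled for the user
    work_hours: tuple = (7, 19)  # normal local working window, [start, end)


@dataclass
class AccessRequest:
    user: str
    resource: str
    country: str
    device_id: str
    hour: int  # local hour of the request, 0-23


def score_request(req: AccessRequest, profile: UserProfile):
    """Score the signals the text names: location, device, time, covered data.
    Assumed weights: location and device anomalies count double, since they are
    the strongest hints that a stolen password is being replayed by someone else."""
    score, reasons = 0, []
    if req.country not in profile.usual_countries:
        score += 2
        reasons.append("unknown location")
    if req.device_id not in profile.known_devices:
        score += 2
        reasons.append("unrecognized device")
    start, end = profile.work_hours
    if not start <= req.hour < end:
        score += 1
        reasons.append("non-standard time")
    if req.resource in GDPR_COVERED_RESOURCES:
        score += 1
        reasons.append("GDPR-covered data")
    return score, reasons


def decide(req: AccessRequest, profile: UserProfile):
    """Password alone suffices only when no signal fires; covered data or any
    anomaly requires a second factor; stacked anomalies (assumed threshold 4)
    also raise an alert so the access can be reviewed and logged for audit."""
    score, reasons = score_request(req, profile)
    if score == 0:
        return "allow", reasons
    if score < 4:
        return "require_mfa", reasons
    return "require_mfa_and_alert", reasons


# Constructed profile for the worked cases below.
ALICE = UserProfile(frozenset({"DE"}), frozenset({"laptop-0042"}))
```

Running `decide` over a routine office request, a request for covered data from the usual device, and a night-time request from a new device abroad yields the three escalating actions.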
GDPR demands periodic audit of the technologies and practices in place to protect covered data. But it also has provisions for on-demand audits of those very same controls in the event a customer (or someone else) feels their personal information is at risk. Traditionally, audits are time-consuming, tedious efforts that leave a lot to chance. However, if identity administration practices are tightly coupled with governance capabilities, line-of-business personnel can quickly, easily, and thoroughly attest to the access rights of those they are responsible for. Proving that those rights are in place and have been vetted by the line of business is a major step towards passing an audit.
Finally, control and audit of administrator access and privileged credentials is crucial to GDPR compliance. These extremely powerful accounts are the crown jewels bad actors crave, and preventing them from falling into the wrong hands removes the danger of significant data breaches. Key privileged account management principles that help with GDPR compliance include password vaulting to prevent the sharing (and oversharing) of administrative credentials; session audit to assign individual accountability to administrator activity and provide a log of activities for forensic purposes should the need arise; and delegation of credentials so that individual administrators only have the level of permissions necessary to do the job.
GDPR applies to the vast majority of organizations, and the regulation can result in significant consequences if one is found in violation. Most organizations already have the foundational aspects of data protection in place. However, it is wise to take a fresh look at IAM technologies and practices to ensure that they meet GDPR requirements:
To recap, the five fundamental IAM technologies that can help are:
So, are you ready? To get prepared, see how the One Identity family of IAM solutions can help any organization prepare for GDPR compliance and enhanced user-data security.
One Identity includes the industry's most complete and mature collection of privileged account management solutions. The One Identity family of identity and access management (IAM) solutions offers IAM for the real world, including business-centric, modular and integrated, and future-ready solutions for identity governance, access management and privileged management.