Five IAM practices that will help you succeed with GDPR

Overview

Recently the European Union (EU) passed a regulation called the General Data Protection Regulation (GDPR). The regulation aims to provide citizens of the EU with clear and understandable information about the processing, storage, use and, above all, the protection of their personal data.

One major element of EU GDPR, and perhaps the most challenging for IT organizations, is the requirement to notify both individuals and the relevant data authority "without undue delay, where feasible within 72 hours if data is unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorized persons, where there is a risk to individuals' rights."

Other terms commonly used to refer to these EU privacy requirements are the EU Data Protection Directive and the EU Data Protection Regulation.

GDPR requires both data protection by design and data protection by default. This means that data protection safeguards should be built into products and services from the earliest stage of development and that privacy-as-a-priority should be the norm, not the exception.

These principles prove particularly challenging for organizations that must adhere to GDPR but may not be ready yet. These organizations may not be in a financial or technological position to upgrade systems and therefore must get by with systems not designed or implemented with GDPR in mind.

GDPR applies to any organization – even those outside of the EU – that "processes, stores, or uses" personal information of citizens of the EU. These rigorous regulations with global impact will go into effect in early 2018. To comply with these significant requirements, organizations must:

  • Assign a data protection officer (DPO) whose responsibilities include reporting breaches, addressing audit requirements and acting as a liaison with data authorities.
  • Report breaches to supervising authorities and affected customers in a timely manner – 72 hours.
  • Show "continuous compliance" through periodic audits, as well as on-demand audits at the discretion of the supervising authority (most likely as a result of concerned customers requesting an audit).

Fines for non-compliance can reach a maximum of four percent of global revenue.

In a recent One Identity-sponsored survey conducted by Dimensional Research of 821 GDPR-beholden organizations across the EU, UK, North America, and Asia-Pacific, only four percent felt they were "very knowledgeable" about GDPR (the number was about half that outside of the EU), less than one in three felt they were currently prepared for GDPR, and half were skeptical that they would be prepared by the 2018 date.

Are you ready? Survey says, not really.

  • Who: Any organization that stores personal data of European Union citizens (250 employees or more)
  • What: Must report data breaches, prove compliance in the case of an audit, pay fines of up to 4% of annual global revenue if found in violation
  • When: Effective in early 2018
  • Where: Applicable worldwide (as long as the organization stores personal data on EU citizens)

Most organizations feel unprepared for GDPR

  • Only 4 percent of organizations in the European Union feel they are "very knowledgeable" about GDPR.
    • Less than 2 percent outside of the EU feel "very knowledgeable."
  • Less than one in three organizations feel they are prepared for GDPR.
    • Less than one in four outside of the EU.
  • 97 percent of organizations don't have a plan to address GDPR.
  • Half of organizations are not confident that they will be ready when GDPR kicks off in early 2018.

However, organizations that feel well prepared with access governance also feel most confident in their ability to satisfy GDPR.

A data protection primer – what you can do today.

While GDPR is focused solely on the protection of data, and only has effect in the event of a breach (reporting, fines, etc.), preventing breaches is by far the best way to ensure compliance. There are several common technologies and practices that can fortify your data-protection practices for GDPR compliance.

  • Encryption – If data is encrypted in storage, in transit, and on endpoints — even in the event of unauthorized access — personal information is not at risk and therefore not in jeopardy of violating GDPR stipulations.
  • Network and email security – Major attack vectors for unauthorized access of personal data include phishing, APTs, and other external attacks on the network. Therefore, closing these holes will significantly reduce the risk of non-compliance.
  • Access control – Data is meant to be accessed, but that access must be only by the right people, under the right circumstances, and with all the right permissions. Access control is fundamental to any effective data protection strategy.
  • Governance – In addition to access control is the important concept of governance to close the loop on GDPR compliance. Governance places a layer of business-centric visibility and control over access to data and resources. Not only does the right user have the right access, but additional gatekeepers have attested that that user has the right level of access and have granted that user his or her permissions. Best of all, governance, by its very nature, is easily and thoroughly auditable.

This eBook will focus on identity and access management (IAM), specifically access control and governance, and show you how to get ready for GDPR.

IAM's role in GDPR

Identity and access management (IAM) encompasses the practices and technologies to grant people appropriate access to systems, data, and applications. There are four fundamental principles that make up IAM:

  1. Authentication – This is what a user does to identify themselves to a system that they are attempting to access. This includes a growing number of methods and devices, such as a password, a smartcard, biometric means, or other identifying factors.
  2. Authorization – Once a user is identified, what level of access – or permissions – do they have? Which resources should they have access to, and what can they do with those resources? Authorization is often based on group membership in a directory, an assigned role, or even contextual factors, such as time-of-day, location or the relative risk of the request. This concept is particularly relevant with regard to privileged users that may have an elevated level of access that, if compromised, could result in a major breach that then leads to egregious violations and the largest fines.
  3. Administration – These critical activities (traditionally performed by IT) manage user authentication and authorization. The more complex an organization, the more likely that the IAM administrative load will require automation. There is a potential blind spot here. Because IT is forced to make assumptions about authorization, and is not aware of subtle yet very significant differences in the roles of users at the same management level, it is likely to segment access very crudely. This may leave access-control vulnerabilities, for example "give John the same rights as Bill" without a true understanding of the history or specific requirements of either user. When the in-line business managers are responsible for determining and attesting to access levels, mistakes are less likely to happen and GDPR compliance is more likely.
  4. Audit – GDPR requires organizations to periodically – as well as on-demand – prove that authentication, authorization and administration are happening in a way that does not place personal data at risk, or was not the culprit in the event of a breach.

When IAM is done right, the chances for GDPR success are greatly enhanced. When an organization knows exactly who all users are, what those users are supposed to be able to do and not do, has the confidence that each user has precisely the correct permissions to do their job (nothing more, nothing less), and can easily prove that those factors are in place and under control, a breach is much less likely, and if a breach does occur, the impact is severely limited.

Five IAM practices that will help you succeed with GDPR

Simple IAM-related improvements can smooth the path to GDPR compliance.

In the GDPR survey mentioned earlier, respondents that felt the most prepared for GDPR expressed a higher level of confidence and preparedness with five basic IAM technologies and practices than their less-prepared peers. Most organizations are already doing some version of all or some of these things. However, simple improvement in each of these five areas can smooth the path to GDPR compliance. Most importantly, these improvements can prevent the types of breaches with which GDPR is concerned.

Access Control

The basics of authentication and authorization are so ingrained in our daily lives that they may be ignored. However, just count the number of passwords a user has, the number of hoops he or she must jump through to get to required resources, and the amount of IT involvement required to make it all happen. That gives you an idea of how much room for error exists in access control.

Fundamental practices, such as unifying authentication (sometimes called single sign-on) to reduce passwords (and password misuse), streamlining administration through business-driven workflows and self-service, and diligent attention to user, group, and directory hygiene, close many of the most commonly exploited vulnerabilities.

Multifactor Authentication

Much of the "low hanging fruit" for data breaches is the ability of bad actors to impersonate legitimate users through password-based logons. Multifactor authentication closes that hole by requiring a second "factor" for login and access. While the password is something that a user "knows", and therefore a bad actor can guess, steal, or figure out, multifactor authentication augments that with something the user "has". It is much more difficult (nearly impossible) to fake both the "know" and the "have" factors. It is a good idea to, at a minimum, implement multifactor authentication in an adaptive manner for access to GDPR-covered data and for nontraditional access requests, such as from an unknown location, at a non-standard time, or via an unrecognized device.
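The adaptive step-up policy described here, and the contextual authorization factors (time-of-day, location, request risk) listed under "Authorization" above, as an added example that is not part of this eBook or of any One Identity product; the working hours, known locations, devices and users are constructed assumptions:

```python
# Added example (not the eBook's or One Identity's code); policy values are assumed.
from dataclasses import dataclass, field
from datetime import datetime

STANDARD_HOURS = range(7, 20)  # 07:00-19:59 counts as a standard time (assumed)

@dataclass
class UserProfile:
    known_locations: set = field(default_factory=set)
    recognized_devices: set = field(default_factory=set)
    privileged: bool = False  # administrator or other elevated-access holder

@dataclass
class AccessRequest:
    user: str
    resource: str
    gdpr_covered: bool  # does the resource hold EU personal data?
    location: str       # coarse location label reported by the access path
    device_id: str      # identifier the endpoint presents at logon
    when: datetime      # local time of the request

def step_up_decision(req: AccessRequest, profile: UserProfile) -> tuple:
    """Return (require_second_factor, reasons) for an access request."""
    # Any firing signal forces a second factor: GDPR-covered data, a privileged
    # user, or a nontraditional request (unknown location, non-standard time,
    # unrecognized device). The reasons are what the audit trail should record.
    reasons = []
    if req.gdpr_covered:
        reasons.append("resource holds GDPR-covered personal data")
    if profile.privileged:
        reasons.append("user holds privileged access")
    if req.location not in profile.known_locations:
        reasons.append(f"unknown location {req.location!r}")
    if req.when.hour not in STANDARD_HOURS:
        reasons.append(f"non-standard time {req.when:%H:%M}")
    if req.device_id not in profile.recognized_devices:
        reasons.append(f"unrecognized device {req.device_id!r}")
    return bool(reasons), reasons

# Constructed samples: a routine office logon, then an off-hours request for
# personal data from an unknown network and an unrecognized device.
ALICE = UserProfile({"office-dublin"}, {"laptop-01"})
ROUTINE = AccessRequest("alice", "wiki", False, "office-dublin", "laptop-01",
                        datetime(2018, 1, 15, 10, 0))
RISKY = AccessRequest("alice", "crm", True, "hotel-wifi", "tablet-9",
                      datetime(2018, 1, 15, 23, 30))

if __name__ == "__main__":
    for r in (ROUTINE, RISKY):
        print(r.resource, step_up_decision(r, ALICE))
```

The routine request passes on the password alone, while the off-hours request for personal data collects four reasons and is stepped up to a second factor; recording those reasons with the decision gives the audit evidence the governance section asks for.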

Secure Remote Access

In our increasingly mobile and connected world, granting access only when someone is in the office and under your control is no longer an option. However, with these expanding boundaries comes additional risk of hijacked or unauthorized access to the type of data that will result in a GDPR finding. Technologies exist that can place the same levels of control (or more control, if you like) that exist for on-premises employees on those accessing remotely. Combine this secure access with adaptive, risk-based controls and the dangers of remote users lessen significantly.

Governance

GDPR demands periodic audit of the technologies and practices in place to protect covered data. But it also has provisions for on-demand audits of those very same controls in the event a customer (or someone else) feels their personal information is at risk. Traditionally, audits are time-consuming, tedious efforts that leave a lot to chance. However, if identity administration practices are tightly coupled with governance capabilities, line-of-business personnel can quickly, easily, and thoroughly attest to the access rights of those they are responsible for. Proving that those rights are in place and have been vetted by the line-of-business is a major step towards passing an audit.

Privileged Account Management

Finally, control and audit of administrator access and privileged credentials is crucial to GDPR compliance. These extremely powerful accounts are the crown jewels bad actors crave, and preventing them from falling into the wrong hands removes the danger of significant data breaches. Key privileged account management principles that help with GDPR compliance include password vaulting to prevent the sharing (and oversharing) of administrative credentials; session audit to assign individual accountability to administrator activity and provide a log of activities for forensic purposes should the need arise; and delegation of credentials so that individual administrators only have the level of permissions necessary to do the job.

Conclusion

GDPR applies to the vast majority of organizations, and the regulation can result in significant consequences if one is found in violation. Most organizations already have the foundational aspects of data protection in place. However, it is wise to take a fresh look at IAM technologies and practices to ensure that they meet GDPR requirements.

To recap, the five fundamental IAM technologies that can help are:

  1. Access control
  2. Multifactor authentication
  3. Secure remote access
  4. Governance
  5. Privileged account management

So, are you ready? To get prepared, see how the One Identity family of IAM solutions can help any organization prepare for GDPR compliance and enhanced user-data security.

One Identity includes the industry's most complete and mature collection of privileged account management solutions. The One Identity family of identity and access management (IAM) solutions offers IAM for the real world, including business-centric, modular and integrated, and future-ready solutions for identity governance, access management and privileged management.