Access Governance under GDPR

Mike Campbell, Senior Consultant, SecureITsource, Inc.

The General Data Protection Regulation, or GDPR, is an information security regulation coming into effect on May 25th, 2018 for all companies dealing with customers in the EU. It requires companies to put in place reasonable safeguards for securing the personally identifiable information of these customers. Adopted by the EU in 2016, this regulation requires companies who store or process identity information to provide the owner of each identity with transparency into all the information collected about them as well as gives them the ability to limit or erase it. The GDPR also impacts the export of identity data from the EU to elsewhere.

The EU is generally more privacy oriented than the US when it comes to the privacy of its citizens information. As more businesses rely on data to thrive and data breaches continue to hit companies of all sizes, more people are starting to blame the company instead of the hacker when sensitive data is compromised. The GDPR is trying to prevent these types of attacks by ensuring the information is hard or impossible to breach and decode.

The regulation requires most companies to restrict access to sensitive information such as a person’s name, address, and phone number, their web data such as IP address and cookies, their health data, their biometric data, photographs of the person and more. Companies who do not comply risk penalties of up to €20,000,000 or 4% of their annual revenue. While companies should provide the highest levels of privacy protection, there is room for interpretation when deciding what a reasonable level of protection is.

While American companies could block EU users from accessing their systems and stop doing business with them and be compliant, companies are instead investing millions into GDPR compliance strategies to continue business as usual and not risk being fined. There are methods for ensuring that data stored and transmitted through a company’s network is compliant with GDPR. These include data flow mapping, anonymization, pseudonymization, encryption, and access management.

The first step a company should make in becoming GDPR compliant is appointing a Data Privacy Owner. This person is responsible for defining how personal data is stored and processed throughout the company and any third-party vendors. Third-parties who manage part or all of the sensitive information processing must be compliant in order for the company to achieve compliancy.

The next step is to create a Data Flow Map that defines how systems interact with one another and includes the status of sensitive information, encryption levels, storage locations, data owners and users, and when data is created, altered and deleted. The map should show lines from country to country noting where sensitive data is being transferred, especially when in to or out of the EU. This will most likely require interviewing employees involved in the storage and transfer processes. Network diagrams and application documentation can be useful in uncovering where data is coming from and going to.

A Data Flow Map can provide guidance to where security controls should be implemented in the organization, it can help perform risk assessments, and it becomes easier to inform the right people after a compromise has occurred. This step is vital and will determine the success of the project. The second step towards becoming compliant is to implement anonymization, pseudonymization, and encryption controls.

Anonymization happens when identifiable information is encrypted or removed from a piece of data and it is no longer linked to the identity. Pseudonymization occurs when anonymized data can be linked to another piece of anonymized data using an attribute that is common among the pieces but stored separately. GDPR prefers pseudonymization over anonymization but it should be decided on a case-by-case basis which to choose. Pseudonymization is preferred as it allows businesses to continue to use data as part of the business process without displaying specific identity information if the business was to be compromised. Encryption and hashing are methods for disguising sensitive information from anyone who may be able to access it without the key. All three methods should be incorporated to protect sensitive data.

The next step is to improve the means of accessing sensitive data by employees and outsiders. Identity and access management (IAM) and privileged access management (PAM) programs are key in ensuring that sensitive information is not compromised. These tools manage access to servers and directories where sensitive data is kept and can provide tools to help in ensuring compliance. For example, as of version 5.5, ForgeRock’s IAM solution provides customers with a Profile and Privacy dashboard that enables them to manage their collected data, and covers the following rights EU citizens have gained from the GDRP: the “right to be informed, the right of access, the right of rectification, the right of erasure or the right to be forgotten, the right to restrict processing, the right of data portability, and the right to object.”

Your PAM solution should be able to integrate with customer-relationship management (CRM) software and organize data based on geography. It needs to secure access to all systems containing sensitive data by eliminating hard-coded passwords, granting access to systems without revealing credentials, and recording access to sensitive systems. CyberArk stands out as a leader in architecting secure password management across many geographies using multiple password vaults.

The GDRP regulation should not be seen as a burden on companies, but instead as a way of using identity to form better and more trusting relationships with partners. Creating a roadmap for your long-term IAM strategy can help move it into the center of the business, where threats are discovered, and decisions are made.