
The European Union’s bold move to protect private data requires IAM to succeed – are you ready?

Five IAM practices that will help you succeed with GDPR


Overview

Recently the European Union (EU) passed a regulation called the General Data Protection Regulation (GDPR). The regulation aims to provide citizens of the EU with clear and understandable information about the processing, storage, use — and, above all — the protection of their personal data.

One major factor of EU GDPR, and perhaps the most challenging for IT organizations, is the requirement to notify both individuals and the relevant data authority “without undue delay, where feasible within 72 hours if data is unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorized persons, where there is a risk to individuals’ rights.”

Other terms that are commonly used to refer to these EU privacy requirements are the EU Data Protection Directive and the EU Data Protection Regulation.

GDPR requires both data protection by design and data protection by default. This means that data protection safeguards should be built into products and services from the earliest stage of development and that privacy-as-a-priority should be the norm, not the exception.

These principles prove particularly challenging for organizations that must adhere to GDPR but may not be ready yet. These organizations may not be in a financial or technological position to upgrade systems and therefore must get by with systems not designed or implemented with GDPR in mind.

GDPR applies to any organization – even those outside of the EU – that “processes, stores, or uses” personal information of citizens of the EU. These rigorous regulations with global impact will go into effect in early 2018. To comply with these significant requirements, organizations must:

• Assign a data protection officer (DPO) whose responsibilities include reporting breaches, addressing audit requirements and acting as a liaison with data authorities.

• Report breaches to supervising authorities and affected customers in a timely manner – within 72 hours.

• Show “continuous compliance” through periodic audits, as well as on-demand audits at the discretion of the supervising authority (most likely as a result of concerned customers requesting an audit).

Fines for non-compliance can reach a maximum of four percent of global revenue.

Are you ready? Survey says, not really.

In a recent One Identity-sponsored survey conducted by Dimensional Research of 821 GDPR-beholden organizations across the EU, UK, North America, and Asia-Pacific, only four percent felt they were “very knowledgeable” about GDPR (the number was about half that outside of the EU), less than one in three felt they were currently prepared for GDPR, and half were skeptical that they would be prepared by the 2018 date.

[Chart: “… are you ready?” – survey responses by IAM practice: Access management, Privileged account management, Secure mobile access, Multifactor authentication, Access governance (attestation/recertification); the values extracted in that order are 40%, 36%, 34%, 31%, 21% (horizontal axis 0% to 100%).]

[Chart: No change 11%, Significant change 23%, Minor change 66%.]

A data protection primer – what you can do today.

While GDPR is focused solely on the protection of data, and only has effect in the event of a breach (reporting, fines, etc.), preventing breaches is by far the best way to ensure compliance. There are several common technologies and practices that can fortify your data-protection practices for GDPR compliance.

• Encryption – If data is encrypted in storage, in transit, and on endpoints — even in the event of unauthorized access — personal information is not at risk and therefore not in jeopardy of violating GDPR stipulations.

• Network and email security – Major attack vectors for unauthorized access of personal data include phishing, APTs, and other external attacks on the network. Therefore, closing these holes will significantly reduce the risk of non-compliance.

• Access control – Data is meant to be accessed, but that access must be only by the right people, under the right circumstances, and with all the right permissions. Access control is fundamental to any effective data protection strategy.

• Governance – In addition to access control is the important concept of governance to close the loop on GDPR compliance. Governance places a layer of business-centric visibility and control over access to data and resources. Not only does the right user have the right access, but additional gatekeepers have attested that the user has the right level of access and have granted that user his or her permissions. Best of all, governance, by its very nature, is easily and thoroughly auditable.

This eBook will focus on identity and access management (IAM), specifically access control and governance, and show you how to get ready for GDPR.

IAM’s role in GDPR

Identity and access management (IAM) encompasses the practices and technologies to grant people appropriate access to systems, data, and applications. There are four fundamental principles that make up IAM:

1. Authentication – This is what a user does to identify themselves to a system that they are attempting to access. This includes a growing number of methods and devices, such as a password, a smartcard, biometric means, or other identifying factors.

2. Authorization – Once a user is identified, what level of access – or permissions – do they have? Which resources should they have access to, and what can they do with that resource? Authorization is often based on group membership in a directory, an assigned role or even contextual factors, such as time of day, location or the relative risk of the request. This concept is particularly relevant with regard to privileged users that may have an elevated level of access that, if compromised, could result in a major breach that then leads to egregious violations and the largest fines.

3. Administration – These critical activities (traditionally performed by IT) manage user authentication and authorization. The more complex an organization, the more likely that the IAM administrative load will require automation. There is a potential blind spot here. Because IT is forced to make assumptions on authorization, as they are not aware of subtle, yet very significant, differences in roles between users of the same management level, they are likely to have very crude segmentation. This may leave vulnerabilities in access control, for example “give John the same rights as Bill” without a true understanding of the history or specific requirements for either user. When the in-line business managers are responsible for determining and attesting to access levels, mistakes are less likely to happen and GDPR compliance is more likely.

4. Audit – GDPR requires organizations to periodically – as well as on demand – prove that authentication, authorization and administration are happening in a way that does not place personal data at risk or was not the culprit in the event of a breach.

When IAM is done right, the chances for GDPR success are greatly enhanced. When an organization knows exactly who all users are, what those users are supposed to be able to do and not do, has the confidence that each user has precisely the correct permissions to do their job (nothing more, nothing less), and can easily prove that those factors are in place and under control, a breach is much less likely, and if a breach does occur, the impact is severely limited.

Five IAM practices that will help you succeed with GDPR

In the GDPR survey mentioned earlier, respondents that felt the most prepared for GDPR expressed a higher level of confidence and preparedness with five basic IAM technologies and practices than their less-prepared peers. Most organizations are already doing some version of all or some of these things. However, simple improvement in each of these five areas can smooth the path to GDPR compliance. Most importantly, these improvements can prevent the types of breaches with which GDPR is concerned.

Access Control

The basics of authentication and authorization are so ingrained in our daily lives that they may be ignored. However, just count the number of passwords a user has, the number of hoops he or she must jump through to get to required resources, and the amount of IT involvement required to make it all happen. That gives you an idea of how much room for error exists in access control.

Fundamental practices, such as unifying authentication (sometimes called single sign-on) to reduce passwords (and password misuse), streamlining administration through business-driven workflows and self-service, and diligent attention to user, group, and directory hygiene, close many of the most commonly exploited vulnerabilities.

Multifactor Authentication

Much of the “low hanging fruit” for data breaches is the ability of bad actors to impersonate legitimate users through password-based logons. Multifactor authentication closes that hole by requiring a second “factor” for login and access. While the password is something that a user “knows”, and therefore a bad actor can guess, steal, or figure out, multifactor authentication augments that with something the user “has”. It is much more difficult (nearly impossible) to fake both the “know” and the “have” factors. It is a good idea to, at a minimum, implement multifactor authentication in an adaptive manner for access to GDPR-covered data and non-traditional access requests such as from an unknown location, at a non-standard time, or via an unrecognized device.
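The adaptive policy described above can be written down as a small decision function. The following example is added here for illustration; it is not code from this eBook or from One Identity. It treats GDPR-covered data as always requiring the second factor, scores the three non-traditional signals named above (unknown location, non-standard time, unrecognized device), and refers the most anomalous requests for out-of-band verification instead of relying on a factor at all. The signal weights, thresholds, user profile, resource list and sample requests are all constructed for the example.

```python
"""Adaptive (risk-based) multifactor step-up decision.

Added illustration, not code from the eBook or from One Identity. It
encodes the eBook's recommendation in policy form: always require a
second factor for GDPR-covered data, and step up for non-traditional
requests (unknown location, non-standard time, unrecognized device).
The signal weights, thresholds, user profile and sample requests are
all constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    country: str      # geolocated source of the request
    device_id: str    # device identifier presented by the client
    hour: int         # local hour of day, 0-23


@dataclass
class UserProfile:
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    work_hours: range = range(7, 20)    # hours treated as "standard"


# Constructed policy: how strongly each anomaly counts, and when the
# request is too anomalous for a second factor alone to resolve it.
SIGNAL_WEIGHTS = {"unknown_location": 2, "non_standard_time": 1,
                  "unrecognized_device": 2}
BLOCK_THRESHOLD = 4


def risk_signals(req, profile, covered_resources):
    """Return the signals that make this request non-traditional."""
    signals = []
    if req.resource in covered_resources:
        signals.append("gdpr_covered_data")
    if req.country not in profile.known_countries:
        signals.append("unknown_location")
    if req.hour not in profile.work_hours:
        signals.append("non_standard_time")
    if req.device_id not in profile.known_devices:
        signals.append("unrecognized_device")
    return signals


def mfa_decision(req, profile, covered_resources):
    """Return ("allow" | "step_up" | "block", signals).

    allow   - password alone is sufficient: known context, ordinary data
    step_up - require the second ("have") factor before granting access
    block   - anomaly score too high; refer to out-of-band verification
    """
    signals = risk_signals(req, profile, covered_resources)
    score = sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)
    if score >= BLOCK_THRESHOLD:
        return "block", signals
    if signals:                      # covered data or any single anomaly
        return "step_up", signals
    return "allow", signals


# Constructed sample data.
COVERED_RESOURCES = {"hr-db"}
PROFILE = UserProfile(known_countries={"DE"}, known_devices={"laptop-1"})
SAMPLE_REQUESTS = {
    "normal":       AccessRequest("alice", "wiki",  "DE", "laptop-1", 10),
    "covered_data": AccessRequest("alice", "hr-db", "DE", "laptop-1", 10),
    "new_country":  AccessRequest("alice", "wiki",  "US", "laptop-1", 10),
    "late_night":   AccessRequest("alice", "wiki",  "DE", "laptop-1", 22),
    "everything":   AccessRequest("alice", "hr-db", "US", "tablet-9", 3),
}


def evaluate_all():
    """Run the policy over the samples; returns {name: (decision, signals)}."""
    return {name: mfa_decision(req, PROFILE, COVERED_RESOURCES)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (decision, signals) in evaluate_all().items():
        print(f"{name:13s} {decision:8s} {signals}")
```

The point of the "block" outcome is that a second factor only proves possession of a device; when location, time and device are all unfamiliar at once, the request deserves a human check rather than an automatic prompt that a phished user might simply approve.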

Secure Remote Access

In our increasingly mobile and connected world, granting access only when someone is in the office and under your control is no longer an option. However, with these expanding boundaries comes additional risk of hijacked or unauthorized access to the type of data that will result in a GDPR finding. Technologies exist, however, that can place the same levels of control (or more control, if you like) that exist for on-premises employees on those accessing remotely. Combine this secure access with adaptive, risk-based controls and the dangers of remote users lessen significantly.

Governance

GDPR demands periodic audit of the technologies and practices in place to protect covered data. But it also has provisions for on-demand audits of those very same controls in the event a customer (or someone else) feels their personal information is at risk. Traditionally, audits are time-consuming, tedious efforts that leave a lot to chance. However, if identity administration practices are tightly coupled with governance capabilities, line-of-business personnel can quickly, easily, and thoroughly attest to the access rights of those they are responsible for. Proving that those rights are in place and have been vetted by the line of business is a major step towards passing an audit.
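What an auditor actually asks for is the attestation record behind each provisioned entitlement. The following example, added here and not taken from this eBook or from One Identity, shows the check a governance tool runs before an audit: for every entitlement still in place, find the latest attestation, confirm it came from the responsible line-of-business manager, and flag access that was never attested, was attested too long ago, was self-attested, or was marked for revocation but is still provisioned. The entitlements, attestation history, manager mapping, report date and the 90-day recertification period are constructed sample data.

```python
"""Access attestation (recertification) status for an audit.

Added illustration, not code from the eBook or from One Identity. It
models the eBook's governance point: line-of-business owners attest to
the access rights of the people they are responsible for, and the
attestation record is what an auditor is shown. The entitlements,
attestations, manager mapping and the 90-day recertification period
are constructed sample data.
"""
from datetime import date, timedelta

RECERT_PERIOD = timedelta(days=90)   # constructed policy value
AS_OF = date(2018, 3, 1)             # constructed report date

# Constructed entitlements currently provisioned: (user, resource, permission)
ENTITLEMENTS = [
    ("alice", "hr-db", "read"),
    ("bob",   "hr-db", "read"),
    ("bob",   "crm",   "write"),
    ("dave",  "crm",   "admin"),
    ("dave",  "hr-db", "read"),
]

# Constructed line-of-business ownership: user -> manager who may attest
MANAGER_OF = {"alice": "carol", "bob": "carol", "dave": "erin"}

# Constructed attestation history: (user, resource, attester, date, decision)
ATTESTATIONS = [
    ("alice", "hr-db", "carol", date(2017, 12, 1), "revoke"),   # superseded below
    ("alice", "hr-db", "carol", date(2018, 1, 15), "approve"),
    ("bob",   "hr-db", "carol", date(2017, 10, 1), "approve"),  # older than 90 days
    ("bob",   "crm",   "carol", date(2018, 2, 1),  "revoke"),   # still provisioned
    ("dave",  "crm",   "dave",  date(2018, 2, 20), "approve"),  # self-attested
    # dave / hr-db has never been attested
]


def latest_attestations(attestations):
    """Keep only the most recent decision per (user, resource)."""
    latest = {}
    for user, resource, attester, when, decision in attestations:
        key = (user, resource)
        if key not in latest or when > latest[key][1]:
            latest[key] = (attester, when, decision)
    return latest


def attestation_status(entitlements, attestations, manager_of, as_of):
    """Classify every provisioned entitlement for the audit report.

    certified        - approved by the responsible manager within the period
    stale            - last approval is older than RECERT_PERIOD
    revoked          - manager said revoke, but the access is still provisioned
    invalid_attester - attested by someone other than the responsible manager
    unattested       - no attestation exists at all
    """
    latest = latest_attestations(attestations)
    report = {}
    for user, resource, permission in entitlements:
        key = (user, resource, permission)
        record = latest.get((user, resource))
        if record is None:
            report[key] = "unattested"
            continue
        attester, when, decision = record
        if attester != manager_of.get(user):
            report[key] = "invalid_attester"
        elif decision == "revoke":
            report[key] = "revoked"
        elif as_of - when > RECERT_PERIOD:
            report[key] = "stale"
        else:
            report[key] = "certified"
    return report


def audit_findings(report):
    """Entitlements an auditor would flag: everything not certified."""
    return sorted(key for key, status in report.items() if status != "certified")


def run_report():
    """Run the check over the constructed data with the constructed date."""
    return attestation_status(ENTITLEMENTS, ATTESTATIONS, MANAGER_OF, AS_OF)


if __name__ == "__main__":
    report = run_report()
    for key, status in report.items():
        print(f"{status:17s} {key}")
    print("findings:", audit_findings(report))
```

Note the "revoked" case: a manager's decision that is never acted on by provisioning is the kind of gap that only shows up when attestation records are compared against what is actually provisioned, which is why the check runs over live entitlements rather than over the attestation list alone.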

Privileged Account Management

Finally, control and audit of administrator access and privileged credentials is crucial to GDPR compliance. These extremely powerful accounts are the crown jewels bad actors crave, and preventing them from falling into the wrong hands removes the danger of significant data breaches. Key privileged account management principles that help with GDPR compliance include password vaulting to prevent the sharing (and oversharing) of administrative credentials; session audit to assign individual accountability to administrator activity and provide a log of activities for forensic purposes should the need arise; and delegation of credentials so that individual administrators only have the level of permissions necessary to do the job.
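The three principles just named (vaulting, session audit, delegation) fit together as a single check-out workflow. The following example is added here for illustration and is not code from this eBook or from One Identity's products: a toy vault hands out a privileged account's credential only to a named administrator whose delegated role covers that account, records every action during the check-out against that individual rather than the shared account, and rotates the credential on check-in so a copied password stops working. The administrators, roles, accounts, time-to-live and the scenario in `demo()` are all constructed.

```python
"""Privileged credential check-out with per-administrator accountability.

Added illustration, not code from the eBook or from One Identity. It
models the three privileged account management principles the eBook
names: vaulting (the shared password is issued only per check-out and
rotated on check-in), session audit (every action is logged against the
individual administrator rather than the shared account) and delegation
(an administrator may only check out accounts in their delegated role).
Names, roles, the TTL and the toy rotation are constructed.
"""
import secrets
from datetime import datetime, timedelta, timezone

# Constructed delegation model: which privileged accounts each role may use,
# and which role each administrator holds.
DELEGATION = {"dba": {"oracle-sys"}, "linux-admin": {"root@web01"}}
ADMIN_ROLES = {"alice": "dba", "bob": "linux-admin"}
CHECKOUT_TTL = timedelta(hours=1)


class Vault:
    def __init__(self, accounts, now=None):
        self._secrets = {a: secrets.token_urlsafe(16) for a in accounts}
        self._sessions = {}    # session_id -> (admin, account, expires)
        self.audit_log = []    # append-only; never contains the secret
        self.now = now or datetime.now(timezone.utc)  # injectable clock

    def _log(self, admin, account, event, detail=""):
        self.audit_log.append({"time": self.now.isoformat(), "admin": admin,
                               "account": account, "event": event,
                               "detail": detail})

    def checkout(self, admin, account, justification):
        """Issue the credential to a named administrator, or refuse."""
        role = ADMIN_ROLES.get(admin)
        if account not in DELEGATION.get(role, set()):
            self._log(admin, account, "checkout_denied", justification)
            raise PermissionError(f"{admin} ({role}) is not delegated {account}")
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = (admin, account, self.now + CHECKOUT_TTL)
        self._log(admin, account, "checkout", justification)
        return session_id, self._secrets[account]

    def record_action(self, session_id, command):
        """Attribute an action done with the shared account to the person."""
        admin, account, expires = self._sessions[session_id]  # KeyError if unknown
        if self.now > expires:
            raise PermissionError("check-out expired; check out again")
        self._log(admin, account, "command", command)

    def checkin(self, session_id):
        """End the session and rotate the secret so it cannot be reused."""
        admin, account, _ = self._sessions.pop(session_id)
        self._secrets[account] = secrets.token_urlsafe(16)
        self._log(admin, account, "checkin_rotated")

    def actions_by(self, admin):
        """Forensic view: everything a specific person did, across accounts."""
        return [e for e in self.audit_log
                if e["admin"] == admin and e["event"] == "command"]


def demo():
    """Constructed scenario; returns (vault, password_rotated, bob_denied)."""
    vault = Vault(["oracle-sys", "root@web01"],
                  now=datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc))
    session, pw_before = vault.checkout("alice", "oracle-sys", "ticket-1234")
    vault.record_action(session, "SELECT COUNT(*) FROM customers")
    vault.record_action(session, "GRANT SELECT ON customers TO reporting")
    vault.checkin(session)
    rotated = vault._secrets["oracle-sys"] != pw_before   # internal check for the demo
    try:
        vault.checkout("bob", "oracle-sys", "curious")    # outside bob's delegation
        denied = False
    except PermissionError:
        denied = True
    return vault, rotated, denied


if __name__ == "__main__":
    vault, rotated, denied = demo()
    print("rotated:", rotated, "bob denied:", denied)
    for entry in vault.audit_log:
        print(entry)
```

The audit log is the deliverable for the forensic case the eBook mentions: it answers "which person ran this command under the shared administrator account" without ever storing the credential itself, and the denied check-out is logged as well, since a refused request is often the first signal of misuse.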

Conclusion

GDPR applies to the vast majority of organizations and the regulation can result in significant consequences if one is found in violation. Most organizations already have the foundational aspects of data protection in place. However, it is wise to take a fresh look at IAM technologies and practices to ensure that they meet GDPR requirements.

To recap, the five fundamental IAM technologies that can help are:

1. Access control

2. Multifactor authentication

3. Secure remote access

4. Governance

5. Privileged account management

So, are you ready?

To get prepared, see how the One Identity family of IAM solutions can help any organization prepare for GDPR compliance and enhanced user-data security.

One Identity includes the industry’s most complete and mature collection of privileged account management solutions. Learn more by clicking here.

One Identity IAM Solutions

Access Management

To learn how One Identity access management solutions can help fill the gaps in your GDPR compliance plan, click here.

Authentication

One Identity’s multifactor authentication solution – Defender – provides an easily deployed, very flexible, and easily scalable alternative to the risky practice of single-factor authentication.

Remote Access

One Identity’s secure remote access solution combines with its access control and multifactor authentication solutions to provide the end-to-end security GDPR demands while eliminating the desire for users to circumvent security measures for convenience’s sake. To learn more about Cloud Access Manager, click here.

Identity Manager

Identity Manager, the centerpiece of the One Identity family of IAM solutions, provides the unified provisioning/governance solution that places the visibility and control in the hands of the people that know “why” (i.e. the line of business) rather than simply those that know “how” (IT). To see Identity Manager at work, click here.

© 2016 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).

Dell Security logo and products—as identified in this document—are trademarks or registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About One Identity

The One Identity family of identity and access management (IAM) solutions truly offers IAM for the real world, including business-centric, modular and integrated, and future-ready solutions for identity governance, access management, and privileged management.

If you have any questions regarding your potential use of this material, contact:

Dell
5455 Great America Parkway, Santa Clara, CA 95054
www.dell.com/security

Refer to our Web site for regional and international office information.

Ebook-IAM-GDPR-US-CW-23814