Five IAM practices that will help you succeed with GDPR · 2017-03-03
The European Union’s bold move to protect private data requires IAM to succeed – are you ready?
Five IAM practices that will help you succeed with GDPR
Overview
Recently the European Union (EU) passed a regulation called
the General Data Protection Regulation (GDPR). The regulation
aims to provide citizens of the EU with clear and understandable
information about the processing, storage, use — and, above all — the
protection of their personal data.
One major factor of EU GDPR, and perhaps the most challenging
for IT organizations, is the requirement to notify both individuals
and the relevant data authority “without undue delay, where feasible
within 72 hours if data is unlawfully destroyed, lost, altered, accessed
by or disclosed to unauthorized persons, where there is a risk to
individuals’ rights.”
Other terms that are commonly used to refer to these EU privacy
requirements are EU Data Protection Directive or EU Data
Protection Regulation.
GDPR requires both data protection by design and data protection by
default. This means that data protection safeguards should be built into
products and services from the earliest stage of development and that
privacy-as-a-priority should be the norm, not the exception.
These principles prove particularly challenging for organizations that
must adhere to GDPR but may not be ready yet. These organizations
may not be in a financial or technological position to upgrade systems
and therefore must get by with systems not designed or implemented
with GDPR in mind.
GDPR applies to any organization – even those outside of the EU – that
“processes, stores, or uses” personal information of citizens of the EU.
These rigorous regulations with global impact will go into effect in early
2018. To comply with these significant requirements organizations must:
• Assign a data protection officer (DPO) whose responsibilities
include reporting breaches, addressing audit requirements and
acting as a liaison with data authorities.
• Report breaches to supervising authorities and affected
customers in a timely manner – 72 hours.
• Show “continuous compliance” through periodic audits, as
well as on-demand audits at the discretion of the supervising
authority (most likely as a result of concerned customers
requesting an audit).
Fines for non-compliance can reach a maximum of four percent of
global revenue.
Are you ready? Survey says, not really.
In a recent One Identity-sponsored survey conducted by
Dimensional Research of 821 GDPR-beholden organizations across
the EU, UK, North America, and Asia-Pacific, only four percent
felt they were “very knowledgeable” about GDPR (the number was
about half that outside of the EU), less than one in three felt
they were currently prepared for GDPR, and half were skeptical that
they would be prepared by the 2018 date.
[Chart “… are you ready?”: bars for Access management, Privileged account management, Secure mobile access, Multifactor authentication, and Access governance (attestation/recertification), with values shown of 40%, 36%, 34%, 31% and 21% on a 0–100% axis. Second chart: No change 11%, Significant change 23%, Minor change 66%.]
A data protection primer – what you can do today.
While GDPR is focused solely on the protection of data, and only
has effect in the event of a breach (reporting, fines, etc.), preventing
breaches is by far the best way to ensure compliance. There are
several common technologies and practices that can fortify your data-
protection practices for GDPR compliance.
• Encryption – If data is encrypted in storage, in transit, and on
endpoints — even in the event of unauthorized access — personal
information is not at risk and therefore not in jeopardy of violating
GDPR stipulations.
• Network and email security – Major attack vectors for
unauthorized access of personal data include phishing, APTs, and
other external attacks on the network. Therefore, closing these
holes will significantly reduce the risk of non-compliance.
• Access control – Data is meant to be accessed, but that access
must be only by the right people, under the right circumstances,
and with all the right permissions. Access control is fundamental to
any effective data protection strategy.
• Governance – In addition to access control is the important
concept of governance to close the loop on GDPR compliance.
Governance places a layer of business-centric visibility and control
over access to data and resources. Not only does the right user
have the right access, but additional gatekeepers have attested that
that user has the right level of access and has granted that user his
or her permissions. Best of all, governance, by its very nature, is
easily and thoroughly auditable.
This eBook will focus on identity and access management (IAM),
specifically access control and governance, and show you how to get
ready for GDPR.
IAM’s role in GDPR
Identity and access management (IAM) encompasses the practices and
technologies to grant people appropriate access to systems, data, and
applications. There are four fundamental principles that make up IAM:
1. Authentication – This is what a user does to identify themselves
to a system that they are attempting to access. This includes a
growing number of methods and devices, such as a password, a
smartcard, biometric means, or other identifying factors.
2. Authorization – Once a user is identified, what level of access – or
permissions – do they have? Which resources should they have
access to, and what can they do with each resource? Authorization is
often based on group membership in a directory, an assigned role, or
even contextual factors, such as time-of-day, location, or the relative
risk of the request. This concept is particularly relevant with regard
to privileged users that may have an elevated level of access that, if
compromised, could result in a major breach that then leads to
egregious violations and the largest fines.
3. Administration – These critical activities (traditionally performed
by IT) manage user authentication and authorization. The more
complex an organization, the more likely that the IAM administrative
load will require automation. There is a potential blind spot here.
Because IT is forced to make assumptions about authorization, and
is not aware of subtle, yet very significant, differences in the
roles of users at the same management level, it is likely to apply
very crude segmentation. This may leave vulnerabilities in access
control; for example, “give John the same rights as Bill” without
a true understanding of the history or specific requirements of
either user. When the in-line business managers are responsible for
determining and attesting to access levels, mistakes are less likely to
happen and GDPR compliance is more likely.
4. Audit – GDPR requires organizations to prove, periodically as well
as on demand, that authentication, authorization, and
administration are happening in a way that does not place
personal data at risk, and that they were not the culprit in the event of a breach.
When IAM is done right, the chances for GDPR success are greatly
enhanced. When an organization knows exactly who all users are,
what those users are supposed to be able to do and not do, has the
confidence that each user has precisely the correct permissions to do
their job (nothing more nothing less), and can easily prove that those
factors are in place and under control, a breach is much less likely and
if a breach does occur, the impact is severely limited.
Five IAM practices that will help you succeed with GDPR
In the GDPR survey mentioned earlier, respondents that felt the
most prepared for GDPR expressed a higher level of confidence and
preparedness with five basic IAM technologies and practices than their
less-prepared peers. Most organizations are already doing some version
of all or some these things. However, simple improvement in each
of these five areas can smooth the path to GDPR compliance. Most
importantly, these improvements can prevent the types of breaches
with which GDPR is concerned.
Access Control
The basics of authentication and authorization are so ingrained in our
daily lives that they may be ignored. However, just count the number
of passwords a user has, the number of hoops he or she must jump
through to get to required resources, and the amount of IT involvement
required to make it all happen. That gives you an idea of how much
room for error exists in access control.
Fundamental practices, such as unifying authentication (sometimes
called single sign-on) to reduce passwords (and password misuse),
streamlining administration through business-driven workflows and
self-service, and diligent attention to user, group, and directory hygiene,
close many of the most commonly exploited vulnerabilities.
Multifactor Authentication
Much of the “low hanging fruit” for data breaches is the ability of
bad actors to impersonate legitimate users through password-based
logons. Multifactor authentication closes that hole by requiring
a second “factor” for login and access. While the password is
something that a user “knows”, and therefore a bad actor can guess,
steal, or figure out, multifactor authentication augments that with
something the user “has”. It is much more difficult (nearly impossible)
to fake both the “know” and the “have” factors. It is a good idea to,
at a minimum, implement multifactor authentication in an adaptive
manner for access to GDPR-covered data and non-traditional access
requests such as from an unknown location, at a non-standard time,
or via an unrecognized device.
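The contextual authorization factors listed under IAM’s role in GDPR (time-of-day, location, risk of the request) and the adaptive multifactor policy described above can be expressed as a small decision function. The following is an added example, not code from the eBook or from any One Identity product; the profile fields, the thresholds, and the rule that covered personal data always requires a second factor are assumptions chosen to illustrate the text.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    """What the organization already knows about a user (constructed)."""
    known_devices: set          # device ids previously enrolled/seen
    usual_countries: set        # countries the user normally works from
    work_hours: tuple = (8, 18) # local hours treated as "standard" time

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    hour: int                   # local hour of day, 0-23
    resource: str
    holds_personal_data: bool   # True if the resource holds GDPR-covered data

def risk_signals(profile: UserProfile, req: AccessRequest) -> list:
    """Name every contextual anomaly the text lists that this request shows."""
    signals = []
    if req.device_id not in profile.known_devices:
        signals.append("unrecognized_device")
    if req.country not in profile.usual_countries:
        signals.append("unknown_location")
    start, end = profile.work_hours
    if not start <= req.hour < end:
        signals.append("non_standard_time")
    return signals

def decide(profile: UserProfile, req: AccessRequest) -> tuple:
    """Return (decision, reasons).

    'allow'   - password alone is sufficient
    'step_up' - require a second factor before granting access
    'deny'    - assumed threshold: every contextual signal fired at once
    """
    reasons = risk_signals(profile, req)
    if len(reasons) == 3:
        return "deny", reasons
    if req.holds_personal_data:
        # GDPR-covered data always gets a second factor, even from a known context
        reasons = ["personal_data"] + reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons
```

The returned reasons list doubles as the audit record of why a step-up or denial happened, which is the evidence a later GDPR audit asks for.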
Secure Remote Access
In our increasingly mobile and connected world, granting access only
when someone is in the office and under your control is no longer an
option. However, with these expanding boundaries comes additional
risk of hijacked or unauthorized access to the type of data that will
result in a GDPR finding. Technologies exist that can place
the same levels of control (or more control if you like) that exist for
on-premises employees on those accessing remotely. Combine this
secure access with adaptive, risk-based controls and the dangers of
remote users lessen significantly.
Governance
GDPR demands periodic audit of the technologies and practices
in place to protect covered data. But it also has provisions for on-
demand audits of those very same controls in the event a customer (or
someone else) feels their personal information is at risk. Traditionally
audits are time-consuming, tedious efforts that leave a lot to chance.
However if identity administration practices are tightly coupled with
governance capabilities, line-of-business personnel can quickly, easily,
and thoroughly attest to the access rights of those they are responsible
for. Proving that those rights are in place and have been vetted by the
line-of-business is a major step towards passing an audit.
Privileged Account Management
Finally, control and audit of administrator access and privileged
credentials is crucial to GDPR compliance. These extremely powerful
accounts are the crown jewels bad actors crave, and preventing them
falling into the wrong hands removes the danger of significant data
breaches. Key privileged account management principles that help
with GDPR compliance include password vaulting to prevent the
sharing (and oversharing) of administrative credentials; session audit
to assign individual accountability to administrator activity and provide
a log of activities for forensic purposes should the need arise; and
delegation of credentials so that individual administrators only have
the level of permissions necessary to do the job.
Conclusion
GDPR applies to the vast majority of organizations and the regulation
can result in significant consequences if one is found in violation. Most
organizations already have the foundational aspects of data protection
in place. However, it is wise to take a fresh look at IAM technologies and
practices to ensure that they meet GDPR requirements.
To recap, the five fundamental IAM technologies that can help are:
1. Access control
2. Multifactor authentication
3. Secure remote access
4. Governance
5. Privileged account management
So, are you ready?
To get prepared, see how the One Identity family of IAM solutions can
help any organization prepare for GDPR compliance and enhanced user-
data security.
One Identity IAM Solutions
Access Management
To learn how One Identity access management solutions can help
fill the gaps in your GDPR compliance plan click here.
Authentication
One Identity’s multifactor authentication solution – Defender
– provides an easily deployed, very flexible, and easily scalable
alternative to the risky practice of single-factor authentication.
Remote Access
One Identity’s secure remote access solution combines with its
access control and multifactor authentication solutions to provide
the end-to-end security GDPR demands while eliminating the desire
for users to circumvent security measures for convenience’s sake.
To learn more about Cloud Access Manager click here.
Identity Manager
Identity Manager, the centerpiece of the One Identity family of IAM
solutions provides that unified provisioning/governance solution that
places the visibility and control in the hands of the people that know
“why” (i.e. the line-of-business) rather than simply those that know
“how” (IT). To see Identity Manager at work click here.
One Identity includes the industry’s most complete and mature
collection of privileged account management solutions.
Learn more by clicking here.
© 2016 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).
Dell Security logo and products—as identified in this document—are trademarks or registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About One Identity
The One Identity family of identity and access management (IAM)
solutions, truly offers IAM for the real world including business-
centric, modular and integrated, and future ready solutions for identity
governance, access management, and privileged management.
If you have any questions regarding your potential
use of this material, contact:
Dell
5455 Great America Parkway, Santa Clara, CA 95054 www.dell.com/security
Refer to our Web site for regional and international office information.
Ebook-IAM-GDPR-US-CW-23814