By Julie Suhr - Information Security Specialist - Advanced Consultant at NNIT A/S
Nobody wants to pay 4% of their turnover in fines, so companies and authorities are finding smart ways to comply with the new regulations on personal data. Identity and Access Management is key to staying in control.
The EU General Data Protection Regulation (GDPR) is strengthening and harmonizing data protection for EU citizens. GDPR sets entirely new demands to how organizations should handle personal data, resulting in a need for additional information security investments.
One of the current top security investments is Identity & Access Management (IAM), surpassed only by Data Loss Prevention (DLP). This does not come as a surprise, as IAM and DLP both aim to minimize unauthorized access to critical information and to prevent its disclosure, which is the main focus of the GDPR. Consistent with these trends, security analysts state that, if done properly, IAM can be very effective in meeting key parts of the GDPR requirements.
Personal data breaches have previously resulted in embarrassment and, in some cases, contractual fines. Now with the GDPR and penalties up to 4% of the worldwide turnover, compliance is crucial.
As the complexity of organizations’ IT solutions rises, so do the access management related risks. In fact, the majority of security breaches stem from within an organization, where the consequences of negligent or accidental behavior are multiplied tenfold without a solid access management solution.
When handling personal data, employees store, edit and transfer information to structured locations such as databases, as well as unstructured locations such as e-mails, file servers and cloud storage. Many companies do not have the necessary overview to validate whether their employees were provisioned with the right access and permissions in the first place.
The same employees typically switch roles within the organization on a regular basis. This means they get new access to new data sets, often without losing previously acquired accesses. This challenge, which is also known as entitlement creep, is a serious threat to the legal processing of personal data, because the original legal basis of processing the data may no longer apply to the employee’s new role. If this is the case, it is a violation of the GDPR.
Some form of access control is part of everyday life in most organizations. However, decision makers have often been reluctant to implement a full-scale IAM system in the past, because the business risk of improper IAM has previously been less severe. Simplified manual access control processes using e.g. AD groups have been the go-to solution for many, but this is simply no longer sufficient.
Access to systems provisioned through Active Directory alone allows companies to create and manage “certificates” to system access and enables them to verify the authenticity of the users. Whilst this is an important step in the Access Management challenge, the key element of creating an overview of the actual user-access assignments to systems (and not just the expected assignment) is absent in this setup.
As illustrated in the examples above, Active Directory services only provide an overview of AD group memberships, not an overview of the accesses and privileges actually assigned. Reviewing user access lists based on AD group assignments gives a false sense of assurance: such reviews are typically done by business managers and do not necessarily reflect the access that application owners have granted autonomously, outside of AD groups.
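The two gaps described above (entitlement creep after a role change, and access granted directly by application owners that an AD-group review never sees) can be surfaced by reconciling what a user actually holds against what their current role justifies. The following is an added example, not code from the column or from NNIT; the role model, entitlement names and users are constructed sample data.

```python
"""Added example: reconcile held access against the current role to flag
entitlement creep and application grants invisible to an AD-group review.
All role names, entitlements and users below are constructed sample data."""
from dataclasses import dataclass

# Role model (constructed): which entitlements each role justifies. Entitlements
# touching personal data raise a GDPR legal-basis question when unjustified.
ROLE_ENTITLEMENTS = {
    "hr-caseworker": {"HR_Personnel_RW", "Payroll_RO"},
    "sales-rep": {"CRM_Customers_RW", "Marketing_Files_RO"},
    "it-support": {"Helpdesk_Tickets_RW"},
}
PERSONAL_DATA_ENTITLEMENTS = {"HR_Personnel_RW", "Payroll_RO", "CRM_Customers_RW"}


@dataclass
class User:
    name: str
    current_role: str
    ad_groups: set        # what an AD-group-based review shows
    app_assignments: set  # what application owners actually granted


def entitlement_creep(user):
    """Access held by any path that the user's current role does not justify."""
    justified = ROLE_ENTITLEMENTS.get(user.current_role, set())
    return sorted((user.ad_groups | user.app_assignments) - justified)


def ad_review_blind_spots(user):
    """Direct application grants with no matching AD group: never reviewed."""
    return sorted(user.app_assignments - user.ad_groups)


def review_user(user):
    creep = entitlement_creep(user)
    return {
        "user": user.name,
        "entitlement_creep": creep,
        "personal_data_risk": sorted(set(creep) & PERSONAL_DATA_ENTITLEMENTS),
        "unreviewed_direct_grants": ad_review_blind_spots(user),
    }


# Constructed sample: alice moved from HR to sales and kept HR access; an
# application owner also granted her CRM access directly, outside any AD group.
SAMPLE_USERS = [
    User("alice", "sales-rep", {"HR_Personnel_RW", "Marketing_Files_RO"},
         {"CRM_Customers_RW", "Payroll_RO"}),
    User("bob", "it-support", {"Helpdesk_Tickets_RW"}, {"Helpdesk_Tickets_RW"}),
]


def run_review(users=SAMPLE_USERS):
    return [review_user(u) for u in users]
```

Running `run_review()` flags alice's leftover HR entitlements as personal-data risk and lists her direct CRM grant as access that an AD-group review would miss, while bob comes back clean.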
For the GDPR to succeed, organizations need to overcome their traditional reluctance towards access control. Organizations that fail to manage this will fail to secure the intended data protection for individuals.
At this moment, senior management in companies and public authorities across the EU Member States are waiting to see how this requirement will be enforced. The national data protection agencies are currently producing guidelines on how organizations can implement adequate security measures to protect personal data, which will indicate the legislative strategy. In Denmark, the existing executive order on security does not currently contain specific initiatives to be taken in the area of IAM. This has previously led auditors and data protection agencies to measure organizations’ ability to control their accesses by asking a single question: “Do you have a formal authorization process in place?” In the light of the GDPR, this vague question is expected to be replaced by a much more detailed auditing process as the executive order on security is updated.
If companies are not forced to strengthen and centralize their IAM setup, their efforts on implementing other GDPR requirements, such as updating their data processor agreements and ensuring data subjects’ right to be informed, can end up being another false assurance, as the individual’s privacy will still be violated on a daily basis if organizations remain ignorant of where personal data is flowing and who has access to it.
NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.
NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage.
You are welcome to contact us at firstname.lastname@example.org or visit us if you want to know more about how NNIT can help your business increase its information security level.