Managing Privileges for GDPR Compliance
Anirban Banerjee
The EU’s data protection law, formally Regulation (EU) 2016/679 and generally known as GDPR, takes effect on 25 May 2018. We have written in detail about how challenging use cases for healthcare companies can take quite a bit of ingenuity to resolve (read more about EU GDPR basics and some use cases). In this article we discuss the aspects of GDPR that pose the greatest practical challenges, and we highlight strategies for addressing them.
The new requirements in GDPR add to the complexity of the compliance landscape for most CISOs, SecOps teams and GRC teams. Many businesses will have to adapt to the nuances of EU data subject rights, such as the “right to erasure” and “data portability.” Significant penalties are now in place for failing to comply with the regulation and for any breaches that result from that failure. GDPR also mandates that certain organizations appoint a Data Protection Officer (DPO): public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data (Article 37). The trigger is the nature of the processing, not the headcount of the business.
Privileged Access Management (PAM) is a key factor in achieving GDPR compliance. This article reviews GDPR’s impact on access control for the data management systems and applications that handle EU consumer data, and focuses on the role of PAM in “privacy by design” as well as in GDPR-related audit, compliance documentation and incident response.
GDPR has injected the privacy discussion into many security and IT workflows, which complicates existing processes. Consider the addition of a DPO: that alone changes how people in teams communicate with each other and how critical security and privacy decisions get made. With the equivalent of a regulatory authority in-house, everyone who touches personal data now has some obligation to keep the DPO informed about decisions and activities that relate to GDPR compliance. As the point person for data privacy across the entire infrastructure, the DPO may require visibility into processes that were formerly seen by no one except the person performing the task.

GDPR also adopts a broad approach to territoriality, affecting organizations of all types, whether acting as controllers or as processors. There will be significant changes for organizations established outside the EU that conduct business in the EU. This particularly affects organizations with internet-based business models that offer goods or services to consumers located in the EU.
How PAM helps with GDPR
For a security team, GDPR’s security and breach-handling obligations (notably Article 32 on security of processing and Articles 33 and 34 on breach notification) reduce in practice to four capabilities:
- Stop a risky, non-compliant event from occurring.
- Discover the pathway that led to this event.
- Remedy the effect of the event and remove the pathway.
- Provide verifiable proof that corrective measures have been taken.
Most IT and security teams are already doing these four things, or should be. With GDPR and its much higher penalties, though, they will need to do them faster and more reliably or face larger economic consequences. That means getting better at managing privileged users: knowing who is doing what to the back end of critical systems.
A privileged user has administrative or “root” access to a system. He or she is the individual who can add, modify or delete mailboxes on Microsoft Exchange Server, for instance. Access privileges should only be extended to trusted people and, like any privilege, admin rights can be revoked. There are usually tiers of privilege, with some users holding more administrative rights than others. A “super administrator” may have the right to override work done by regular privileged users, to add or remove the privileged access rights of others, and in some cases to disable or bypass security controls altogether. That last capability is exactly why this tier needs the closest monitoring.
Privileged Users and the Work of GDPR Compliance
With this picture of the privileged user in mind, it is easy to see how their work is central to GDPR compliance. Compliance means tracking administrative access for every system that manages personal data. Under GDPR, this may mean monitoring how many different admins handle and protect data across several EU territories, and the same applies to the applications that process EU consumer data.
Documentation of privileged access is necessary to establish that GDPR rules are being followed. An organization may need to demonstrate to its Data Protection Authority (DPA, the national supervisory authority) how it is implementing GDPR. It does this by sharing its privileged access policies and an audit record that verifies they are enforced. Even if the DPA never asks to see it, any sizable organization should document its privileged access policies to satisfy its own internal GDPR requirements.
How PAM Solutions Can Help with GDPR Compliance
PAM consists of tools and practices that keep an organization safe from accidental or deliberate misuse of privileged access. A PAM solution offers a secure, streamlined way to authorize and monitor all privileged users for all relevant systems:
- Grant privileges to users only for systems on which they are authorized
- Grant access only when needed and revoke access when the need expires
- Remove the need for privileged users to hold local or direct system passwords
- Centrally and quickly manage access over a disparate set of heterogeneous systems
- Create an unalterable audit trail for any privileged operation
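The grant-and-revoke and audit-trail items in this list are the ones that translate most directly into code. The following is an added example written for this article, not code from any PAM product or from the original author: a minimal broker that issues time-boxed privileged grants, revokes them, and writes every decision (allowed or denied) to a log whose records are chained with HMAC-SHA256, so that editing, deleting or reordering a past record breaks verification. The system name `crm-db-eu-west`, the user names, the key and the timestamps are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor for the first record


@dataclass
class AuditLog:
    """Append-only log whose records are chained by HMAC-SHA256.

    Each MAC covers the previous record's MAC plus the current event, so any
    change to a past record invalidates every MAC after it. The key is an
    assumption of this example: in practice it is held by the log service
    (or an HSM), never by the administrators whose actions are being logged.
    """
    key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, prev: str, event: dict) -> str:
        body = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "prev": prev,
                  "event": event, "mac": self._mac(prev, event)}
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the whole chain from GENESIS; False on any break."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev:
                return False
            if not hmac.compare_digest(rec["mac"], self._mac(prev, rec["event"])):
                return False
            prev = rec["mac"]
        return True


class PrivilegeBroker:
    """Issues time-boxed privileged access and logs every decision."""

    def __init__(self, log: AuditLog):
        self.log = log
        self.grants: dict = {}  # (user, system) -> expiry datetime

    def grant(self, approver: str, user: str, system: str,
              ttl: timedelta, now: datetime) -> datetime:
        expiry = now + ttl
        self.grants[(user, system)] = expiry
        self.log.append({"type": "grant", "approver": approver, "user": user,
                         "system": system, "at": now.isoformat(),
                         "expires": expiry.isoformat()})
        return expiry

    def revoke(self, revoker: str, user: str, system: str, now: datetime) -> None:
        self.grants.pop((user, system), None)
        self.log.append({"type": "revoke", "revoker": revoker, "user": user,
                         "system": system, "at": now.isoformat()})

    def is_authorized(self, user: str, system: str, now: datetime) -> bool:
        expiry = self.grants.get((user, system))
        return expiry is not None and now < expiry

    def execute(self, user: str, system: str, command: str, now: datetime) -> bool:
        """Broker a privileged command; denied attempts are logged too."""
        allowed = self.is_authorized(user, system, now)
        self.log.append({"type": "exec", "user": user, "system": system,
                         "command": command, "allowed": allowed,
                         "at": now.isoformat()})
        return allowed


def run_demo() -> dict:
    """Constructed scenario: a 30-minute grant that expires, a revoked grant,
    and an attempt to doctor the log after the fact."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    log = AuditLog(key=b"constructed-demo-key-not-for-production")
    broker = PrivilegeBroker(log)

    broker.grant("dpo-approver", "alice", "crm-db-eu-west", timedelta(minutes=30), t0)
    in_window = broker.execute("alice", "crm-db-eu-west",
                               "SELECT count(*) FROM customers", t0 + timedelta(minutes=10))
    after_expiry = broker.execute("alice", "crm-db-eu-west",
                                  "DELETE FROM customers", t0 + timedelta(minutes=45))

    broker.grant("dpo-approver", "bob", "crm-db-eu-west", timedelta(hours=8), t0)
    broker.revoke("dpo-approver", "bob", "crm-db-eu-west", t0 + timedelta(minutes=5))
    after_revoke = broker.execute("bob", "crm-db-eu-west", "SELECT 1", t0 + timedelta(minutes=6))

    intact = log.verify()
    # An insider edits the denied DELETE so it appears to have been authorized.
    log.entries[2]["event"]["allowed"] = True
    tamper_detected = not log.verify()

    return {"in_window": in_window, "after_expiry": after_expiry,
            "after_revoke": after_revoke, "records": len(log.entries),
            "intact_before_tamper": intact, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter for the audit requirement. First, denied attempts are logged as faithfully as allowed ones; an auditor investigating an incident needs to see what was tried, not only what succeeded. Second, the HMAC chain only makes tampering detectable to whoever holds the key and an independent copy of the last MAC, so the key and the verification step must sit outside the reach of the administrators being audited, typically in a separate logging service with the records forwarded to write-once storage.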
These capabilities let a PAM solution support many aspects of GDPR compliance, and they make compliance far easier to document than ad-hoc management of privileged users would. PAM provides the basis for a streamlined internal GDPR audit. It can show, for example, which roles in the organization are allowed to modify data protection policies. A typical GDPR risk is a privileged user in an EU country whose actions on a system holding personal data are not logged. That user might, with the best of intentions, create a violation of GDPR rules, and without a pervasive PAM solution the organization has no record of what happened and a potentially costly liability.
PAM solutions can also support GDPR’s requirement for data protection by design and by default (Article 25, commonly called “privacy by design”). With a PAM solution, IT managers and security administrators can define and enforce the controls that make privacy by design work. For example, any workflow in which an employee has access to personal data should be subject to a control that prevents unauthorized sharing of that data, and the PAM solution should give IT managers precise knowledge of who holds the privilege to modify that control.
An effective PAM solution will also provide session management and session recording that give auditors transparency for incident reporting. The DPA will want to understand what actions led to a breach, and Article 33 gives the controller only 72 hours from becoming aware of a breach to notify the authority. A data controller therefore needs to establish and document quickly what events precipitated the incident. This cannot realistically be done with ad-hoc measures; an organized system for managing and monitoring privileged users is a much better solution.
The Importance of PAM Ease of Use and Deployment
Doing PAM right is a serious security requirement in general, but under GDPR it is essential. PAM for GDPR requires a uniform approach across multiple sites and regions. The PAM solution must scale easily in a large, distributed organization, and it must be used consistently, governing access for every system that touches personal data. This may seem obvious, but in practice many organizations use their PAM solution inconsistently.
Usability is usually the culprit. If a PAM solution is not easy to install, use and maintain, the organization will in effect fall back to an ad-hoc approach to privileged user management, and GDPR compliance will inevitably fall short as a result. The right PAM solution for GDPR must be simple to install and maintain and easy for administrators to use every day.
Also published on Medium.