Wednesday, 5th August 2020

IAM and GDPR: How can security teams ensure they work in tandem?

As organizations digitally transform, critical systems and sensitive information can be accessed by more users in an organisation than ever before. With the added pressure of GDPR, organisations have to ensure that strong security practices are implemented in the systems that people use to access data. This is where Identity Access Management (IAM) and Data Access Governance (DAG) comes in, giving granular access to the systems and data individuals use. Like with any security implementation however, organisations need to consider all areas of potential conflict, including managing employee access in the cloud and how to secure unstructured data. By Aubrey Turner, Director Client Solutions IAM, Optiv.

Could unstructured data be the biggest risk to your business?

Storing personally identifiable information (PII) in a GDPR compliant way can be a challenge, but IAM tools are used to protect and manage access to systems containing PII. And DAG tools can find PII in unstructured repositories and provide insight into effective permission and usage.

When combatting privacy issues, ensuring the confidentiality and integrity of data is a necessity, and is in equal importance with the technology used to protect it. A simple lack of organisation and structure of that data can have dire consequences for a company. There are numerous ways in which the complete visibility of user identity across the business can be hindered, for example, duplicate employee or user account records, incomplete records, or user records that cannot be matched or correlated. As such, there are three stages of the data lifecycle which an enterprise should monitor and protect to ensure this visibility, and they are data “at rest”, “in use” and “in motion”.

“Data at rest” can be defined as data that is stored within shared drives, both physical and in the cloud, that may be accessed less frequently, but is still best protected by utilising encryption methods to ensure cyber criminals cannot access enough data to perpetuate fraud. It must be noted however that this should not be the sole solution. Encryption can be negated through authenticated access and the reality is that most breaches involve stolen credentials to some degree. Intelligent, adaptive authentication can and should be implemented to mitigate these threats.

“Data in use”, or data at the endpoint, is data people require access to, and has a greater likelihood of ending up where it shouldn’t. Complete visibility into the tracking and reporting of relevant information, numerous failed login attempts, for example, can be the difference between a breached system or not. As such, device management and strong authentication practices should also be implemented in this instance.

Lastly, “data in motion” is data shared on private networks, within an organisation, and also externally through public, untrusted networks – something that is hard to avoid in today’s business landscape. Cybercriminals with the right tools and methods can easily infiltrate data on the move which makes having a strong defence necessary. This can be achieved through encryption of employee endpoints such as mobile phones and laptops and all outbound data such as emails for example.

The cloud complication

With the onset of digital transformation, and cloud being a key component of that, managing and controlling access becomes a challenge. It’s not enough to keep track of who has access to data, even once they’ve been identified. Instead, only the right people should be able to access personal data, and for the purpose for which that data has been collected or stored. The company might also likely be using third party tools, which could be collecting, processing or storing data, in the cloud or elsewhere, that further reiterates the need for organisations to complete visibility of who is accessing what data and when.

Problems can arise when an employees leaves a company as well, as the organisation is still responsible for protecting information about that individual. Considering that employees may come and go frequently, this is an aspect that organisations need to take in to account before integrating IAM tools into the cloud. To master this, security needs to be implemented into a cloud program from the very start as this can create alignment between the business and security requirements, and help alleviate cloud migration risk.

Often, security teams simply don’t have the capacity to align cloud initiatives with strategic business drivers while also integrating them with existing governance and compliance programs. It would be too complex and too time consuming. Because of this, it can be useful for organisations to employ an external team of cloud security architects to provide a complete security program lifecycle as this can heavily reduce the burden for the team and free up time to meet more strategic goals.

The IAM road to victory

Many organisations hold concerns over how to undergo processes with the onset of GDPR andenterprise security teams often raise the following questions: Where is data stored? What is its value to the organisation? What are the protection controls? Who has access? How are they using that access? With a fully integrated data access governance (DAG) and IAM strategy however, together with the right combination of services and technologies, these questions can be effectively answered.

,The intersection of DAG and IAM has the potential to meet the necessary requirements and ease frustration. It can also address audit findings through centralised reporting, gain operational efficiencies, and provide significant business value by reducing the threat of breaches related to credentials that have been compromised, insider threat or elevated privileges. Of paramount importance to businesses however is ensuring that before deploying any solution, they fully assess their data landscapeand the data which is of most value to the business along with identifying any security gaps, and dealing with the ramifications of cloud based threats.

Digital transformation needs security at heart, says Jonathan Whiteside, Principal Technical Consult...
One dataset to rule them all, one team to find them. One tool to bring them all and the database bin...
The rise of the Chief Data Officer (CDO) has been meteoric in recent years. Despite being one of the...
The consequences of sensitive data getting into the wrong hands can be significant, and a considerab...
According to the recently-published DLA Piper GDPR Data Breach Survey 2020, more than 160,000 data b...
By Nehal Maniar, Chief Technology Officer, Trūata.