GDPR is finally with us, and within hours of it becoming enforceable Google and Facebook were hit with privacy complaints that could lead to fines of up to $9.3 billion. This is a clear demonstration that the European Union (EU) is willing to take action, and that any company doing business in Europe has to be prepared for GDPR. In this, the first of two blogs, I’ll look at how an effective Identity and Access Management (IAM) strategy sits at the heart of GDPR compliance.
I don’t want to re-hash all the details of GDPR, but suffice to say, the purpose of the legislation is to radically shift the relationship between individuals and companies in the handling of personal information. The individual – customer, employee, contractor, supplier – now has much greater control over how their information is gathered, stored, processed, used and shared. Fines can be levied where data has been misused or a data breach has occurred.
Preventing and dealing with data breaches is a core element of GDPR, which makes it strange that so much more attention has been given to data protection technology than to identity management. As I have said in previous blogs, organizations can no longer take an internally focused view of IAM when the network perimeter becomes more porous every day. You need to find ways to enable controlled and secure access for employees, partners, mobile workers, contractors and customers. In this context, GDPR requires that you pay close attention to how all of these actors access the sensitive, personal data that you hold.
The cost of data breaches
Hilton Hotels was fined $700,000 for data breaches that occurred in 2015. One industry estimate suggests that fine could have been $420 million under GDPR, where the maximum penalty is 4% of global annual turnover. That figure will capture the attention of any company when you consider the range of insider and outsider information threats happening today. In 2017, Security Intelligence reported that 75% of breaches came from insiders, and according to the Ponemon Institute, the most likely cause of a data breach is a careless insider, followed by a malicious insider, followed by an external hacker.
Think about that: it could be you or a colleague who inadvertently causes an information or systems breach. Unfortunately, precisely this just happened to Reddit.
Under GDPR, all of these threats to data privacy have to be carefully managed. Although there is little explicit in the regulation about IAM, GDPR calls for ‘Privacy by Design’ (the regulation’s own term is ‘data protection by design and by default’) to be delivered through technical implementation that must include ‘user authentication’. This requires an IAM strategy and platform that provides controlled access to the sensitive personal information you hold, for everyone who accesses that data, across the whole lifecycle: from when the user is first given access, as their roles change, to when they no longer need access to the data.
Implementing an IAM strategy for GDPR
To comply with GDPR, you need to ensure that personal data can only be accessed by the right people, for the explicit purpose for which it was collected, and only for the period it is required. Data minimization is a key theme of the regulation: you must hold as little data on any individual as you possibly can. The IAM counterpart of data minimization is least privilege: every user should be given the minimum amount of access necessary, and no more.
However, while access must be kept to a minimum, the authentication and authorization you apply cannot be. For example, many organizations are creating central Single Sign-On (SSO) capabilities for all their corporate assets. This appears to deliver both convenience to the user and security for the organization, but, if applied universally without further controls, it will be a red flag for GDPR.
The danger is that one login grants general access to assets the user is not actually authorized for: SSO proves who the user is, it does not decide what they may do. Such general access may be acceptable where no personal or sensitive data is involved, but wherever personal data is accessed you will need multi-factor authentication to ensure the person is who they claim to be, together with an explicit authorization check that they hold access rights to that data for that purpose.
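The following is an added example, not code from the original post: a per-resource authorization decision that runs after an SSO provider has identified the user. It assumes the SSO session carries an authentication-level claim (`"password"` or `"mfa"`, an assumed claim name), that each resource is tagged with whether it holds personal data and the purpose that data was collected for, and that entitlements are recorded per user as (resource, purpose) pairs; all users, resources and entitlements below are constructed. It shows the point above in code: SSO settles identity, but personal data still needs an entitlement for the stated purpose and a step-up to a second factor before access is allowed.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up to MFA"   # re-authenticate with a second factor, then retry
    DENY = "deny"


@dataclass(frozen=True)
class Resource:
    name: str
    personal_data: bool   # does this asset hold personal data?
    purpose: str          # purpose the data was collected for (assumed tag)


@dataclass(frozen=True)
class Session:
    user: str
    auth_level: str       # "password" or "mfa", as asserted by SSO (assumed claim)


# Constructed sample assets: an HR system holding personal data and a wiki that does not.
HR_RECORDS = Resource("hr-records", personal_data=True, purpose="payroll")
WIKI = Resource("wiki", personal_data=False, purpose="general")

# Constructed entitlement table: user -> {(resource name, purpose granted for)}.
ENTITLEMENTS = {
    "alice": {("hr-records", "payroll"), ("wiki", "general")},
    "bob": {("wiki", "general")},
}


def authorize(session: Session, resource: Resource, purpose: str,
              entitlements=ENTITLEMENTS) -> Decision:
    """Decide access for one request, after SSO has already identified the user."""
    granted = entitlements.get(session.user, set())
    # 1. SSO proves identity only; the user still needs an entitlement for this resource.
    #    Denial is checked first so an unauthorized user is never prompted for MFA.
    if (resource.name, purpose) not in granted:
        return Decision.DENY
    # 2. Purpose limitation: personal data may only be used for the purpose it was
    #    collected for, even if someone granted an entitlement for another purpose.
    if resource.personal_data and purpose != resource.purpose:
        return Decision.DENY
    # 3. Personal data needs stronger proof of identity than a single SSO password.
    if resource.personal_data and session.auth_level != "mfa":
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    for sess, res, purpose in [
        (Session("alice", "password"), WIKI, "general"),
        (Session("alice", "password"), HR_RECORDS, "payroll"),
        (Session("alice", "mfa"), HR_RECORDS, "payroll"),
        (Session("bob", "mfa"), HR_RECORDS, "payroll"),
    ]:
        print(sess.user, sess.auth_level, res.name, purpose, "->",
              authorize(sess, res, purpose).value)
```

The order of the checks matters: entitlement and purpose are evaluated before the step-up, so a user with no right to the data is simply refused and never learns that the resource exists behind an MFA prompt.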
For most organizations, there will be three elements to your IAM strategy:
1. Employees
It’s not enough to know what personal data you hold and which employees and departments have access to it. For GDPR, IAM has to be much more granular. You need to know where all your sensitive data is stored, who has access to it, and the level of access they have. You must be able to manage changes in status quickly to prevent ‘entitlement creep’, where a user’s role changes and they are granted new access without their old access rights being switched off. In addition, you must identify and eliminate ‘ghost accounts’: industry research suggests that as many as a quarter of all accounts are inactive, and these are an increasingly attractive target for attackers.
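As an added example (not code from the original post), here is the kind of access review that catches the two problems just described. It assumes two constructed exports: an HR feed giving each account’s current role, last login and enabled flag, and a directory export giving each account’s group memberships, plus a role-to-groups table stating which groups each role should carry; the 90-day inactivity threshold and all names are assumptions. Ghost accounts are those with no login inside the threshold, and entitlement creep is any group membership not justified by the account’s current role.

```python
from datetime import date, timedelta

INACTIVE_DAYS = 90  # assumed review threshold for 'ghost' accounts

# Constructed role model: the groups each role is entitled to, and nothing else.
ROLE_GROUPS = {
    "sales": {"crm-users", "vpn-users"},
    "hr": {"hr-records-read", "hr-records-write", "vpn-users"},
    "finance": {"payroll-read", "vpn-users"},
}

# Constructed HR feed. 'svc-legacy' has no owner role and has never logged in.
ACCOUNTS = [
    {"user": "alice", "role": "hr", "last_login": date(2018, 8, 20), "enabled": True},
    {"user": "bob", "role": "finance", "last_login": date(2018, 8, 19), "enabled": True},
    {"user": "carol", "role": "sales", "last_login": date(2018, 1, 3), "enabled": True},
    {"user": "svc-legacy", "role": None, "last_login": None, "enabled": True},
]

# Constructed directory export. 'bob' moved from HR to finance and kept an HR group.
MEMBERSHIPS = {
    "alice": {"hr-records-read", "hr-records-write", "vpn-users"},
    "bob": {"payroll-read", "vpn-users", "hr-records-read"},
    "carol": {"crm-users", "vpn-users"},
    "svc-legacy": {"payroll-read"},
}


def ghost_accounts(accounts, today, inactive_days=INACTIVE_DAYS):
    """Enabled accounts with no login on or after the cutoff (never logged in counts)."""
    cutoff = today - timedelta(days=inactive_days)
    ghosts = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_login"]
        if last is None or last < cutoff:
            ghosts.append(acct["user"])
    return sorted(ghosts)


def entitlement_creep(accounts, memberships, role_groups):
    """Map each user to the groups their current role does not justify."""
    creep = {}
    for acct in accounts:
        # An account with no role (e.g. an orphaned service account) justifies nothing.
        allowed = role_groups.get(acct["role"], set())
        extra = memberships.get(acct["user"], set()) - allowed
        if extra:
            creep[acct["user"]] = sorted(extra)
    return creep


def review(today, accounts=ACCOUNTS, memberships=MEMBERSHIPS, role_groups=ROLE_GROUPS):
    """One review run: what to disable, and what to revoke."""
    return {
        "disable": ghost_accounts(accounts, today),
        "revoke": entitlement_creep(accounts, memberships, role_groups),
    }


if __name__ == "__main__":
    report = review(date(2018, 8, 22))
    print("Accounts to disable:", report["disable"])
    for user, groups in report["revoke"].items():
        print(f"Revoke from {user}: {groups}")
```

Note that the two checks are deliberately independent: `svc-legacy` is both a ghost and an entitlement-creep finding, and `bob` is active but still shows up for revocation, which is exactly the case a login-based check alone would miss.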
2. Partners and contractors
There is perhaps no company left whose personal data remains within its own four walls. Sharing and collaborating on data is essential to the many organizations working within complex ecosystems of partners. In addition, those companies are relying more and more on contract staff and mobile workers. Especially if you are a Data Controller, the organization that determines the purposes and means of processing personal data, you need to be able to ensure proper access control for data held beyond the corporate firewall. This will involve pervasive federated authentication, so that you manage not only all the personal data but also the interactions of the users who have access to it.
3. Customers
It is not only large eCommerce enterprises where customers are gaining more direct access to the corporate network. Any organization that offers online services, government or private, is enabling its customers to create digital identities. These all include self-service capabilities and, most often, rely on simple password authentication. This is a vulnerability, and you need to apply the same GDPR concepts of data minimization and secure user authentication to customer identities as well.
In the past, many organizations have been slow to implement an enterprise IAM strategy but GDPR should change this perspective. It moves the need to protect personal data beyond the employee to encompass partners, suppliers, mobile workforce and customers. It’s difficult to see how an organization can comply with the regulation without taking this approach.
Traditional approaches have often revolved around simple, manual access control processes such as using Active Directory groups. The drawback is that these processes are slow, cumbersome and costly; they don’t scale well, and they often fail to monitor or manage what users can actually access.
This is no longer acceptable under GDPR, and IAM has to become a strategic effort for all organizations. All companies must consider the urgent need to create and continuously update an identity governance program backed by an enterprise IAM platform that provides dynamic and comprehensive authentication and authorization capabilities across your organization and your trading partner network.
In this way, you can protect access to personal information in your organization, minimizing the risk of data breaches and reducing your exposure to fines.
If you’d like to know more about how an effective IAM strategy can help you secure data access that GDPR requires, please contact me through this blog. In my next blog, I’ll take a deeper look at the role IAM plays in meeting data protection requirements under GDPR.