GDPR compliance begins with privileged access management

The impending GDPR represents the greatest ever shake up to data protection law, and businesses better get ready.

As the world hurtles ever closer towards the European Union’s General Data Protection Regulation (GDPR) coming into effect, conclusive interpretations of its various aspects have yet to be reached despite the fact that the media is abuzz with commentaries, guides, and solutions. The one thing that is clear is the aim of the GDPR – making personal data secure.

So, what constitutes ‘personal data’? In the GDPR personal data means that any data that relates to “an identifiable natural person”. Customer names, email addresses, photographs, work information, conversations, media files, and a lot of other information that could identify individuals are often usually digitally processed and stored by organisations.

>See also: One year to GDPR: guide to compliance 

For organisations that want to comply with GDPR, strict access controls and meticulously tracked access to data must be enforced. Personal data is present in almost every area of IT, therefore the consequences of non-compliance must be considered by every organisation concerned with its own responsibility in data-related activities.

The privileged access threat

Cyber attacks can be launched from both internal and external sources. Following recent high profile cyber attacks, analysis has shown that hackers from outside and within are exploiting privileged access to perpetrate attacks.

Most attacks compromise personal data that is processed or stored by IT applications and devices. Security researchers point out that almost all types of cyber attacks nowadays involve privileged accounts.

Targeting privileged accounts

In internal and external attacks alike, unauthorised access and misuse of privileged accounts—the “keys to the IT kingdom”—have emerged as the main techniques used by criminals. Administrative passwords, system default accounts, as well as hard-coded credentials in scripts and applications have all become the prime targets cyber criminals use to gain access.

>See also: Turning GDPR into a business opportunity

Hackers typically launch a simple phishing or spear-phishing attack as a way of gaining a foothold in a user’s machine. They then install malicious software and look for the all-powerful administrative passwords — which give unlimited access privileges — to move laterally across the network, infect all computers, and siphon off data.

The moment the hacker gains access to an administrative password, the entire organisation becomes vulnerable to attacks and data theft. Perimeter security devices cannot fully guard enterprises against these types of privilege attacks.

Remote control

Organisations are required to work with third parties such as vendors, business partners, and contractors for a variety of purposes. Quite often, third-party partners are provided with remote privileged access to physical and virtual resources within the organisation.

Even if your organisation has robust security controls in place, you never know how third parties are handling your data. Hackers could easily exploit vulnerabilities in your supply chain or launch phishing attacks against those who have access and gain entry to your network. It is imperative that privileged access granted to third parties is controlled, managed, and monitored.

>See also: How to implement a secure defence from hackers

Additionally, malicious insiders — including disgruntled IT staff, greedy techies, sacked employees, and IT staff working with third parties — could plant logic bombs or steal data. Uncontrolled administrative access is a potential security threat, jeopardising your business.

Taking control of privileged access

The GDPR requires that organisations ensure and demonstrate compliance with its personal data protection policies. Protecting personal data, in turn, requires complete control over privileged access—the foundational tenet of the GDPR. Controlling privileged access requires you to:

 Group the privileged accounts in a secure, centralised vault.
 Enforce strong, unique passwords and enforce periodic password rotation.
 Restrict access to accounts based on job roles and responsibilities.
 Enforce additional controls for releasing the passwords of sensitive assets.
 Audit all access to privileged accounts.
 Completely eliminate hard-coded credentials in scripts and applications.

>See also: Regulation-led security can give hackers a blueprint to a business network

 Wherever possible, grant remote access to IT systems without revealing the credentials in plaintext.
 Enforce strict access controls for third parties and closely monitor their activities.
 Establish dual controls to closely monitor privileged access sessions to highly sensitive IT assets.
 Record privileged sessions for forensic audits.

As explained above, controlling, monitoring, and managing privileged access calls for automating the entire life cycle of privileged access. However, manual approaches to privileged access management are time-consuming, error prone, and may not be able to provide the desired level of security controls.

Market is abound with automated privileged access management solutions, which can empower you to achieve total control over privileged access in your organisation, thereby laying a solid foundation for GDPR compliance.

Though fully complying with the GDPR requires a variety of solutions, processes, people, and technologies, automating privileged access management serves as the foundation for GDPR compliance. Together with other appropriate solutions, processes, and people, privileged access management helps reinforce IT security and prevent data breaches.

 

Sourced by V Balasubramanian, product manager, ManageEngine

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...