As the world hurtles ever closer towards the European Union’s General Data Protection Regulation (GDPR) coming into effect, conclusive interpretations of its various aspects have yet to be reached despite the fact that the media is abuzz with commentaries, guides, and solutions. The one thing that is clear is the aim of the GDPR – making personal data secure.
So, what constitutes ‘personal data’? In the GDPR, personal data means any data that relates to “an identifiable natural person”. Customer names, email addresses, photographs, work information, conversations, media files, and a lot of other information that could identify individuals are usually digitally processed and stored by organisations.
For organisations that want to comply with GDPR, strict access controls and meticulously tracked access to data must be enforced. Personal data is present in almost every area of IT, therefore the consequences of non-compliance must be considered by every organisation concerned with its own responsibility in data-related activities.
The privileged access threat
Cyber attacks can be launched from both internal and external sources. Following recent high profile cyber attacks, analysis has shown that hackers from outside and within are exploiting privileged access to perpetrate attacks.
Most attacks compromise personal data that is processed or stored by IT applications and devices. Security researchers point out that almost all types of cyber attacks nowadays involve privileged accounts.
Targeting privileged accounts
In internal and external attacks alike, unauthorised access and misuse of privileged accounts—the “keys to the IT kingdom”—have emerged as the main techniques used by criminals. Administrative passwords, system default accounts, as well as hard-coded credentials in scripts and applications have all become the prime targets cyber criminals use to gain access.
Hackers typically launch a simple phishing or spear-phishing attack as a way of gaining a foothold in a user’s machine. They then install malicious software and look for the all-powerful administrative passwords — which give unlimited access privileges — to move laterally across the network, infect all computers, and siphon off data.
The moment the hacker gains access to an administrative password, the entire organisation becomes vulnerable to attacks and data theft. Perimeter security devices cannot fully guard enterprises against these types of privilege attacks.
Organisations are required to work with third parties such as vendors, business partners, and contractors for a variety of purposes. Quite often, third-party partners are provided with remote privileged access to physical and virtual resources within the organisation.
Even if your organisation has robust security controls in place, you never know how third parties are handling your data. Hackers could easily exploit vulnerabilities in your supply chain or launch phishing attacks against those who have access and gain entry to your network. It is imperative that privileged access granted to third parties is controlled, managed, and monitored.
Additionally, malicious insiders — including disgruntled IT staff, greedy techies, sacked employees, and IT staff working with third parties — could plant logic bombs or steal data. Uncontrolled administrative access is a potential security threat, jeopardising your business.
Taking control of privileged access
The GDPR requires that organisations ensure and demonstrate compliance with its personal data protection policies. Protecting personal data, in turn, requires complete control over privileged access—the foundational tenet of the GDPR. Controlling privileged access requires you to:
• Group the privileged accounts in a secure, centralised vault.
• Enforce strong, unique passwords and enforce periodic password rotation.
• Restrict access to accounts based on job roles and responsibilities.
• Enforce additional controls for releasing the passwords of sensitive assets.
• Audit all access to privileged accounts.
• Completely eliminate hard-coded credentials in scripts and applications.
• Wherever possible, grant remote access to IT systems without revealing the credentials in plaintext.
• Enforce strict access controls for third parties and closely monitor their activities.
• Establish dual controls to closely monitor privileged access sessions to highly sensitive IT assets.
• Record privileged sessions for forensic audits.
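As an added illustration of several of the controls listed above (rotation, unique passwords, no hard-coded credentials, tracked third-party accounts), the following script audits a constructed privileged-account inventory and a couple of constructed script excerpts; it is example code written for this page, not ManageEngine's product or the article's own material, and the inventory fields, hash values and regex are assumptions.

```python
import re
from datetime import date

# Constructed inventory of privileged accounts (hypothetical data, not from the article).
# "pw_hash" stands in for the hash a vault would store; the same hash on two accounts
# means the same password is shared, i.e. not unique.
ACCOUNTS = [
    {"name": "root@db01", "owner_role": "dba", "last_rotated": date(2017, 1, 10), "pw_hash": "h1"},
    {"name": "admin@fw01", "owner_role": "netops", "last_rotated": date(2017, 5, 2), "pw_hash": "h2"},
    {"name": "svc_backup", "owner_role": "vendor", "last_rotated": date(2016, 11, 1), "pw_hash": "h1"},
]

# Constructed script excerpts: one embeds a password on the command line, the other
# fetches it from a vault at run time (hypothetical vault API name).
SCRIPTS = {
    "deploy.sh": "mysql -u root -pSup3rSecret! prod\n",
    "rotate.py": 'pw = vault.fetch("root@db01")\n',
}

# Assumed patterns for credentials embedded in scripts (mysql -p<pw>, password=..., passwd=...).
CRED_PATTERN = re.compile(r"(-p\S+|password\s*[=:]\s*\S+|passwd\s*=\s*\S+)", re.IGNORECASE)


def overdue_rotation(accounts, today, max_age_days=90):
    """Accounts whose password is older than the rotation policy allows."""
    return [a["name"] for a in accounts if (today - a["last_rotated"]).days > max_age_days]


def shared_passwords(accounts):
    """Map each password hash used by more than one account to those accounts."""
    by_hash = {}
    for a in accounts:
        by_hash.setdefault(a["pw_hash"], []).append(a["name"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def hard_coded_credentials(scripts):
    """Script names whose text matches an embedded-credential pattern."""
    return sorted(name for name, text in scripts.items() if CRED_PATTERN.search(text))


def third_party_accounts(accounts):
    """Privileged accounts held by external parties, which need extra monitoring."""
    return [a["name"] for a in accounts if a["owner_role"] == "vendor"]


def audit(accounts, scripts, today):
    """Collect all findings into one report dictionary."""
    return {
        "overdue_rotation": overdue_rotation(accounts, today),
        "shared_passwords": shared_passwords(accounts),
        "hard_coded_credentials": hard_coded_credentials(scripts),
        "third_party_accounts": third_party_accounts(accounts),
    }
```

Running `audit(ACCOUNTS, SCRIPTS, date(2017, 6, 1))` flags the two stale accounts, the shared hash, the vendor account and `deploy.sh`.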
As explained above, controlling, monitoring, and managing privileged access calls for automating the entire life cycle of privileged access. Manual approaches to privileged access management, by contrast, are time-consuming, error prone, and may not be able to provide the desired level of security controls.
The market abounds with automated privileged access management solutions, which can empower you to achieve total control over privileged access in your organisation, thereby laying a solid foundation for GDPR compliance.
Though fully complying with the GDPR requires a variety of solutions, processes, people, and technologies, automating privileged access management serves as the foundation for GDPR compliance. Together with other appropriate solutions, processes, and people, privileged access management helps reinforce IT security and prevent data breaches.
Sourced by V Balasubramanian, product manager, ManageEngine