Impact of GDPR on third-party use of privileged accounts

After years of debate among European policymakers, the General Data Protection Regulation (GDPR) of the European Union has been codified. The new rules are set to go into effect in May of this year. GDPR applies to any business that deals with the personal data of EU residents (GDPR 1 & 14), regardless of whether the company is based in the EU. For example, a US company with a subsidiary in EU territory, or even one that merely conducts business with EU residents, would be bound by the Regulation. In other words, GDPR affects virtually every company of any size anywhere in the world. GDPR sets standards for a variety of IT security controls when dealing with personal data, such as privacy settings (which by default must be set high) and the need to report data breaches in a timely manner.

The Challenge of Third Party Outsourcing

One major area of the industry set to be affected by the regulations is privileged account access and the entire industry of third-party management of these accounts (GDPR 4 & 9). Privileged accounts are those that allow administrative or “root” access to a system. Those in control of these accounts can access and modify critical system settings and view monetizable data such as credit card and social security numbers. That is why access to privileged accounts needs to be tightly controlled and easily revoked when no longer necessary. The situation becomes particularly tricky when it comes to third-party outsourcing of IT tasks, especially when these tasks involve managing, recording, or otherwise handling sensitive personal data. Quite often, third-party partners are given remote privileged access (albeit often temporary) to physical and virtual resources within the organization. This arrangement opens a potential soft target for cyber criminals. Hackers go for the weakest link in the chain. They will much sooner target a weak service provider with privileged access to a large firm than attempt a head-on breach of the target organization. Thus criminals will look for points of access in a company’s supply chain or among the other IT vendors the company employs. Indeed, in the most recent major cyber-attacks, internal and external alike, unauthorized access to and misuse of privileged accounts have emerged as the main techniques used by criminals. Hackers typically launch a simple “phishing” attack to get users to grant them a foothold on a machine, which allows them to install malicious software that scans the system for administrative passwords to privileged accounts. They can then move laterally across the network and siphon off the valuable data they are looking for. Imagine the consequences of such an attack pulled off against just one IT service provider employed by a number of large companies. With this in mind, it is not surprising that achieving GDPR compliance requires a company to track administrative access control, not just for internal users but also when access is granted to outside parties (GDPR 1 & 47).

Effective Management Solutions

The key for an organization to stay in line with GDPR in the face of the privileged accounts challenge is a robust Privileged Access Management (PAM) solution. A good PAM system offers a secure, streamlined way to authorize and monitor all privileged users on all relevant systems. It should be able to grant and revoke privileges for the systems on which users are authorized, based on a set time frame or on project completion. It should also be able to manage that access centrally and quickly across a disparate set of systems dealing with personal data. Finally, and perhaps most importantly, a PAM solution must be able to create an unalterable audit trail of every operation performed with privileged accounts. In this way a company can maintain considerable control over the operations of third-party service providers and track their actions on company systems. It should be noted that if a company wants to ensure effective management of its privileged accounts, user experience is key. Any PAM solution a company chooses should be easy to install and to interact with for all members of the organization, and all team members should be able to clearly understand system alerts and instructions. Automation is also a very important element. While the IT department of any company will almost always need to interact with programs manually, manual approaches to privileged access management are time-consuming and error-prone. Most importantly, due to the complexity of tracking the activities of multiple users, manual solutions may not be able to provide the desired level of security controls. The market abounds with automated PAM solutions, which can provide control over privileged access without the logistical cost of man-hours and the added risk of human error.

The Bottom Line

When a company is assessing how to manage its privileged access users, the most important thing to consider is the potential cost of non-compliance in the event of a breach. GDPR levies serious fines on companies that fail to abide by its security standards and fall victim to a cyber-attack as a result. Under the Regulation a company can be fined 1,000,000 EUR, or up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR 83 & 4). Compare this potential fine to the relatively small investment in a company-wide PAM system, averaging approximately $3,000 for acquisition and installation plus around $300 for each user endpoint managed by the program. This does not even include the long-term reputational cost of a data breach that stems from a hacked privileged account. In the modern cyber world nothing is more detrimental to a brand than a substantial breach. In a recent Ponemon study that surveyed major US corporations that suffered such hacks, the impact was measured at nearly a $4 million decrease in annual revenue. With these price tags for insufficient data security hanging overhead, companies should take to heart the importance and benefits of efficient privilege management. Harnessing these tools now will allow a company to continue to excel while staying competitive in the era of GDPR.

Sectona can protect your privileged accounts with its PAM

Our Privileged Access Management (PAM) solution is tailor-made to protect businesses from such challenges and to ensure user and data security. Read our Privileged Access Management Datasheet to learn more about our approach.
November 7, 2017

Are passwords a weakling in the world of authentication?

Most organizations still follow the policy of using passwords to gain access to critical systems and assets. While dual-factor authentication may be enabled, passwords remain the preferred favorite as one level of authentication. They are a way of life in an IT organization. Yet, despite repeated news of weak passwords being the cause of attacks, the practice of using them continues. Reports say that an average of 19% of enterprise professionals use poor-quality or shared passwords that make their accounts easily vulnerable. The 2016 Verizon Data Breach Investigations Report suggests that poor-quality, weak and shared passwords accounted for 63% of the confirmed data breaches. But is the quality of passwords alone to blame here? The advent of BYOD has added fuel to the fire, come to think of it. You cannot keep complex passwords because it gets difficult to type them on a mobile device, for instance. Secondly, best practice suggests that you should not stay logged in unless you are required to access the system. So the quality of passwords naturally tends to be poor, owing to the convenience of typing them out. Today a dual-factor authentication mechanism has become a usual affair. So the question arises: how compatible is a dual-factor mechanism when it has to be set up across all media? Can a dual-factor token used on a laptop be used seamlessly on a tablet or mobile device? If not, is authentication compromised? What needs to be done in such a scenario?

Solution for better authentication

The ideal solution is first to ensure a multi-factor authentication mechanism is in place, if not already implemented. BYOD is an inevitable exercise in today’s times, so the multi-factor authentication solution should provide flexibility and compatibility across devices. To begin with, passwords should be at least an 8-character alphanumeric string: a combination of lowercase and uppercase letters, numbers and special characters. Special care should also be taken to ensure that common dictionary words and commonly used passwords are not used. This in itself ensures there are at the very least 100+ million combinations. A hacker’s toolkit is not going to be able to crack the combinations quickly, nor is the hacker going to take the pains of identifying the right combination. In conjunction with this, a dual-factor mechanism should be used. As far as the second factor is concerned, flexibility across devices through compatible authentication mechanisms should be enabled: for instance, a dual-factor token for a laptop, biometric authentication such as fingerprint scanning for mobile, or voice recognition for tablet devices should all be accepted for access to the same system. This can ensure foolproof authentication while keeping authentication methods flexible across devices. Having said this, the better scenario would be to have common and apt authentication mechanisms across all media, i.e. laptop, mobile and tablet.

Fool-proof solution for robust authentication

Will the above-mentioned techniques be effective considering the zillions of user passwords and user authentications that need to be managed in organizations? Managing these manually would be a futile and unproductive exercise. The most effective solution for ensuring robust security while keeping productivity intact would be to install password management, single sign-on and multi-factor authentication tools. Better still would be to deploy a Privileged Access Management (PAM) solution that has these capabilities. A PAM solution is well rounded in its ability to automatically manage passwords and ensure strong authentication and access mechanisms.

How Sectona can help

Sectona has built its own Privileged Access Management solution, Spectra PAM, with robust privileged password management and authentication techniques to ensure strong security of user access to critical devices, both in the cloud and on-premises.
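As an added example, not part of the original post, the following Python sketch implements the password rules described above: a check for the four character classes plus a blocklist of common passwords (with leetspeak variants normalized before lookup), and an inclusion-exclusion count of the 8-character search space behind the "100+ million combinations" figure. The blocklist contents and the 33-symbol count for special characters are constructed assumptions.

```python
import re
from itertools import combinations

# Character classes named in the post's policy. Printable ASCII is 95 characters:
# 26 lowercase, 26 uppercase, 10 digits and 33 symbols (space included).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
MIN_LENGTH = 8

# Constructed stand-in for a "common passwords" list; a real deployment would load
# a large corpus of breached passwords instead.
COMMON_PASSWORDS = {"password", "qwerty123", "letmein", "welcome1", "admin123"}

# Symbol-for-letter substitutions undone before the blocklist lookup, so a leetspeak
# variant of a blocked word does not slip through just because it passes the class checks.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(pw: str) -> str:
    """Lowercase, undo leetspeak and drop trailing digits/symbols ('P@ssw0rd!' -> 'password')."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET_MAP))

def policy_violations(pw: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common password after normalization")
    return problems

def policy_keyspace(length: int = MIN_LENGTH) -> int:
    """Count length-n strings that use every class at least once (inclusion-exclusion)."""
    # Start from all strings, subtract those missing one class, add back those missing two, ...
    sizes = list(CLASS_SIZES.values())
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total

if __name__ == "__main__":
    print(policy_violations("P@ssw0rd!"), f"{MIN_LENGTH}-char keyspace: {policy_keyspace():,}")
```

The keyspace for the stated policy comes out in the quadrillions, comfortably above the post's "100+ million" lower bound; the blocklist check is what removes the guessable fraction of it.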
October 16, 2017