After years of debate among European policymakers, the General Data Protection Regulations (GDPR) of the European Union have been codified. The new rules are set to go into effect in May of this year. GDPR applies to any business that deals with private EU resident data (GDPR 1 & 14). This is regardless of whether the company is based in the EU. For example, a US company with a subsidiary in the EU territory, or even just conducting business with EU residents, would be bound by the Regulations. In other words, GDPR impacts virtually every company of any size anywhere in the world. GDPR sets standards for a variety of IT security protocols when dealing with personal data, such as privacy settings (which by default must be set at high), and the need to report data breaches in a timely manner.
The Challenge of Third Party Outsourcing
One major area of the industry set to be affected by the regulations involves privileged account access and the entire industry of third party management of these accounts (GDPR 4 & 9). Privileged accounts are those that allow administrative or “root” access to a system. Those with control of these accounts can access and modify critical system settings, and see monetized data such as credit card and social security numbers. That is why access to privileged accounts need to be tightly controlled and easily revoked when no longer necessary. The situation becomes particularly tricky when it comes to third party outsourcing for various IT tasks, especially when these tasks involve managing, recording, or otherwise dealing with sensitive personal data. Quite often, third-party partners are provided with remote privileged access--albeit often temporary--to physical and virtual resources within the organization. This arrangement opens a potential soft target for cyber criminals. Hackers go for the weakest link in the chain. They will much sooner target a weak service provider with privileged access to a large firm then attempt a head on breach of the target organization. Thus criminals will look for points of access in a company’s supply chain or other IT vendors being employed by the company. Indeed, in observing the most recent major cyber-attacks --internal and external attacks alike--unauthorized access and misuse of privileged accounts have emerged as the main techniques used by criminals. Hackers typically launch a simple “phishing” attack as a way of getting users to grant a foothold into a machine, which allows them to install malicious software to scan the system for administrative passwords to privileged accounts. Hackers can then move laterally across the network and siphon off the valuable data they’re looking for. Imagine the consequences of such an attack pulled off on just one IT service provider employed by a number of large companies. With this in mind, it is not surprising that achieving GDPR compliance requires that a company track administrative access control, not just for internal users, but also when granted to outside parties (GDPR 1 & 47).
Effective Management Solutions
The key for an organization to stay in line with GDPR in the face of the privileged accounts challenge is a robust Privileged Access Management (PAM) solution. A good PAM system offers a secure, streamlined way to authorize and monitor all privileged users for all relevant systems. The system should be able to grant and revoke privileges to users for systems on which they are authorized based on set time frame or project completion. The system should also be able to centrally and quickly manage that access over a disparate set of systems dealing with personal data. Finally, and perhaps most importantly, a PAM solution must be able to create an unalterable audit trail for any operations using privileged accounts. In this way a company can maintain considerable control over the operations of third party service providers and track their actions on company systems. It should be noted that if a company wants to insure effective management of their privileged accounts, user experience is key. Any PAM solution chosen by a company should be easy to install and interact with for all members of an organization. All team members should be able to clearly understand system alerts and instructions. Automation is also a very important element. While the IT department of any company will almost always be required to manually interact with programs, manual approaches to privileged access management are time-consuming and error prone. Most importantly, due to the complexity of tracking activities for multiple users, manual solutions may not be able to provide the desired level of security controls. The market is abound with automated PAM solutions, which can provide control over privileged access without the logistical cost of man hours and the added risk of human error.
The Bottom Line
When a company is assessing how to go about managing their privileged access users the most important thing to consider is the potential costs of non-compliance in the event of a breach. GDPR levies serious fines on companies that fail to abide by its security standards and fall victim to a cyber-attack as a result. Under the Regulations a company can be fined 1,000,000 EUR, or up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR 83 & 4). Compare this potential fine to the relatively small investment in a company-wide PAM system, averaging approximately $3,000 for acquisition and installation plus around $300 for each user endpoint being managed by the program. This is of course not including the long term reputation costs of a data breach that comes from a hacked privileged account. In the modern cyber world nothing is more detrimental to a brand than a substantial breach. In a recent Ponemon study that surveyed major US corporations that suffered such hacks, the impact was measured at nearly a $4 million decrease in annual revenue. With these price tags of insufficient data security hanging overhead, companies should take to heart the importance and benefits of efficient privilege management. Harnessing these tools now will allow a company to continue to excel and while staying competitive in the era of GDPR.
Sectona can protect your privileged accounts with its PAM
Our Privileged Access Management (PAM) solution is tailor-made to protect businesses from such challenges and ensure user and data security. Read our Privileged Access Management Datasheet to learn more about our approaches.