After years of debates among European policymakers, the General Data Protection Regulation (GDPR) of the European Union (EU) came into implementation in May 2018.
GDPR applies to businesses that deal with private EU resident data (GDPR 1 & 14), regardless of whether the company is based in the EU. For example, a US company with a subsidiary in the EU territory, or even just conducting business with EU residents, is bound by the Regulations. In other words, GDPR impacts virtually every company of any size anywhere in the world.
GDPR sets standards for various IT security protocols when dealing with personal data, such as privacy settings (which by default must be set at high) and the need to report data breaches in a timely manner.
The Challenge of Third-Party Outsourcing
One major area of the IT industry set to be affected by the regulations involves privileged account access and the entire industry of third-party management of these accounts (GDPR 4 & 9).
Privileged accounts allow administrative or “root” access to a system. Users and third-party vendors possessing control over these accounts can access and modify critical system settings and see monetized data such as credit card and social security numbers. That is why access to privileged accounts needs to be tightly controlled and easily revoked when no longer necessary.
The situation becomes particularly tricky when it comes to third-party outsourcing for various IT tasks, especially when managing, recording, or otherwise dealing with sensitive personal data.
Quite often, third-party partners are provided with remote privileged access to physical and virtual resources within the organization. This arrangement can open a potential soft target for cybercriminals. Hackers typically go for the weakest link in the chain and much sooner target a vulnerable service provider with privileged access to a large firm than attempt a head-on breach of the target organization. Thus, cybercriminals will look for access points in a company’s supply chain or other IT vendors employed by the company.
Indeed, as observed from most infamous cyber attacks (internal and external attacks alike), unauthorized access and misuse of privileged accounts have emerged as the main techniques used by criminals. Hackers typically launch a simple “phishing” attack to get users to grant a foothold into a machine, which later can allow them to install malicious software (to scan the system for administrative passwords) and access privileged accounts. Hackers then can move laterally across the network and siphon off the valuable data they want to steal.
Imagine the consequences of such an attack pulled off on just one IT service provider employed by several large companies. With this in mind, it is not surprising that achieving GDPR compliance requires that a company track administrative access control, not just for internal users but also when granted to outside parties (GDPR 1 & 47).
Effective Management Solutions to Comply with GDPR
The key for an organization to stay in line with GDPR in the face of the privileged accounts challenge is a robust Privileged Access Management (PAM) solution.
A sound PAM system offers a secure, streamlined way to authorize and monitor all privileged users for all relevant systems. A few essential features of a PAM system include the following:
- The system should be able to grant and revoke privileges to users based on a set time frame or project completion.
- The system should also be able to centrally and quickly manage that access over a disparate set of systems dealing with personal data.
- Finally, and perhaps most importantly, a PAM solution must be able to create an unalterable audit trail for any operations using privileged accounts.
In this way, a company can maintain considerable control over the operations of third-party service providers and track their actions on company systems.
If a company wants to ensure effective management of its privileged accounts, user experience is key.
Any PAM solution chosen by a company should be easy to install and interact with for all members of an organization. All team members should be able to understand system alerts and instructions clearly.
Automation is also a critical aspect of PAM. While the IT department of any company will almost always be required to interact manually with programs, manual approaches to privileged access management are time-consuming and error-prone. Most importantly, due to the complexity of tracking activities for multiple users, manual solutions may not be able to provide the desired level of security controls. The market abounds with automated PAM solutions, which can control privileged access without the logistical cost of man-hours and the added risk of human error.
The Bottom Line
When a company is assessing how to manage their privileged users, the most important thing to consider is the potential costs of non-compliance in the event of a breach.
GDPR levies severe fines for companies that fail to abide by its security standards and fall victim to a cyber-attack. Under regulations, a company can be fined 1,000,000 EUR, or up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR 83 & 4). Compare this potential fine to the relatively small investment in a company-wide PAM system, averaging approximately $3,000 for acquisition and installation plus around $300 for each user endpoint managed by the program.
Of course, this does not include the long-term reputation costs of a data breach from a hacked privileged account. In the modern cyber world, nothing is more detrimental to a brand than a substantial breach. A recent Ponemon study surveyed significant US corporations that suffered such hacks; the impact was measured at nearly a $4 million decrease in annual revenue.
With these price tags of insufficient data security hanging overhead, companies should take to heart the importance and benefits of efficient privilege management. Harnessing these tools now will allow a company to continue to excel while staying competitive in the era of GDPR.
Sectona can Protect your Privileged Accounts with its PAM
Sectona Security Platform is a cutting-edge Privileged Access Management solution to secure enterprise privileged accounts from internal and external threats. Users can ensure better access security and management with the tool’s lightweight, integrated features in a single console. Explore the power of automation. Learn more here.