How to prepare for the EU General Data Protection Regulation

The GDPR shows that the states of the EU are aware of the risks in the cyber world. Protection of private data and personal information is a core European value, and policy-wise organisations have to get ready for new standards. The EU regulation affects all organisations, even those that are not considered part of the critical infrastructure. In addition, the BSI in Germany is talking about further national policies. All of this shows that preparation is necessary.

EU GDPR: Compliance summary

It is difficult to anticipate the content of new laws and rules. General norms such as ISO 27001 provide a first point of orientation, but it should not be forgotten that compliance always starts with the security architecture. Tools – such as Privileged User and Access Management software – should therefore be chosen because they deliver added value for security, yet are flexible enough to satisfy existing and upcoming norms and regulations. This calls for security vendors that combine technological skill with experience of regional demands in order to master the twin challenge of compliance and IT security.

IT Compliance will be key!

In December 2015 the General Data Protection Regulation (GDPR) was agreed in trilogue by the European Parliament, the Council and the Commission and now awaits final approval by the member states and the EU Parliament. After the German IT Security Act that came into effect in July of the same year, the EU regulation will be another piece of IT legislation affecting the German economy. Unlike the German law, the GDPR will affect nearly all actors in the EU, not just the operators of critical infrastructure.

After the GDPR, more government regulation is likely to follow. The Federal Office for Information Security (BSI) argues that further action may be needed: “Time will show how the threat landscape in areas outside the critical infrastructure will develop. It could even make sense to issue further IT security policies if market mechanisms fail to create an appropriate level of protection.”

In general, it is good that action is being taken – states in Europe realise that the cyber world and their economies are at risk. The problem for the people on the ground is how to deal with these new requirements. Today's security architectures not only need to protect valuable assets, but also have to show clear patterns and satisfy different security norms. Regulations have to be taken into account, and audit mechanisms have to be in place so that compliance can be proven at any time. Accountability for actions and the identification of unusual user behaviour are gaining in importance.

IT Security, IT Operations, Audit & Compliance: everyone is concerned

All this has to happen in the age of digital integration, in which more and more devices and users request access to network resources. Security administrators need to protect networks and manage heterogeneous sets of access rights. At the same time, the cloud and the growing use of service providers add pressure on them, too. Problems can also arise within the IT staff itself – separate admins for Windows environments and virtual platforms, SAP super users or DBAs for the database systems are just a few examples. Some accounts are not associated with a single person but are shared between several users, so the account name alone says nothing about who actually acted.

And still new legal demands keep coming – even though it has been planned for several years, few organisations have addressed the GDPR. A survey among 7,000 cloud service providers showed that only one percent of the companies asked are ready for the GDPR. Regulations apply in all member states of the EU and do not need further implementation in national law. The approval procedures differ between member states, but the law will come soon; in Germany it needs a majority in parliament, which is realistically no obstacle, because the government has to hold that majority in order to govern.

Politically the way is clear, but technically there is a problem. KuppingerCole sees a lack of life-cycle management for privileged users and also the danger of password leaks when people leave an organisation or contract periods end. If this is not addressed, failing compliance rules is guaranteed, because it cannot be seen who is actually using the administration account and what actions he or she performs during the session. Security architectures must make every session accountable to an individual user.

Companies cannot risk failing audits – fines of up to four percent of a company's global annual turnover for breaching data protection rules are possible, with reputational damage on top. Simply hiring more staff is costly and will not necessarily solve the problem. IT departments need matching solutions that can be integrated into their security architectures. This means minimal effort for implementation and integration into an existing security concept, but also transparent operation of the solution in the day-to-day routine.

What about Privileged User and Access Management?

One way to tackle the issue is Privileged User and Access Management (PAM) that covers application on-boarding, maintenance and off-boarding. To cover the full life-cycle it has to start with the initial integration of a system, include all changes during its lifetime, and end with the removal of its accounts and credentials after decommissioning.

Furthermore, PAM can check the workflows of individual users to see whether their actions are legitimate. Access rights should be limited in time and scope, so that admins can schedule certain actions within timed access windows. This allows activities to be planned and protection to be assured at the same time: outside the window the privileged account simply cannot be used.

The most critical point for IT directors is monitoring and surveillance. These measures are needed to respond to incidents. With too many users and sessions, IT staff cannot respond in real time without further tooling. Automation is the core issue: it eases the burden and allows each session to be monitored individually. This way undesired actions can be detected and intercepted before they take effect.
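The three PAM properties discussed above (a named person behind every use of a shared admin account, access limited to a timed window, and per-session interception of undesired commands) can be shown in a small model. The following is an added illustration written for this article; it is not code from any PAM product or from the original page, and the users, account names, change reference, deny-list patterns and timestamps are constructed for the example. The audit trail is hash-chained so that a later deletion or edit of an entry is detectable, which is the kind of evidence an auditor asks for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json
import re

# Constructed deny-list: commands a session filter would intercept.
DENY_PATTERNS = [
    re.compile(r"\brm\s+-rf\s+/(\s|$)"),                # wipe the root filesystem
    re.compile(r"\bDROP\s+(DATABASE|TABLE)\b", re.I),    # destructive SQL
    re.compile(r"\b(cat|less|cp)\s+/etc/shadow\b"),      # dump password hashes
]


@dataclass
class AccessGrant:
    user: str          # the named human, never the shared account itself
    account: str       # shared privileged account, e.g. "root@db01"
    start: datetime
    end: datetime
    reason: str        # change/ticket reference justifying the window

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


class AuditLog:
    """Append-only log; every entry commits to the previous one, so removing
    or editing an entry after the fact breaks verify()."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    @staticmethod
    def _digest(body: dict) -> str:
        data = json.dumps(body, sort_keys=True, default=str).encode()
        return hashlib.sha256(data).hexdigest()

    def append(self, **fields) -> dict:
        record = {**fields, "prev": self._prev}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        self._prev = record["hash"]
        return record

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True


class PrivilegedAccessBroker:
    """Hypothetical broker: hands out time-boxed grants on shared accounts and
    screens every command of the resulting session under the person's name."""

    def __init__(self):
        self.grants, self.sessions, self.audit, self._next = [], {}, AuditLog(), 1

    def grant(self, user, account, minutes, reason, now):
        g = AccessGrant(user, account, now, now + timedelta(minutes=minutes), reason)
        self.grants.append(g)
        self.audit.append(event="grant", user=user, account=account, end=g.end, reason=reason)
        return g

    def open_session(self, user, account, now):
        g = next((g for g in self.grants
                  if g.user == user and g.account == account and g.active(now)), None)
        if g is None:                      # no active window: refuse and record the attempt
            self.audit.append(event="session_denied", user=user, account=account, at=now)
            return None
        sid, self._next = f"sess-{self._next}", self._next + 1
        self.sessions[sid] = (user, g)
        self.audit.append(event="session_open", session=sid, user=user, account=account, at=now)
        return sid

    def execute(self, sid, command, now):
        """Screen one command; returns 'allowed', 'blocked', 'expired' or 'no_session'."""
        if sid not in self.sessions:
            return "no_session"
        user, g = self.sessions[sid]
        if not g.active(now):              # window closed mid-session: terminate it
            verdict = "expired"
            del self.sessions[sid]
        elif any(p.search(command) for p in DENY_PATTERNS):
            verdict = "blocked"            # intercepted before reaching the target
        else:
            verdict = "allowed"
        self.audit.append(event="command", session=sid, user=user, account=g.account,
                          command=command, verdict=verdict, at=now)
        return verdict

    def revoke_user(self, user, now):
        """Off-boarding: end all grants and close open sessions of the person."""
        for g in self.grants:
            if g.user == user and g.active(now):
                g.end = now
        for sid in [s for s, (u, _) in self.sessions.items() if u == user]:
            del self.sessions[sid]
            self.audit.append(event="session_closed", session=sid, user=user, at=now)


def demo():
    t0 = datetime(2016, 3, 1, 9, 0)        # constructed timestamp
    pam = PrivilegedAccessBroker()
    pam.grant("alice", "root@db01", minutes=30, reason="CHG-1042", now=t0)
    sid = pam.open_session("alice", "root@db01", now=t0 + timedelta(minutes=1))
    verdicts = [
        pam.execute(sid, "systemctl restart postgresql", now=t0 + timedelta(minutes=2)),
        pam.execute(sid, "psql -c 'DROP DATABASE customers'", now=t0 + timedelta(minutes=3)),
        pam.execute(sid, "ls /var/log", now=t0 + timedelta(minutes=31)),
    ]
    bob = pam.open_session("bob", "root@db01", now=t0 + timedelta(minutes=5))
    return pam, verdicts, bob


if __name__ == "__main__":
    pam, verdicts, bob = demo()
    print(verdicts, bob, pam.audit.verify())
```

Every `command` entry in the audit log carries `user="alice"` although the target account is the shared `root@db01`; that is the session accountability the text asks for. The deny-list is deliberately minimal: a real session filter would be driven by policy rather than three regular expressions, and the hash chain only proves integrity of the log as stored, not that the log was written to a medium the administrator cannot rewrite.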

When building their security architecture, companies should also consider whom they trust. One reason why so many companies are unprepared is distance – many vendors have their offices outside Europe and develop their products for global markets, so European policy is often far removed from their product development. What is needed are solutions that have been tested and established in the region. With more policy and security norms about to come, vendors in the region have an information advantage and can use their know-how to keep their products in line with future regulations.

Do you want to know more? Download our white paper to achieve GDPR compliance.