It’s About People, Not Data
Over an 18-month period, those in the technology industry bore witness to the foretelling of an impending cataclysm, an Earth-shattering event of unprecedented destruction with epic consequences. An all-encompassing state of mass hysteria ensued, instigating a state of doomsday prepping – leaving all but emergency essentials, the mass evacuations (of data!) began, akin to an Orson Welles radio broadcast telling of a Martian invasion, with many simply running to the hills. This was fueled (mostly) by waves and waves of doom-mongering – men in flat caps with Sandwich boards, stating ‘The End is Nigh’, with an almost constant ringing of bells (yes, I’m talking about technology vendors) – as we waited in trepidation for the forthcoming onslaught of the vast, meteoric impact of… General Data Protection Regulation (GDPR)!
Yet, as some of us congregated on beaches, holding hands and waiting, with a sense of reluctant acceptance that, this indeed, was it – the devouring, biblical Tsunami of economy-collapsing fines and apocalyptic brand damage that was prophesied turned out to be not much more than an ocean swell… a bit rough out there, but nothing a decent umbrella couldn’t handle. We all breathed a collective sigh of relief, went home, put the kettle on and had a nice cup of tea.
A dramatic start. This is a recurring scenario: a new legislation is announced, or updates to an existing one and we struggle to understand the context, accurately foresee the consequences and end up in a whirlwind of differing views and priorities.
Mocking aside, GDPR is an ongoing imperative. One that organisations must take seriously and of which large fines have already been levied for infringements, notably, Marriott Hotels and British Airways, to name just two. So how do we dissect the seemingly endless and overly complex wording of the requirement as a whole? How do we then map those prerogatives to a business strategy? One that is ultimately governed by technology tooling.
The Two Major Themes of GDPR
The main categories of GDPR are:
- Rights of Data Subjects
- Data Protection by Design and by Default
- Data Breach Reporting
- Anonymisation and Pseudonymisation
- Cross-Border Data Transfers and Binding Corporate Rules
- Certifications, Codes of Conduct and Seals
Cut out the jargon and we see two themes emerge, Identity and Data. Indeed, the first emphasis, which makes complete sense, is to focus on the data aspect- it’s right there in the text and there are already a range of technologies that can address those: anonymisation technologies (data and identity), data classification and governance, secure transfers and integrity. These are the points that can be addressed early on – we can look at these sub headings and, as industry ‘experts’ we can recommend a course of action and the tools to help achieve and ultimately maintain compliance.
But let’s look at the other aspect, Identity, which, if we look at the context has the most bearing on all. Let’s take an example: Data Breach Reporting – simply a case of reporting a data breach – something that some people that I’ve spoken to that are responsible for GDPR in their organisations accept as an inevitability – in a timely manner, mitigating the impact on those individuals (customers for the most part) affected. Now, reporting a breach may reduce or even eliminate the chance of a hefty penalty, but it doesn’t prevent the damage done to a company’s reputation, which 9 times out of 10 will cost a whole lot more. So isn’t prevention better than the cure?
The first thing that emerges when discussing data breach is perhaps not surprisingly, data. The protection, classification and integrity of that data – to build a wall around it – which is perfectly valid. What about if we look at it another way? Data doesn’t ‘leave the door’ of its own accord, someone (a human being, whether a single person or group) causes that breach, and they do that for a reason; money, activism, terrorism, etc. – that’s the why. So, now let’s look at the how, if we delve in to the statistics, 74% of data breaches involve the compromise of privileged accounts – a big number! With so many privileged accounts – Operating System, Database, Cloud services, Application accounts – in an organisation, and now in so many locations – co-locations, cloud platforms, cloud services, exposed devices, IoT – gaining access to data via a privileged account has to be the most attractive target to any would-be attacker.
It comes back to identity – an attacker (an identity) wants to access an organisation’s data, using a privileged account (an identity) that has access to that data, so a successful defensive strategy should be identity based, and that’s where Privileged Access Management comes in. The ability to control, monitor and enforce access around who has access to privileged accounts is key, combined with secure, centralized management of those accounts provides a powerful combination – this is the foundation of a preventative strategy against the risk of a data breach. Capabilities also need to extend out to cloud, IoT and applications that use privileged accounts to run, giving a comprehensive policy of control and action in a post-digital transformation world.
In summary, GDPR is already here and organisations don’t want to be the next headline- a Privileged Access Management strategy goes a long way to help reduce the risk. It won’t end with GDPR… organisations need to be ready for the next piece of legislation.