GDPR compliance and access control – what you should already be doing
(Last updated on March 16, 2021)
With less than a year until the EU General Data Protection Regulation (GDPR) takes effect, all organizations collecting or processing data for individuals within the EU are in the midst of developing their compliance strategy. The new regulation will carry an impact well beyond Europe. A recent PwC pulse survey found that over half of US multinationals have GDPR readiness as their top data-protection priority. Guided by principles such as data protection by design and by default, the GDPR will force organizations to rethink their security practices. While tackling the intricacies of the GDPR is beyond the scope of this blog, we thought it might be interesting to unite the new regulation with the security best practices that we should already be doing.
The 88-page document leaves room for interpretation as it calls for “appropriate technical and organisational measures” across the board. The document (recital 49) also stresses the need for secure IT networks that can resist “accidental events or unlawful or malicious actions” that may compromise the confidentiality of stored or transmitted personal data, and “the security of the related services offered by, or accessible via, those networks and systems.” It goes on to say “This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
So, how do we begin to put this into practice? We can start off by safeguarding IT assets against common attacks, and not turning a blind eye to basic security principles like access control.
Who has access to critical assets?
Whether it’s critical data, or systems, the GDPR will require organizations to have the appropriate access policies in place. The execution is closely tied to identity management systems as they enable the administration of users within a system and organization. And while the goal is to grant the right individuals access to the right resources at the right times and for the right reasons, recent data breaches hint at overexposure of data. In a recent study by Ponemon Institute, in which 1,371 end-users were surveyed, 62% said they had access to company data they probably shouldn’t see. Even worse, 60% of companies are unable to determine who can access their critical data. Are organizations so preoccupied with the possibility of external threats that they have neglected internal controls?
At the heart of your organization’s computers, users, and IT infrastructure, you will find Active Directory. Used to mirror the corporate structure of a business, Active Directory houses sensitive data for more than 90% of all organizations. Naturally, the first step towards protecting critical assets, from both internal and external threats, should start there, and with these three best practices:
- Scrutinize administrator privileges: Administrator privileges should only be granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions. To ensure accountability, and move beyond a single point of failure, each administrator should have their own admin account – as opposed to a shared generic account with full rights. Furthermore, each administrator should have a separate user account for day-to-day activities. Finally, stale admin accounts should be deleted as they can be used to access resources without being noticed. Our free tool, Specops Password Auditor, identifies stale admin accounts by reading the lastLogonTimestamp in Active Directory.
- Streamline de-provisioning and off-boarding: Are you doing everything you can to ensure an (ex)-employee doesn’t walk out with more than the bobblehead in their cubicle? A lengthy de-provisioning or off-boarding process can leave your organization vulnerable to data leakage. Automated de-provisioning is best as it will ensure access to corporate accounts is revoked within minutes of termination. This requires Active Directory to be synced with HR directories, as well as cloud applications such as Office365.
- Strengthen authentication: On any given workday, users with active accounts collectively authenticate up to 10 billion times. Securing employee authentication is a significant defense, especially since many of the recent data breaches were the direct result of compromised passwords. The Verizon 2016 Data Breach Investigations Report, found that 63% of confirmed data breaches involved weak, default, or stolen passwords. Unfortunately, as long as people continue using common/predictable passwords, attacks such as dictionary attacks will continue to work. With the right tools in place, such as Specops Password Policy, any dictionary can be banned from being used in the organization.
The three best practices provided in the blog are merely a few steps one should take when securing access to sensitive data.