By Brian Chappell, Senior Director, Enterprise and Solution Architecture, BeyondTrust
Let’s be clear: the General Data Protection Regulation (GDPR) is going to require at least some attention to access controls. Still, a recent survey by the UK government has revealed that not many organisations are aware of that fact.
The Cyber Security Breaches Survey 2018, released by the Department for Digital, Culture, Media and Sport earlier this year, showed that only 7% of UK businesses are changing which users have admin and access rights in preparation for the GDPR.
I fear that the 93% who aren’t doing anything around access control are in for a shock when GDPR finally lands in May.
Last year, BeyondTrust conducted a survey which revealed that 38% of organisations grant their workforce admin rights by default.
It’s no secret that many organisations grant their workforce far more privileges than their roles require, and open themselves up to a whole range of security threats in the process.
This takes on a new menacing aspect when we are talking about GDPR compliance, which threatens large fines for offenders.
It’s not hard to understand why people might be unsure which specific security measures the GDPR actually requires. While there are plenty of vendors offering magical GDPR compliance solutions, the text of the regulation itself is deliberately technology-neutral and strangely free of specific compliance detail.
To be compliant with the GDPR, controllers and processors must take care of access, regardless of whether the text spells it out or not.
Take Article 25, which deals with data protection by design and by default. Organisations should pay particular attention to its requirement that, by default, only the personal data necessary for each specific purpose of the processing are processed.
Moreover, you’ll have to ‘ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.’
This means making sure that access is only handed out to those who need it to do their jobs.
Article 32, ‘Security of processing’, is one of the cardinal elements of the GDPR text. In short, it requires controllers and processors to implement technical and organisational security measures ‘appropriate to the risk.’
Those risks will likely include things like privilege escalation attacks (one of the most common attack vectors around) and insider threats, which continue to be one of the leading causes of data theft: a 2016 Ponemon survey revealed that 62% of respondents had access to information they shouldn’t.
These are, in other words, exactly the ‘risks’ Article 32 has in mind.
Article 33, which deals with breach notification, is less directly about access controls, but monitoring who has access to what, when they access it and how will be key to establishing what happened quickly enough to notify the regulator within 72 hours of becoming aware of a breach (and affected data subjects without undue delay, under Article 34).
This also hits upon the GDPR’s particular liking for paperwork. It’s not enough to be compliant; under the accountability principle you have to be able to demonstrate compliance too. That means a documented access control policy, and records of who was granted what and why, so you can show regulators when they come knocking.
Access controls are a profoundly important part of a secure network, whether you’re trying to comply with the GDPR or just keep cybercriminals out. In either case it is vital that you understand, control and monitor who is using your network’s data and how. Some of that 93% may already have adequate access controls in place, but it is hard to believe that only 7% needed to make changes.
Access controls alone will not make you compliant, and no single solution can. The GDPR is much more about holistically addressing the security question and thinking about how personal data is used and protected. The checkbox solution won’t work here. Access controls, however, are a linchpin of compliance, and one that is troublingly being overlooked.