Leslie K. Lambert
Chief Security and Strategy Officer, Gurucul
Dec 6, 2017
In my last blog on the EU GDPR, I talked about the stiff, crippling penalties (a whopping 4% of an enterprise’s global revenue) associated with non-compliance for any multinational company controlling the personal data of an EU citizen, in the event of a breach. I expect anyone reading this now has received the wake-up call and recognizes that this is not a ‘nice to have’ option. It’s a ‘must do’ action.
Recognizing that fact, I’ve assembled a few thoughts about how organizations need to align themselves to assure they are ready to go when the EU GDPR mandate comes into effect on May 25, 2018. As this deadline approaches, those who have not already begun their transition plan are now starting to do so. A number of the areas this planning needs to address include:
| GDPR Preparation Category | Planning actions |
|---|---|
| Assess legal obligations of GDPR | Understand the requirements as they relate to your organization in regards to collecting, processing and storing data, as well as the special categories within the legislation. Designate an executive sponsor and technical lead. Determine requirements (internal or outsourced) for a GDPR Data Protection Officer. |
| Data audit, inventory and classification | Identify relevant EU personal data along with data flows and any systems that interface with the data, whether internal, third party or backup. Document every aspect of this data discovery, including research, findings, decisions and actions. |
| Risk and gap analysis within GDPR mandate | First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process the data. Assess risks based on private data varieties, volume and processing systems. Identify gaps in the processes or technology capabilities that ensure data processing integrity. |
| Security access and activity logging for anomalous behavior | Apply security measures to production data containing core assets, and then extend those measures to backups and other repositories. Implement and maintain monitoring of all access and activity on GDPR-related systems, with special visibility into private data access and activity across all silos and domains using a risk-based approach, to ensure holistic global security. |
| Controls alignment with GDPR | Investigate any other risks to data not included in previous assessments and established security solution approaches. Identify existing control sets within the organizational environment that align with compliance requirements. Identify security technology gaps, especially with respect to the SOTA* requirement, and plan for technology adjustments and adoptions in a measured, phased approach. Technology consulting partners may be required. Reassess and adjust the solution strategy on a regular basis, to assure security capabilities remain in sync with evolving challenges and requirements. |
| Acquire full budget and organizational support | With CISOs often sitting a couple of levels below the C-level decision makers, and sometimes reporting into the CIO, there can be inherent resistance to the proposals that will be presented to make an organization compliant. Too often security initiatives are perceived as a cost center, not as protecting value, and therefore as not contributing to the bottom line. Instead, this initiative should be seen as a competitive advantage. Short-changing the budget on EU GDPR mandate fulfillment could very well represent a threat to the organization’s survival. |
* SOTA is “state-of-the-art”, and my first EU GDPR blog was on this topic. Check it out if you haven’t already.
So much focus of my blogs on EU GDPR has been about the dire consequences, stiff penalties, and rigid requirements of fulfillment. But there’s good news too, and this should be shared with the C-level decision makers in making the case for what might represent a seismic upgrade in their organization’s security capabilities. If the organization adopts an advanced security analytics solution to address “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” (one of the four core GDPR principles), benefits an organization might realize can include:
- SOTA-empowered security capabilities and quality. The mature capabilities of advanced security analytics, leveraging mature machine learning algorithms, empower holistic risk-based monitoring across a range of on-premises, cloud and hybrid environments, risk scoring the gray areas of unknowns, and minimizing false positives.
- Comprehensive shadow IT management. IT groups within organizations no longer need to face the significant risk of unknown, unmanaged and ungoverned data being accessed through shadow IT solutions by employees in unsanctioned cloud services that can put the entire organization in jeopardy with their use. Comprehensive risk-scored access and holistic activity monitoring across all silos ensures control of shadow IT activity.
- Role-based access controls and data masking. Next-generation capabilities define new roles with access controls for data and actions. Data masking through workflow, for incident management, ties into role-based access controls and enables a tiered hierarchy for access and visibility to meet EU privacy and GDPR regulations.
- Optimized discovery, monitoring and visibility in four core GDPR compliance areas. By addressing administrator controls and separation of duties, access control, data loss prevention and user activity monitoring, this solution provides the baseline ability to view the full context of a user’s access and activities, both legitimate and anomalous. The SOTA and mature solution also includes analytics for hybrid environments, providing a combined 360-degree view of identity and risk-scored behavior anomalies, driven by machine learning.
- Improved productivity and cost savings. Extending beyond the benefits of GDPR compliance, the solution adds value to the organization’s bottom line. By having holistic visibility across all an organization’s environments, users and devices, SOC teams’ efficiencies are maximized, delivering cost savings. In addition, as enterprises migrate to cloud applications, the ability to expand platforms without adoption of additional solutions helps minimize costs.
All in all, independent of the EU GDPR mandate, the enterprise’s environment will be safer and holistically monitored on a cost-effective basis. That’s a win-win for the adopting organization. To learn more about the EU GDPR, check out our white paper on the topic: Advanced Security Analytics Applications in EU GDPR.