May 23, 2018 By Katherine Cola 3 min read

Now that we’ve very nearly reached the deadline for General Data Protection Regulation (GDPR), insider threat management is more crucial than ever. What is an insider threat? It’s when an insider’s credentials and access are used — either directly by malicious actors or indirectly by criminals with stolen or acquired credentials — to obtain sensitive data from an organization.

These threats are especially dangerous when an insider gets hold of access that manages personal data about customers or other employees. This is where GDPR comes into play.

Read the white paper: Prevent Unauthorized Access to Personal Data

CIAM: Doing Something New

At this point, you are likely well-versed on the implications of GDPR for your business. One element is allowing customers in the European Union (EU) to express consent about the management of their personal data, which ties into consumer identity and access management (CIAM), a specific segment within the identity space.

CIAM systems typically collect attributes like name, email address, social network accounts, age, gender and location. But without the user’s explicit consent, the collection of this type of data will likely violate GDPR.

So, what’s needed to align with the new regulation? There must be clear methods for customers to see what personal data is being collected and what the processing activities are on that data. Based on this information, customers should then be able to change or revoke their level of consent.

There has also been a lot of varying industry interest in the CIAM component of GDPR. Many industries are paying close attention — as they know auditors will check what they are doing to achieve GDPR requirements.

Insider Threat Controls

In managing insider threats and becoming GDPR compliant, there are two discovery questions you must begin with: Where is personal data in your company stored? Who has access to that personal data? The answers to these questions will lead to awareness and the ability to take action. They will also confirm whether company insiders have access to the appropriate data.

Personal data can appear in many places:

  • Applications and content, such as records and attributes
  • Unstructured data, such as files and folders
  • Structured data, such as database tables and columns

During the discovery phase, you must be able to look at these three types of data repositories to find personal data. This data could be everything from email addresses to credit card numbers and more. Of course, this will likely require some digging. There could be 2,000-plus files in a folder, but only five might be relevant to GDPR. How do you identify the five out of the 2,000?

GDPR Compliance: Finding the Needles in the Haystack

Identifying personal data is the most critical element of the process — and it’s not an easy job to do. Once you’ve found the personal data, how do you make the information consumable, presentable and understandable for applying controls?

Controls will bring business users to attention, rousing them to make a judgment call. This is where governance comes into play: The three repositories need to converge as one unified, protected user interface. This interface should allow even the least tech-savvy user to understand what they’re looking at and feel confident in determining whether or not the access is appropriate. Dedicated solutions, such as IBM Guardium, could help accomplish this goal.

Stay Compliant, Not Complacent

To remain GDPR compliant, you will need to make sure the right people have access to personal data — and remove those who do not. You can address this requirement through leveraging IBM Security Identity Governance and Intelligence (IGI), as our IGI governance capabilities are applied through application and data governance. IGI allows the correct people to have access to personal data, presenting those people holistically in a single pane of glass and a consumable fashion by someone who is not technical. IGI presents application and data content in this way and allows for controls on top of that information. These controls, such as access review, capture the appropriateness of the access. In addition, IGI provides the reviewer with context throughout the process, presenting the access by enriching the presentation with the data classification related to the content type.

Deliver awareness and actionable controls to minimize your insider threat exposure. And remember: There is no such thing as a solution that delivers compliance.

Read the white paper: Prevent Unauthorized Access to Personal Data

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

To remain GDPR compliant, you will need to make sure the right people have access to personal data and remove those who do not. You can address this requirement through leveraging
governance and intelligence (IGI). In addition to these necessary controls, IGI provides the reviewer with context throughout the process.

More from Identity & Access

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today