Insider Threat Controls: What Are the GDPR Implications?
Now that we’ve very nearly reached the deadline for General Data Protection Regulation (GDPR), insider threat management is more crucial than ever. What is an insider threat? It’s when an insider’s credentials and access are used — either directly by malicious actors or indirectly by criminals with stolen or acquired credentials — to obtain sensitive data from an organization.
These threats are especially dangerous when an insider gets hold of access that manages personal data about customers or other employees. This is where GDPR comes into play.
CIAM: Doing Something New
At this point, you are likely well-versed on the implications of GDPR for your business. One element is allowing customers in the European Union (EU) to express consent about the management of their personal data, which ties into consumer identity and access management (CIAM), a specific segment within the identity space.
CIAM systems typically collect attributes like name, email address, social network accounts, age, gender and location. But without the user’s explicit consent, the collection of this type of data will likely violate GDPR.
So, what’s needed to align with the new regulation? There must be clear methods for customers to see what personal data is being collected and what the processing activities are on that data. Based on this information, customers should then be able to change or revoke their level of consent.
There has also been a lot of varying industry interest in the CIAM component of GDPR. Many industries are paying close attention — as they know auditors will check what they are doing to achieve GDPR requirements.
Insider Threat Controls
In managing insider threats and becoming GDPR compliant, there are two discovery questions you must begin with: Where is personal data in your company stored? Who has access to that personal data? The answers to these questions will lead to awareness and the ability to take action. They will also confirm whether company insiders have access to the appropriate data.
Personal data can appear in many places:
- Applications and content, such as records and attributes
- Unstructured data, such as files and folders
- Structured data, such as database tables and columns
During the discovery phase, you must be able to look at these three types of data repositories to find personal data. This data could be everything from email addresses to credit card numbers and more. Of course, this will likely require some digging. There could be 2,000-plus files in a folder, but only five might be relevant to GDPR. How do you identify the five out of the 2,000?
GDPR Compliance: Finding the Needles in the Haystack
Identifying personal data is the most critical element of the process — and it’s not an easy job to do. Once you’ve found the personal data, how do you make the information consumable, presentable and understandable for applying controls?
Controls will bring business users to attention, rousing them to make a judgment call. This is where governance comes into play: The three repositories need to converge as one unified, protected user interface. This interface should allow even the least tech-savvy user to understand what they’re looking at and feel confident in determining whether or not the access is appropriate. Dedicated solutions, such as IBM Guardium, could help accomplish this goal.
Stay Compliant, Not Complacent
To remain GDPR compliant, you will need to make sure the right people have access to personal data — and remove those who do not. You can address this requirement through leveraging IBM Security Identity Governance and Intelligence (IGI), as our IGI governance capabilities are applied through application and data governance. IGI allows the correct people to have access to personal data, presenting those people holistically in a single pane of glass and a consumable fashion by someone who is not technical. IGI presents application and data content in this way and allows for controls on top of that information. These controls, such as access review, capture the appropriateness of the access. In addition, IGI provides the reviewer with context throughout the process, presenting the access by enriching the presentation with the data classification related to the content type.
Deliver awareness and actionable controls to minimize your insider threat exposure. And remember: There is no such thing as a solution that delivers compliance.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.