Now that we’ve very nearly reached the deadline for General Data Protection Regulation (GDPR), insider threat management is more crucial than ever. What is an insider threat? It’s when an insider’s credentials and access are used — either directly by malicious actors or indirectly by criminals with stolen or acquired credentials — to obtain sensitive data from an organization.

These threats are especially dangerous when an insider gets hold of access that manages personal data about customers or other employees. This is where GDPR comes into play.

Read the white paper: Prevent Unauthorized Access to Personal Data

CIAM: Doing Something New

At this point, you are likely well-versed on the implications of GDPR for your business. One element is allowing customers in the European Union (EU) to express consent about the management of their personal data, which ties into consumer identity and access management (CIAM), a specific segment within the identity space.

CIAM systems typically collect attributes like name, email address, social network accounts, age, gender and location. But without the user’s explicit consent, the collection of this type of data will likely violate GDPR.

So, what’s needed to align with the new regulation? There must be clear methods for customers to see what personal data is being collected and what the processing activities are on that data. Based on this information, customers should then be able to change or revoke their level of consent.

There has also been a lot of varying industry interest in the CIAM component of GDPR. Many industries are paying close attention — as they know auditors will check what they are doing to achieve GDPR requirements.

Insider Threat Controls

In managing insider threats and becoming GDPR compliant, there are two discovery questions you must begin with: Where is personal data in your company stored? Who has access to that personal data? The answers to these questions will lead to awareness and the ability to take action. They will also confirm whether company insiders have access to the appropriate data.

Personal data can appear in many places:

  • Applications and content, such as records and attributes
  • Unstructured data, such as files and folders
  • Structured data, such as database tables and columns

During the discovery phase, you must be able to look at these three types of data repositories to find personal data. This data could be everything from email addresses to credit card numbers and more. Of course, this will likely require some digging. There could be 2,000-plus files in a folder, but only five might be relevant to GDPR. How do you identify the five out of the 2,000?

GDPR Compliance: Finding the Needles in the Haystack

Identifying personal data is the most critical element of the process — and it’s not an easy job to do. Once you’ve found the personal data, how do you make the information consumable, presentable and understandable for applying controls?

Controls will bring business users to attention, rousing them to make a judgment call. This is where governance comes into play: The three repositories need to converge as one unified, protected user interface. This interface should allow even the least tech-savvy user to understand what they’re looking at and feel confident in determining whether or not the access is appropriate. Dedicated solutions, such as IBM Guardium, could help accomplish this goal.

Stay Compliant, Not Complacent

To remain GDPR compliant, you will need to make sure the right people have access to personal data — and remove those who do not. You can address this requirement through leveraging IBM Security Identity Governance and Intelligence (IGI), as our IGI governance capabilities are applied through application and data governance. IGI allows the correct people to have access to personal data, presenting those people holistically in a single pane of glass and a consumable fashion by someone who is not technical. IGI presents application and data content in this way and allows for controls on top of that information. These controls, such as access review, capture the appropriateness of the access. In addition, IGI provides the reviewer with context throughout the process, presenting the access by enriching the presentation with the data classification related to the content type.

Deliver awareness and actionable controls to minimize your insider threat exposure. And remember: There is no such thing as a solution that delivers compliance.

Read the white paper: Prevent Unauthorized Access to Personal Data

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

To remain GDPR compliant, you will need to make sure the right people have access to personal data and remove those who do not. You can address this requirement through leveraging
governance and intelligence (IGI). In addition to these necessary controls, IGI provides the reviewer with context throughout the process.

More from Identity & Access

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…