The EU’s General Data Protection Regulation (GDPR) intends to strengthen and unify personal data protection for all individuals within the European Union. This regulation imposes entirely new requirements on how organizations must process such data, which means that companies must step up their efforts in information security management and the associated investments. It is important to specify that the regulation (which is already in force; only the application of sanctions is postponed until March 2018) is binding on all companies, European or non-European, whose activity involves accessing the personal data of EU citizens (Article 3).
An effective and efficient IAM solution is the cornerstone of the information system of all companies in order to establish and maintain compliance with the many complex requirements of the GDPR.
In the past, personal data breaches have led to disastrous situations (financial but also reputational) both for companies and for those affected, sometimes with high penalties as a consequence. With the imminent activation of the sanctions provided by the GDPR, compliance has become crucial, as penalties of up to 4% of global turnover may be imposed (Articles 83 and 84 of the GDPR and Article 65 of Law/Act No. 2016-1321 of 7 October 2016).
As the complexity of company information systems increases, the risks associated with access management increase as well. Moreover, the ubiquity of the Internet has imposed, on the one hand, the widespread sharing of information between companies and their partners and service providers and, on the other hand, pervasive access to company resources. So while the most widely publicized information leaks (Sony, Yahoo!…) are often the work of actors outside the company, the majority (in number and probably in value) of security breaches come from within the organization, where the consequences of negligent or malicious behavior are multiplied if rigorous management of authorizations and access is not in place. Data protection is at the heart of the GDPR (Article 5).
Within a company information system, data is continuously imported, stored, and transferred to and from structured repositories (databases, directories…) or unstructured ones (mailings, files…), or even outside the physical perimeter of the company, in the cloud. In general, this heterogeneity does not allow IT managers, security managers and data protection officers (DPO, Guidelines on Data Protection Officers, G29 2017) to have the overview necessary to verify and validate that employees hold only the access rights and authorizations strictly necessary to carry out their tasks. Validating the company’s compliance with the GDPR requirements then becomes an impossible task.
In addition, these same employees may change roles within the organization, for example in the event of an internal transfer or promotion. This means that they acquire new rights and access new data, without necessarily losing the previously acquired access (at least, not immediately). This drift from the initial rights model may be a threat to the lawfulness of personal data processing, since the legal basis for the processing may no longer apply to the employee’s new role (Article 4). This would be a violation of the GDPR, since the accountability principle underlying the GDPR requires any liable party to demonstrate compliance with the obligations of the regulation (Article 24).
Company directory restrictions
The simplest way to control access to the information system is through the features of the company directories: for example, Active Directory allows the company’s resources to be structured into groups with specific access rights. However, these methods are too complex and too static to take into account the mobility and heterogeneity of current use cases. In addition, an overview of the rights and permissions of individuals is simply impossible given the interweaving of the different structures; the difference between the apparent and actual rights of an employee can create serious risks of violating the GDPR rules if these relationships are not properly interpreted. Indeed, taking the principles of personal data protection into account by design and by default is an integral part of the conformity assessment (Article 25).
Furthermore, authorizations assigned to an employee through the central directory do not necessarily reflect that person’s rights in a given application if the correspondence is maintained “manually”. Automating the process is the only way to ensure that assigned rights are applied correctly and immediately (within a time delta close to the synchronization frequency of the repositories, where applicable).
Finally, there are many situations in which it is essential to ensure, at any time, that sets of toxic rights, i.e. rights that are incompatible with each other, are not attributed to a person or group of persons at the same time. If that were the case, it would again be a violation of the GDPR rules.
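The three problems above (apparent versus actual rights hidden by nested directory groups, rights that outlive a role change, and toxic right combinations) can be made visible with a small audit over the directory data. The following is an added illustration, not code from the article or from any product it mentions; the group layout, the rights, the role model and the toxic pair are all constructed sample data.

```python
from collections import deque

# Constructed sample directory: group -> direct members (users or nested groups),
# in the Active Directory style where a nested group inherits the parent's rights.
GROUPS = {
    "HR-Readers": {"alice", "Payroll-Admins"},
    "Payroll-Admins": {"bob", "Payroll-Approvers"},
    "Payroll-Approvers": {"carol"},
    "Finance": {"carol"},
}
GROUP_RIGHTS = {  # constructed: the rights each group grants
    "HR-Readers": {"read:employee_records"},
    "Payroll-Admins": {"write:payroll"},
    "Payroll-Approvers": {"approve:payroll"},
    "Finance": {"read:ledger"},
}
# Constructed segregation-of-duties policy: pairs of "toxic" rights.
TOXIC_PAIRS = [("write:payroll", "approve:payroll")]
# Constructed role model: the rights a role legitimately needs (least privilege).
ROLE_MODEL = {"payroll_approver": {"approve:payroll", "read:ledger"}}


def parents_of(member: str) -> set[str]:
    """Groups that list `member` (a user or a group) as a direct member."""
    return {g for g, members in GROUPS.items() if member in members}


def effective_groups(user: str) -> set[str]:
    """Transitive closure of group membership: the groups that really apply."""
    seen, queue = set(), deque(parents_of(user))
    while queue:
        g = queue.popleft()
        if g not in seen:
            seen.add(g)
            queue.extend(parents_of(g))
    return seen


def rights_of(groups: set[str]) -> set[str]:
    return set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups))


def audit(user: str, role: str) -> dict:
    """Compare apparent (direct) and effective rights, then apply both policies."""
    apparent = rights_of(parents_of(user))
    effective = rights_of(effective_groups(user))
    return {
        "apparent": apparent,
        "effective": effective,
        "hidden": effective - apparent,          # rights visible only via nesting
        "toxic": [p for p in TOXIC_PAIRS if set(p) <= effective],
        "excess": effective - ROLE_MODEL[role],  # not justified by the current role
    }
```

For `carol`, the audit shows that nesting silently grants `write:payroll`, which combined with her direct `approve:payroll` forms a toxic pair and is not justified by her role.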
The GDPR defines the objectives to be achieved in terms of personal data protection, without imposing specific methods or techniques. This protection, defined and supervised by the GDPR, is based on managing access to this data, i.e. the control and supervision of access rights and their traceability. A powerful, flexible identity and access management solution like Avencis Hpliance from Systancia dramatically reduces user threats, eliminates generic and shared accounts, automates processing, ensures consistency across company repositories, and provides detailed reports on rights and resource assignments, helping you progress towards GDPR compliance.
Frédéric Pierre – Scientific Director