The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. In April last year, Matthias Reinwarth, a Senior Analyst at KuppingerCole was quoted saying, “A strong, robust, reliable and trustworthy IAM strategy and capability is a core building block required to achieve compliance with the GDPR.” Reinwarth makes it clear that ensuring that users only have access to the data and resources they are entitled to and that the company operates within the GDPR guidelines is key.
It is vital that information security personnel, such as Identity and Access Management (IAM) professionals and Risk & Compliance Officers, work together to achieve this because the alternative to compliance can be catastrophic. Aside from the damage to a company’s brand, failure to comply could result in fines of up to 4% of the company’s total annual worldwide turnover, or €20,000,000, whichever is greater. For example, if Google were to fail GDPR compliance, it would have to pay a fine of $4.386 billion, which is 4% of $109.65 billion.
To prepare for GDPR, companies must take specific steps to properly comply with the regulations. As time marches inexorably towards GDPR, IAM has never been more critical. For example, accountability, consent, breach notifications, and individual rights must all be properly addressed. As with many things, preparation is crucial and both IAM professionals and Risk and Compliance Officers need to collaborate to make it happen.
As a general rule, knowing what data you have and where it is located is the first step to ensuring compliance. Once you know what information is in your control, you can more easily classify it and determine if it legally requires protection. Some of this protection might need to be done by Data Protection Officers (DPOs) that are specifically hired to manage large volumes of personal data that many companies amass over time. Defining your data and hiring DPOs are tasks that IAMs and Risk and Compliance Officers should work together on to make sure the GDPR guidelines are met.
Authorization recertification is another task that IAMs and Risk and Compliance Officers need to collaborate on. Recertification policies that a company establishes must be robust, effective, and appropriate for their specific situation. Moreover, recertification is essential because it facilitates ongoing compliance.
When preparing for GDPR, IAM must meet the needs of all of the stakeholders - employees, customers, and the company’s executive branch. It is important that identities and access are managed in such a way that all stakeholders are able to do their work or have access to products and services, all while protecting GDPR-related data. The most effective method for doing so, whether it be in the cloud or on-premises, is by taking advantage of the Policy-Based Access Control (PBAC) approach.
When thinking about GDPR and protecting your organization, you might be tempted down the well-beaten path of rule-based IAM. After all, that’s how it’s always been done. But the many problematic and fundamental failings of rule-based IAM make it incompatible with GDPR requirements. Instead, embrace the PBAC approach. It is platform agnostic, flexible, scalable, and is great for compliance.
The inherent advantage of PBAC is that you can build policies that are at once comprehensive and flexible. Policies can be defined broadly or narrowly, depending on the resource and the resource attributes (for example: view only general data and not personal data). Because PBAC supports many kinds of variables, such as time and location, it becomes highly flexible on the fly. For example, if an employee at a third-party supplier no longer works for her company, but still has login details to your company’s ordering system, with PBAC, the runtime authorization will block access even if the login credentials are valid. In other words, PBAC enables access decisions to be made in real-time, protecting sensitive data.
You could be forgiven for thinking that the seemingly endless permutations and complexity of IAM would make it nearly impossible to satisfy both business needs and GDPR requirements. Of course, access policies should be crafted with business needs in mind - which resources should employees, customers, and executives have access to so that they can get things done. But don’t be mistaken - business needs are not mutually exclusive to GDPR compliance. When IAM professionals and Risk and Compliance Officers work together, they can build policies that fit in with the organization’s data access controls and also with GDPR in mind.
Complex PBAC policies can be created using straightforward business language (for example: “Traders can execute trades on working days between 09:00 and 17:59”). Policies that are easily understood by everyone means that all relevant stakeholders - including business leaders - can be certain that business goals are being met. It also means that PBAC policies provide full and transparent visibility for compliance with GDPR and other relevant regulations.
By its very nature, PBAC policies for IAM reduce the amount of manual input required for auditing and recertifying policies. Policies can reduce the amount of manual approvals by 30% – 80%, which is a massive savings in time and effort. Additionally, manual intervention in any system inevitably means introducing the element of human error. PBAC systems practically eliminate those concerns. And you cannot ignore the effect manual input has on scalability - the more automatic a system is, the more scalable it becomes - which is why PBAC systems are highly advantageous.
So there really is only one way to ensure your organization will be able to navigate the choppy waters of IAM in a GDPR world. With strong collaboration between IAM professionals and Risk and Compliance Officers, PBAC is the only way to future-proof your company’s information and data security and to simplify the GDPR compliance process. 25 May 2018 is closer than you think.