We have always known that our personal information is gathered and stored in files and databases as we visit stores, shop online, or visit the doctor, but we give little thought as to who is the data guardian of this information. To compete in our consumer world, companies store vast amounts of personal client data that accumulate over many years. The European General Data Protection Regulation (GDPR) that comes into effect in May 2018 makes storing personal information a greater risk for all organizations. Specifically, if personal data is not cared for properly, with consideration for GDPR and related modern industry computing standards, large fines can be imposed on organizations for contravening laws related to company use of clients’ personal and business information.
With changes in legislation and client expectations, MSPs must be better prepared to protect customer data and better safeguard their systems from increasingly prevalent data breach attacks. What tools or processes can MSPs implement to decrease attack options and mitigate exposure if a breach is successful?
The first step is to ensure you have implemented an Identity Management and Access Control solution that:
- Revokes access to data based on least privilege principles
- Reports on active identities that have or had access to personal data
- Records login attempts and reports on unusual behavior
- Reports on aged accounts, data and redundant access to data
- Responsibly delegates access to personally identifiable data
- Retains a list of active identities with access to systems
These core identity capabilities become even more important as stronger identity legislation and expectations grow across geographical regions and vertical industries.
MSPs that are hired to manage IT for customers must take a leadership role in proactively improving and managing their clients’ Information Governance strategies to help them control access to systems and client information and mitigate risk to their clients’ reputation. By deploying an Identity Management system, an MSP takes the best first step to ensure the core controls are in place and that an auditable account of data access is kept, to begin to meet regulatory compliance.
As of May 2018, GDPR mandates an organization storing personal information of their European clients and employees provide evidence that:
- client personal data being stored is properly secured
- the data remains in legitimate economic use to the person and organization
- company users with access to client personal data during the data’s lifetime are authorized to access the data
- organizations can notify individuals or corporations affected in the case of a data breach within 72 hours
- the organization is taking the appropriate steps to govern access and monitor and log the activities proactively
This last point is perhaps the most important as organizations must be able to provide evidence that they have implemented a process to mitigate the risk of a personal data breach and track any user access to this data.
Adopting Identity Management industry best practices can protect your clients’ reputation and data and speeds your ability to comply with GDPR.
Key principles include Least Privilege and Need-to-Know.
Essential to information security is the application of “Least Privilege” and “Need-to-Know”. Least privilege is a principle that implies a user should have the minimum required access granted on an “object” to perform his/her job or function. Generally, an object is any asset or information that is accessed using a set of credentials or a token. It can be a PC, printer, database, CRM or any business application. It can also be an area of a building, a physical file or items like a refrigerator or AC unit.
Need-to-know implies that all subjects (users) be challenged on their requirement to have access to the information available on the object, and should not be granted full access unless required to carry out their duties. Need-to-know usually ties in with a classification system that assigns sensitivity or risk to information held within an object, and can apply equally to the physical examples above. Secret, confidential, and restricted are examples of typical classifications used to help enforce Need-to-Know principles and are often unique to the company or industry.
Least Privilege and Need-to-Know are subtle in their differences. Their successful application in a security system requires a top-down assessment of the job roles each user has, what access they require to objects, and at what level. An Identity Management solution provides the core platform to begin to successfully administer and monitor the principles of Need-to-Know and Least Privilege.
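The difference between the two principles is easiest to see as a single access decision that checks both. The following is an added example, not code from the article or from any identity product it mentions: the role names, objects, business purposes and the PUBLIC classification below the three named in the text are all constructed. A role passes Least Privilege when the operation was explicitly granted on the object; it passes Need-to-Know when its clearance covers the object's classification and it shares a business purpose with the data. The entitlement report at the end is the per-identity view an auditor would review.

```python
"""Least Privilege and Need-to-Know as one access decision (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Sensitivity labels; the three from the text plus a PUBLIC floor (assumed)."""
    PUBLIC = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Classification
    purposes: frozenset          # business purposes this data legitimately serves


@dataclass
class Role:
    name: str
    permissions: dict = field(default_factory=dict)   # object name -> allowed operations
    clearance: Classification = Classification.PUBLIC
    purposes: frozenset = frozenset()                  # what this job function is tasked with


@dataclass
class Identity:
    user_id: str
    roles: list
    active: bool = True


def decide(identity: Identity, roles: dict, obj: DataObject, operation: str):
    """Return (allowed, reason). Access is granted only if some role of the
    identity passes all three checks: Least Privilege (operation explicitly
    granted on this object), clearance for the object's classification, and
    Need-to-Know (a business purpose shared with the object)."""
    if not identity.active:
        return False, "identity is disabled"
    reasons = []
    for role_name in identity.roles:
        role = roles[role_name]
        if operation not in role.permissions.get(obj.name, frozenset()):
            reasons.append(f"{role_name}: '{operation}' not granted on {obj.name}")
        elif role.clearance < obj.classification:
            reasons.append(f"{role_name}: clearance {role.clearance.name} below {obj.classification.name}")
        elif not (role.purposes & obj.purposes):
            reasons.append(f"{role_name}: no need-to-know for {obj.name}")
        else:
            return True, f"granted via role {role_name}"
    return False, "; ".join(reasons) or "no roles assigned"


def entitlement_report(identities, roles, objects) -> dict:
    """Effective access per identity as 'object:operation' strings: the view an
    auditor reviews to confirm each role still reflects Least Privilege."""
    report = {}
    for ident in identities:
        granted = set()
        for obj in objects.values():
            for op in ("read", "write", "delete"):
                if decide(ident, roles, obj, op)[0]:
                    granted.add(f"{obj.name}:{op}")
        report[ident.user_id] = sorted(granted)
    return report


# Constructed catalogue: a billing clerk, an HR admin and a helpdesk role.
ROLES = {
    "billing_clerk": Role("billing_clerk",
                          # marketing_leads is an over-broad grant; Need-to-Know blocks it below
                          {"customer_pii": frozenset({"read"}), "invoices": frozenset({"read", "write"}),
                           "marketing_leads": frozenset({"read"})},
                          Classification.CONFIDENTIAL, frozenset({"billing"})),
    "hr_admin": Role("hr_admin", {"employee_records": frozenset({"read", "write"})},
                     Classification.SECRET, frozenset({"payroll"})),
    "helpdesk": Role("helpdesk", {"customer_pii": frozenset({"read", "write"})},
                     Classification.RESTRICTED, frozenset({"support"})),   # not cleared for CONFIDENTIAL
}
OBJECTS = {
    "customer_pii": DataObject("customer_pii", Classification.CONFIDENTIAL, frozenset({"billing", "support"})),
    "invoices": DataObject("invoices", Classification.RESTRICTED, frozenset({"billing"})),
    "employee_records": DataObject("employee_records", Classification.SECRET, frozenset({"payroll"})),
    "marketing_leads": DataObject("marketing_leads", Classification.CONFIDENTIAL, frozenset({"marketing"})),
}
IDENTITIES = [
    Identity("alice", ["billing_clerk"]),
    Identity("bob", ["helpdesk"]),
    Identity("carol", ["hr_admin"], active=False),   # offboarded, access should be revoked
]

if __name__ == "__main__":
    print(decide(IDENTITIES[0], ROLES, OBJECTS["customer_pii"], "write"))
    print(decide(IDENTITIES[1], ROLES, OBJECTS["customer_pii"], "read"))
    for user, access in entitlement_report(IDENTITIES, ROLES, OBJECTS).items():
        print(user, access)
```

The report makes two administrative findings visible at once: the helpdesk role is granted write access it can never exercise (its clearance is below the data's classification), and the billing clerk's grant on marketing leads is dead weight because no business purpose is shared, so both grants should be removed rather than left to accumulate.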
An IDM platform facilitates control over the systems and directories that are queried for a user’s access to objects based on role and identity, and provides the ability to centralize the authority to manage changes quickly. By leveraging Identity Orchestration, MSPs can manage task authority by roles in an organization and adjust those capabilities rapidly to enable the user to meet their task assignments. Successful use of Identity Orchestration and Management (IOM) reduces an organization’s risk and allows it to react promptly to a data breach or incident.
When personal data is captured and stored by an organization, these best practices become critical. The data custodian of the personal data must ensure that only authorized people have access and this access can be denied or removed when there is no longer a legitimate business need. The data custodian must also be able to provide historical records of who has had access to this data.
One further challenge with GDPR is that the information must be able to be deleted or “forgotten”, as in “the right to be forgotten”. An organization’s ability to safely delete this data with minimal business impact is greatly facilitated if you have applied the concepts of Least Privilege and Need-to-Know. If a breach does occur, an up-to-date record of the data owners needs to be readily accessible to notify them within 72 hours. By keeping the contact information within an Identity Management platform, the MSP will have quick access to reports to speed the notification process.
A notable benefit of this approach is that MSPs immediately minimize the risk of a data breach in the first place. By restricting access to a bare minimum through Least Privilege and Need-to-Know, MSPs can track unusual attempts to access this data that fall outside normal activities of these identities. These activities include after-hours access attempts, data access attempts from outside networks, and attempts to access data from different locations.
With the addition of a reporting system from the IDM platform, a security auditor can access monthly reports showing which identities (subjects) have access to the various data objects to ensure they meet Least Privilege. This is especially important when a new role or a change in role access is recorded. Savvy MSPs will use their Identity Management system to control and audit access to objects and will also proactively revoke access based on role or inactivity. This provides a valuable service for clients by greatly reducing the risk of insider threat or a data breach.
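The three unusual patterns named above (after-hours attempts, attempts from outside networks, and attempts from a different location) and the inactivity-based revocation can all be derived from the access log an IDM platform already records. The following is an added example, not the article's own code or that of any product it mentions. The log lines, the internal address ranges, the 08:00 to 18:00 UTC weekday business hours, the six-hour window for a location change and the 90-day idle limit are all constructed assumptions; a real deployment would read these from the client's policy.

```python
"""Reviewing an access log for the unusual patterns listed in the article and
producing the inactivity report it describes (added example)."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed: address ranges treated as "inside" the client network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "192.168.0.0/16", "198.51.100.0/24")]
BUSINESS_HOURS = (8, 18)                 # 08:00-17:59 UTC, Monday to Friday (assumed)
LOCATION_WINDOW = timedelta(hours=6)     # geo change within this window is flagged (assumed)
IDLE_LIMIT = timedelta(days=90)          # no successful access for longer -> revoke (assumed)

# Constructed sample log: one access attempt per line, key=value fields.
SAMPLE_LOG = """\
2018-02-01T10:00:00Z user=carol src=10.1.2.3 geo=IE object=employee_records action=read result=success
2018-05-14T09:05:00Z user=alice src=10.1.2.3 geo=IE object=customer_pii action=read result=success
2018-05-14T12:40:00Z user=bob src=192.168.4.9 geo=IE object=invoices action=read result=success
2018-05-14T23:30:00Z user=alice src=10.1.2.3 geo=IE object=customer_pii action=read result=success
2018-05-15T10:00:00Z user=alice src=203.0.113.7 geo=BR object=customer_pii action=read result=failure
2018-05-15T10:20:00Z user=bob src=192.168.4.9 geo=IE object=customer_pii action=read result=failure
2018-05-15T13:00:00Z user=bob src=192.168.4.9 geo=DE object=invoices action=read result=success
"""
IDENTITIES = ["alice", "bob", "carol", "dave"]   # dave has never logged in


def parse(log_text: str) -> list:
    """Turn the key=value log format into dicts with an aware UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def after_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def find_unusual(events: list) -> list:
    """Return (ts, user, category, detail) for each attempt outside the
    identity's normal activity: after hours, from an outside network, or from
    a different location than the user's previous access within the window."""
    findings = []
    last_geo = {}                                   # user -> (ts, geo) of previous event
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if after_hours(ts):
            findings.append((ts, user, "after-hours", f"attempt at {ts:%H:%M} UTC"))
        if not is_internal(ev["src"]):
            findings.append((ts, user, "outside-network", f"source {ev['src']}"))
        prev = last_geo.get(user)
        if prev and prev[1] != ev["geo"] and ts - prev[0] <= LOCATION_WINDOW:
            findings.append((ts, user, "location-change", f"{prev[1]} -> {ev['geo']} within {LOCATION_WINDOW}"))
        last_geo[user] = (ts, ev["geo"])
    return findings


def stale_identities(identities: list, events: list, as_of: datetime) -> list:
    """Identities with no successful access within IDLE_LIMIT: the
    inactivity-based revocation candidates the article refers to."""
    never = datetime.min.replace(tzinfo=timezone.utc)
    last_seen = {}
    for ev in events:
        if ev["result"] == "success" and ev["ts"] > last_seen.get(ev["user"], never):
            last_seen[ev["user"]] = ev["ts"]
    return sorted(u for u in identities if as_of - last_seen.get(u, never) > IDLE_LIMIT)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ts, user, category, detail in find_unusual(evs):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<6} {category:<16} {detail}")
    print("revoke for inactivity:", stale_identities(IDENTITIES, evs, datetime(2018, 6, 1, tzinfo=timezone.utc)))
```

Run against the sample, the review flags alice's 23:30 attempt, her attempt from 203.0.113.7, and bob's move from IE to DE within the same working day, while the inactivity report lists carol (last seen in February) and dave (never seen) as accounts to revoke. Note that the failed attempt from outside the network is still a finding: the page's point is that attempts, not only successes, are what the identity platform should surface.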
MSPs play a critical role in protecting their clients’ reputation and data through proper deployment of systems. By implementing an Identity Management solution to help govern access to personal data, and enabling the application of Least Privilege and Need-to-Know, an MSP will provide a defensible strategy to meet upcoming regulations like GDPR.
Contact us to schedule a session to review how Identity Maestro can help you start or improve your and your clients’ journey to mitigating security and data-access breaches.
For more information, view our on-demand webinar on How to Build your Cloud MSP around Simplified Identity Orchestration and Management.