By Paul Trulove, vice president of product management at SailPoint
The battle for privacy over personal data took an important step forward with the approved General Data Protection Regulation (GDPR) being adopted by the European Parliament in April
Changing the way enterprises view data
The new law dramatically changes the way in which organisations approach customer data protection, particularly in terms of access privileges. With financial penalties in place, which can be as much as 4 per cent of a corporation’s annual turnover, enterprises simply cannot afford to let customer data slip into the wrong hands through mismanagement or a malicious breach. One way to ensure this doesn’t happen is for customer data to be secured under lock and key with the help of identity governance, where entry is monitored and controlled around the clock.
The new GDPR regulation will also require significant changes in how customer data is stored. Existing security models will have to evolve as well. A transition from prevention-only outlooks to detection and remediation methods is now needed to accommodate the new legislation. While the law only applies to EU citizens’ data, any company that operates in the EU must comply, regardless of where the data is stored. This yields a truely global impact on data governance for almost every major company in the world.
Identity is everything
Given the current state of governance over customer data, especially who has access to it and how that access is granted, organisations can’t afford to wait to get started. There are proactive steps that can be implemented to stay ahead by focusing on a few key identity governance priorities: The first is to develop a complete picture of where customer data is stored and what data is required to be protected under the new regulations. In as few as ten years ago, data governance was relatively straightforward. Most information was stored in structured databases or applications that could be locked away in the network, behind application credentials. That’s not the case anymore. Today, most of the data in an organisation is unstructured, meaning it is created and managed in files by end users and can be stored almost anywhere. For example, customer data required to be protected under GDPR may be stored on file servers, on cloud storage services like Box.net, on collaboration portals like SharePoint, and many, many more.
IT security professionals today have a difficult balancing act on their hands to get the right mix of security and convenience. Business users want convenience, but at the same time, data must remain secure. As far as unstructured data is concerned, the scales are tipped so far towards business agility and convenience that IT often has a hard time reigning in control without triggering a user revolt. Achieving security that is on par with convenience doesn’t need to alienate users, however, so long as you pick the right tools and keep users involved in the process at every step of the way.
Granting access to data throughout the user lifecycle
Protecting access to GDPR-related data as users join, move to different roles or leave the organisation is a key step in avoiding a data leak. With hefty fines facing orgainsations that fail to protect personally identifiable information of their customers, companies need to focus on securing access to this information and carefully controlling the relationship between users and where the data is stored – whether in applications and or file storage systems.
A governance-based identity management solution that delivers control over every aspect of access to data, whether it is stored on-premises or on the cloud, allows enterprises to centrally manage all company applications and data. This level of governance significantly reduces the possibility of insider gaining inappropriate access and consequential data leaks that could have major financial ramifications for the business. But organisations need to keep in mind that such governance-based approaches are not a one-time event. Governance over user access needs to be updated on an ongoing basis to reflect any changes in the business if it is going to remain effective.
At first, organisations may feel overwhelmed by the requirements of GDPR, especially considering the financial ramifications of non-compliance. However, leveraging identity governance at the core of your security strategy to protect access to customer data in your organisation can go a long way towards mitigating the risk of a data breach and the resulting penalties that may incur.
As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of global organisations securely and effectively deliver and manage user access from any device to data and applications residing in the datacenter, on mobile devices, and in the cloud. The company’s innovative product portfolio offers customers an integrated set of core services including identity governance, provisioning, and access management delivered on-premises or from the cloud (IAM-as-a-service). For more information about SailPoint, please visit www.sailpoint.com