With less than five months until the implementation of GDPR, organizations are scrambling to comply with the strict data security standards.
by Gerry Gebel. This article originally appeared in CSO Online.
The implementation of the General Data Protection Regulation (GDPR) in the EU will impact hundreds of thousands of businesses globally. GDPR imposes a significant update to data security laws on all EU members defining the protection and use of data of European citizens. It is the most extensive change in data privacy regulations that we have seen in years, and any business found not in compliance will face stiff regulatory fines.
With a deadline of May 25, 2018, enterprises are scrambling to identify exactly how they can comply with its strict data security standards and the effect GDPR compliance will have on their overall digital business initiatives. And in the process, many businesses are finding themselves unprepared for GDPR.
So how can businesses take a practical approach to meeting GDPR requirements?
Preparing for GDPR with access control
A key theme within the GDPR is the control of who has access to digital assets that are covered by the update. Dynamic authorization or Attribute Based Access Control (ABAC) can help navigate GDPR compliance (while also supporting digital business initiatives) by providing data and transaction protection capabilities. Dynamic authorization provides contextual and fine-grained access control. It’s a policy-based access control approach, and the policies are built using the relationships between ‘attributes’ that define the who, what, when, where, how and why a user is granted or denied access to a given information asset.
Dynamic authorization can do more than just protect who receives access to sensitive data. In a GDPR context, dynamic authorization supports the establishment of intimate trusted customer relationships by balancing privacy protection, risk management and security practices. This can further solve a variety of GDPR requirements including:
Consent means that the user (data owner) needs to give consent to the ‘data controller’ to use the data for specific purposes (lawful and fair). The consent options need to be presented to the user in a way that enables the user to make conscious decisions when deciding whether to give consent or not. The user should be able to quickly revoke consent for all or specific use of the data.
By implementing a dynamic authorization solution as part of a consent management strategy, an organization can achieve consistent enforcement of access to all PII data stores (in both relational databases and Big Data stores), APIs, microservices and applications. The benefit of this approach is that end users can manage the permissions that grant consent in one place and that the authorization engine dynamically enforces these preferences at runtime.
Data protection is described in numerous ways and referenced in several parts of the law, and it embraces several sub-areas that can be quite challenging to implement. These areas include: data minimization, data encryption, data pseudonymization, data transparency, data accuracy, data quality, data access, data sharing, data portability and data control. Dynamic authorization supports several of these data protection topics well:
- Data minimization is about physically minimizing the data an organization has stored. In addition to this physical minimization, dynamic authorization can help minimize the data access points by providing “logical” data protection. By applying contextual and fine-grained access policies to large sets of data, an organization can reduce the threat vectors to the data and make sure that it is only exposed to users who are authorized to view it.
- Data transparency, data accuracy and data quality include capabilities that allow the end user to view and correct data. A dynamic authorization solution can enforce strict policies that expose the PII data to just those authorized end users, with the ability to govern dynamic data masking, specific actions they’re allowed to take (tasks such as having access that is read-only, the ability to update, or the ability to edit).
- Data access, data sharing and data control are also areas where a dynamic authorization solution supports a very contextual and data-driven access control relationship. By leveraging the full capabilities of the authorization model, PII can be protected by policies that extend to the end users discretion.
Records of processing activity
Centralized authorization solutions, like dynamic authorization, create and maintain an audit log of who has accessed, or attempted to access, PII. This authorization audit log, together with other logs such as logs from the applications, provides vital proof of ‘records of processing activities’ that can be used for internal or external auditors and security professionals in search of a reason for a data breach. This information can also be used to provide proof to the end user if requested.
Privacy by design and by default
Security by Design is not a new concept. GDPR extends this concept to include ‘privacy by design’ and ‘privacy by default.’ It applies to all services that handle PII whether developed in-house or is acquired common off the shelf (COTS) software. It also applies to any software as a service solution (SaaS) delivered through a cloud service provider.
Dynamic authorization can play a significant role in conforming to these principles. PII access policies should be deployed using a top-down approach and applied to all systems and applications that store and maintain PII data. This top-down approach includes a strong governance process where the whole authorization life-cycle is incorporated.
Dynamic authorization can help meet and manage GDPR by providing centralization of access control, a fine-grained policy-based approach to access control, efficient change management and ease of enforcement across the enterprise. With the implementation quickly approaching, the time to act is now.