On May 25, 2018, the General Data Protection Regulation (GDPR) will be enforced across the European Union (EU). This regulation aims to extend the rights of individuals residing within the EU to better control and protect the use of their personal data in the evolving digital landscape. It’s also an attempt to strengthen, simplify and harmonize the data protection and privacy laws across Europe. GDPR requires any organization whose business involves either collecting or processing any EU citizen’s personal data – not just those that are located within the member states of the EU – to maintain compliance. Non-compliance risks both steep financial penalties and reputational damages. The CyberArk Privileged Account Security Solution protects the privileged credentials that enable access to the systems and applications that contain and process highly sensitive personal data.
Here are five ways CyberArk solutions can help organizations address GDPR:
- Protect and Monitor Access to Sensitive Personal Data
Attackers and non-authorized users target privileged accounts as a means to gain access to critical systems and applications that hold sensitive personal data. CyberArk enables organizations to perform live monitoring and session recording to quickly identify unauthorized, suspicious and high-risk activity. With CyberArk, organizations can control privileged access to systems and applications that hold and process personal data, which is essential for your GDPR data protection program.
- Secure Processing through Least Privilege Enforcement
Organizations are required to limit the risk of unlawful destruction, loss, alteration, unauthorized disclosure of, and most importantly – access – to personal data. CyberArk provides a unified access control solution to regulate and monitor the commands super-users can run based on their roles and the specific tasks they manage. The solution limits the use of privileged rights within the organization, enables them to segregate administrator duties and enforces least privilege policies for their super-users.
- Detect and Respond to Breaches Early in the Attack Lifecycle
GDPR requires unauthorized access to personal data to be reported within 72 hours of detection. CyberArk provides threat detection solutions that will not only detect malicious activity in real-time, but can contain the threat at the earliest stage of the attack lifecycle – before the attacker is able to gain access to personal data. The solution features an analytics engine that leverages statistical modeling, machine learning, user behavior analytics, and deterministic algorithms to detect attackers and malicious insiders navigating the network. As a result, incident response teams now have the additional time they need to stop the attacker before they get to their end target.
- Security Controls and Procedures Risk Assessment
CyberArk has a dedicated Red Team that provides a safe way for security operations teams to test their ability to effectively defend against cyber attacks. This team uses a variety of tactics, techniques and procedures used in real world attacks to help clients measure the risk to critical assets, uncover vulnerabilities, test security procedures and identify areas of improvement. This wide-ranging assessment will help demonstrate if the security measures and mechanisms in place can help guarantee the protection of personal data and demonstrate GDPR.
- Minimize Risk Against Non-Compliance
In the event of a breach, each organization and its business partners need to be able to prove that they’ve met their obligations – and in some cases – determine which party is at fault. So the question then becomes: who has access and to what systems and applications do they have access? CyberArk’s free Discovery and Audit (DNA) tool helps organizations discover privileged user and application accounts in their environments, including those used by third-party users. The tool produces a full report including a list of accounts and associated credentials as well as current account status with regard to your security policies. Furthermore, CyberArk solutions provide detailed logs and audit trails that capture privileged account activity for both internal users and third-party vendors alike. The log files are stored securely in order to prevent manipulation. Audit trails are searchable to aid in the event of forensic investigation or litigation from data subjects.
The core of GDPR is all about data protection by design and by default – CyberArk is all about security by design and by default. By locking down access to sensitive systems and applications, you secure control of who and what has access to personal data. Research shows that most organizations will not be compliant when GDPR officially goes into effect. Given the potential fines upwards of €20 million, impact on customer loyalty, future loss of revenue, brand damage, etc., it makes good business sense to address GDPR requirements urgently. For organizations that have a strong privileged access management strategy in place today, this conversation is already top of mind for CISOs, compliance officers, legal and IT professionals.