The data protection lessons learned over the last 10 years have underscored the importance of protecting personally identifiable information (PII) time and time again. Nearly 4 billion records have been lost across the 15 largest data breaches in history — 10 of which occurred in the last decade. When these breaches happen, businesses face more than just a hit to their brand reputation – they can also translate to fines and penalties equaling millions or even billions of dollars.
Because the security of PII continues to grow in complexity, governments are continuously extending the rights of individuals to better control and protect the use of their personal data. In the European Union, enforcement of the General Data Protection Regulation (GPDR), began in May 2018 to regulate on data protection and privacy.
Meanwhile, in the United States, a bill meant to impose penalties for cybersecurity breaches that put sensitive consumer data at risk, the Data Breach Prevention and Compensation Act is winding its way through congress and several states already have their own security data breach laws similar to GDPR.
The recent New York law, Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which was implemented to broaden data security and breach notification requirements, expanded the definition of the types of private information to be protected. For example, SHIELD added data elements or a combination of data elements that would grant access to someone’s PII to the types of protected information.
Furthermore, email addresses, email passwords and biometric information (digital copies of fingerprints, voice prints, retina scans or any other digital representation of biometric data) fall under the expanded definition of the types of private information under the SHIELD Act.
As more privacy laws continue to be enacted throughout the world, it is clear that companies now have a legal obligation to protect consumer data, and with fines up to as much as 4% of annual global revenue (in the case of GDPR), it is an obligation that no company can afford to ignore. The National Institute for Standards and Technology (NIST) suggests that PII should be protected through a combination of measures including operational safeguards, privacy-specific safeguards and security controls aligned to a risk-based approach.
Privileged access management has a key role to play in protecting PII. Here’s how:
Access Enforcement and Separation of Duties
Organizations should control access to PII through policies and access enforcement mechanisms. One of the ways this can be done is by managing privileged credential policies across the entire IT environment, isolating sessions through a highly secured proxy and implementing role-based access control to help ensure that each user can only access the systems and data needed for their specific role.
Privileged access management solutions continuously scan the environment to detect privileged access, validate privilege by adding discovered accounts to a pending queue and automatically onboard and rotate accounts and credentials based on enterprise policy in a highly encrypted vault.
The use of a secure and fully-isolated proxy helps prevent the exposure of privileged credentials directly to the end users, their target applications or devices. This secure control point manages access to these privileged credentials and implements dual-control for a more robust workflow, providing users with customized approval workflows that ensure that they are in compliance and allowed to access the systems hosting PII – no matter the environment (cloud or hybrid).
User-Based Collaboration and Information Sharing
Another NIST guideline focuses on the need for automated mechanisms to assist users in determining whether access authorizations match access restrictions. This is especially important for PII. Privileged access management solutions can integrate with IT service management solutions to enforce security policies in an operationally efficient manner. They do this by triggering the approval processes that authorize access to systems and applications containing PII and elevate privileges to execute tasks within a system or application.
Remote Access
In order to perform their defined tasks, organizations often grant third party companies access to critical internal systems and sensitive information, including PII. Providing remote access through VPNs is a common and valuable solution for a secure connection from outside the network. However, when it comes to providing access to critical business systems and applications, such as ones that manage and store PII, VPNs aren’t designed to provide granular, role-based access.
Remote access solutions aim to solve this problem by leveraging Zero Trust access, biometric multi-factor authentication and just-in-time provisioning so that third parties only have access to the systems they need, and for only as long as they need it.
Least Privilege
It’s a common best practice to only allow access to applications and machines by those who are performing a specified task. Privileged access management solutions help enforce defined access permissions. These solutions are also integral to enforcing the principle of least privilege – that people only have access to what they need to do their jobs and only for a certain amount of time.
Privileged access management solutions remove and manage local admin rights on workstations and servers, approve applications to run and block malware, including ransomware. Unknown applications are able to run in ‘restricted mode,’ which prevents them from accessing corporate resources, sensitive data such as PII or the Internet.
Auditable Events, Reviews, Analysis and Reporting
In order for businesses to comply with multiple regulations, they need to demonstrate that they are correctly managing of PII for audits. Privileged access management solutions enable companies to automatically record and store privileged sessions within a centralized encrypted repository. Prioritize auditing recorded and active sessions with video playback that streamlines reviewing the most suspicious activity.
Identification and Authentication
A crucial step in a strong security program is the ability to identify and authenticate users before accessing critical systems and sensitive PII. Privileged access management solutions help authenticate users and transparently log onto applications using credentials stored and managed in highly encrypted vaults.
These solutions can also integrate with support user accounts and groups of users whose details are stored externally in LDAP-compliant directories and use Active Directory Federation Services (ADFS) to access environments with single sign-on. Equally, leveraging multifactor authentication (MFA) as part of an overall privileged access management program allows organizations to add an extra layer of protection – beyond a password – to better secure systems containing sensitive information.
As organizations continue to grapple with new and emerging regulations, a mature privileged access management program can play a key role in helping to not only protect sensitive PII and comply with these directives, but also to continue to build consumer trust.
Attackers have been very successful (and profitable) over the last 10 years – putting many companies and their security programs to the ultimate test. As we start this new decade, it’s unlikely that attackers will slow down, but there are tools and technologies to help limit their success.
Want to learn more? Find out how Privileged access management helps meet NIST controls for access management, audit and accountability, and identification and authentication. Or check out the CyberArk Blueprint for simple and prescriptive guidance on how to develop effective and mature privileged access management programs.