Implementing IAM for your GDPR strategy
12th September 2017 by Mária Bicsi
The original article can be found here.
Working in the Swiss market in the IT security field, especially with Identity and Access Management technologies, I frequently receive this question: how can Identity & Access Management bring you closer to GDPR compliance?
GDPR stands for General Data Protection Regulation and will enter into force on the 25th of May 2018. Many of you may be asking why we speak about an EU regulation in Switzerland. The 3rd article of the Regulation says that all organizations that are not part of the EU but offer goods or services to EU individuals, or monitor their behavior, are subject to the GDPR, as you can read in my previous article.
By this principle, the Regulation applies to many Swiss companies.
GDPR is a principle-based regulation: it tells you what to do, but not how to do it. Many companies have started preparing for compliance with the new regulation through a range of actions: gap analysis, data mapping, contract review, implementing reporting technologies, etc. We see in practice that one of the biggest challenges is to define the right steps and to choose adequate technical solutions.
In Art. 32, called Security of Processing, GDPR says that the Controller and the Processor shall implement appropriate technical and organizational measures to
But where is the risk inside an organization?
We distinguished three main categories: People, Data and Application, which are interconnected.
From the security perspective, we have to ensure pseudonymization and encryption of personal data; we have to be able to ensure the confidentiality, integrity, availability and resilience of processing systems and services; we have to ensure business continuity in case a physical or technical incident occurs; we have to regularly prove the effectiveness of the security measures; and we have to be able to demonstrate compliance at any time.
Let’s see how Identity & Access Management can help to meet these general requirements.
Identity & Access Management is a security practice that enables the right individuals to access the right resources at the right time. It helps to protect data, applications and people at the same time, and it has all the reporting tools needed to contribute to demonstrating compliance.
A full-stack IAM implementation contains at least three sections: Access Management, Identity Governance and Privileged Identity Management.
- Access Management - minimizes unauthorized access to personal data and prevents its disclosure, which is the main focus of the GDPR. Take the example of a customer creating an online account in which personal data is provided. An access management tool can embed the data subject's consent to the processing of personal data, can provide the mandatory information about the controller, such as identity and contact details, and can inform the customer about the purpose of the data processing, as required by Article 13.
- Identity Governance - ensures that only authorized people have access to the resources they need to perform their job, defining segregation of duties and least privilege. Using Active Directory is not enough anymore: it creates and manages the "certificates" in a passive way, not in an agile and intelligent one.
- Privileged Identity Management - is a technology that enables proper control and monitoring of administrative credential usage, such as that of Windows and Unix/Linux system administrators. Such solutions prevent the use of shared accounts and enforce transparency and accountability, which is one of the core requirements of the GDPR.
In conclusion, an Identity & Access Management solution considerably reduces insider threats, eliminates the anonymity of shared accounts, enhances accountability inside your company, informs your customer about the controller's identity and asks for consent to the processing of personal data, and thus helps you take another step on the way to GDPR compliance.