The Danger of Access Risks with GDPR: The story of Artie Fact

How much personal data are your employees able to access? What you don’t know will surprise you…and could possibly hurt you.

Imagine you’ve been with a company for 10, 20, even 30 years. How many roles have you had? How many applications have you worked with over that period? If you’re like many individuals, you will likely have switched jobs at least 2 or more times. Here’s the (fictitious) story of Artie.  Artie Fact has been with HappyGoLucky (HGL) Global for 5 years. He loves the opportunities he’s had to grow with the company, taking on a variety of roles with increasing responsibility.

When it comes to GDPR, an employee such as Artie Fact could become an inadvertent risk. Even if he doesn’t behave badly and misuse his employee access, what about someone who steals his credentials? The access to personal information that your employees have could be critical. Is there a purpose for their entitlement to that access? Do they still need it? How do you identify those access ‘blind spots’ — especially direct access to unstructured data and databases — where loose controls could potentially be exploited?

GDPR is not just about finding the personal data you hold or process; it is also about putting controls in place such that only individuals with a specific purpose have access to certain data, and the access rights should exist only as long as justifiably required and only for the intended purpose.

Traditionally, Identity and Access Management has focused on systems and applications with well-defined and catalogued entitlement->user mappings. Access entitlement to structured and unstructured data is a much more abstract concept though, and the IAM systems and controls in place today do not necessarily have visibility into that realm of access entitlements.

So, how do we find, evaluate and mitigate these data access risks? Let’s look at Artie’s case in more detail.

HGL is a great place to work – it has grown quickly and employees are encouraged and rewarded for great ideas, thought leadership, and innovation. With this, however, security controls can be an afterthought. ‘Goodie Gumdrops’ is an example of an exceptionally successful program, sending extravagant gift baskets on special occasions to HGL’s VIP clients.  Artie started as a Customer Service representative, handling complaints from VIP customers, and his response was often Goodie Gumdrops.

Beginning simply as the most cost and effort efficient solution, all the Goodie Gumdrop information, including client contact and personal data, was stored on a single SharePoint server. As HGL has grown, capacity and redundancy needs have as well. Servers now are in data centers in Europe and North America, and two new data centers are breaking ground in Asia.

Artie also frequently needs to cross-reference the Gumdrop gift system with the customer service database, and since he’s a power user, he’s been given direct access to that database as well. Now imagine multiple Artie Fact’s around the company, each having their own set of complex system entitlements, and you can see how difficult it is to gain visibility into access entitlements, especially as they grow over time. Luckily Artie is a loyal employee, but what about a sophisticated phishing or social engineering campaign targeting HappyGoLucky?

With GDPR, the access privileges challenge becomes even more important. We need to know not only where sensitive personal data resides, but also who has access and how they have access, and we need the ability to revoke access – not only when it’s no longer needed, but also if there are any indicators of the access leading to or perpetuating a breach. Additionally, we must identify and mitigate the Segregation of Duty risks of data access combined with application and system access.

It’s also important to note these visibility requirements extend to ALL data that could identify individuals who are located on European soil – not just VIP’s, but also customers, partners, and employees. In HappyGoLucky’s case, the challenge is that traditional identity governance systems have focused on application access and roles instead of business activities–they don’t necessarily have visibility into structured and unstructured access, so have not been able to address these access blind spots. IBM and STEALTHbits `have been working together to address these challenges.

First, we can use GDPR-defined classifiers to search for and identify the personal data in these unstructured data stores. Next, STEALTHbits is capable not only of identifying the “resource” and how the user has access to a specific file, but the actual rights that the user holds on those shares. We can import this entitlement information into the IBM Identity Governance & Intelligence solution to identify who has access, what are the access risks, and put processes in place to periodically review and revoke unneeded entitlements. Extending the challenge to structured data is also a concern. External attacks frequently exploit compromised credentials that have elevated privileges and allow direct database access. IBM Guardium helps us identify GDPR personal data in databases as well as these direct database access entitlements.

Together, we now provide a more comprehensive and classified view of personal data, where it is located, who has access, and help implement appropriate controls to limit access. Now Artie Fact and HappyGoLucky Global can get back to the business of customer happiness and building trust! After all, everyone is a VIP.

To learn more about how STEALTHbits and IBM can work together to help support GDPR requirements, join us on our upcoming webinar: https://go.stealthbits.com/game-over-use-ibm-stealthbits-sirius-stop-playing-hide-seek-gdpr-access-risks

Click here to learn how IBM Security can help clients with GDPR initiatives.