Webinar Recording

Personal data breach and the GDPR – Prevention, Detection and Notification


The General Data Protection Regulation (GDPR) issued by the European Union will be a major challenge for practically any organisation doing business in Europe. All systems handling data that is subject to data protection legislation (i.e. personal data, often referred to as PII, personally identifiable information) will need to comply with the requirements of this regulation. And, quite logically, IT systems will in turn be key enablers for many organisations in achieving compliance with this new set of requirements.

So good afternoon or good morning, ladies and gentlemen, welcome to this webinar, "Personal Data Breach and the GDPR – Prevention, Detection and Notification". This webinar is supported by CyberArk. The speakers today are me, my name is Matthias, I'm a Senior Analyst with KuppingerCole, and we will later be joined by Duncan Mills, who is Senior Product Marketing Manager at CyberArk. Before we start, some information about KuppingerCole, the obligatory housekeeping notes, and a look at today's agenda, but we will make that introductory part very quick. About KuppingerCole: the company was founded in 2004. We are headquartered in Germany with a team of international analysts spread across the world, including the US, UK, APAC and central Europe. We offer neutral advice and expertise in various areas to companies, to corporate users, to integrators and to software manufacturers. We started out with identity and access management being the original starting point.
We are now working in all areas: information security, GRC and governance, and cloud security, very important. And generally speaking, we cover all the important topics in the areas concerning the digital transformation. Our business areas, very quickly: we have research, and in research we provide a wide range of strategic documents and reports, including our Leadership Compass, comparing vendors and market segments. We do events, and we will have a look at that on the next slide, because that is an important part for us, especially now. And the third area, which is advisory, is where we provide vendor-independent market expertise to customers like end users and vendors, ranging from roadmap advisory, product and technology selection, or maturity assessments. Our conferences, our events: we are looking forward to two, or in fact four, events in May. There will be the European Identity & Cloud Conference in Munich from the 9th to the 12th of May.
This is the lead conference around identity and cloud security. And we had a very successful and inspiring event covering all the new developments in the consumer identity world, between opportunities and regulations, some weeks ago in Paris. We will be embarking on the Consumer Identity World Tour 2017, and we will come to Singapore, Seattle and Paris later this summer and fall to reiterate on that consumer identity topic. Some guidelines for this webinar: you are all muted centrally as participants, so you don't have to mute or unmute yourself; we take control of the mute and unmute features. We will record this webinar, and the podcast recording along with the slides will be available by tomorrow at the latest. And there will be a Q&A session, a question and answer session, at the end, and you can enter your questions at any time using the questions feature in the GoToWebinar control panel.
And we will get back to them later in the Q&A session. So if you have any questions regarding what I'm talking about, or what Duncan will show us, please enter your questions and we will take care of that. And if there are lots and lots of questions, we can catch up with them after the webinar. The agenda for today: the first part will be my part, which will be key concepts of the General Data Protection Regulation, so an introduction to the GDPR, and especially the role of secure and privacy-oriented systems and processes for achieving compliance. Then Duncan Mills of CyberArk will take over, and he will focus on securing the supply chain, controlling and auditing access of third parties to personal data. As a short disclaimer, neither Duncan nor I are lawyers. So this is not intended to be advice of a legal character, but from a practitioner's point of view.
So if there are any legal or regulatory questions open, please get in touch with your legal department or with a lawyer. The third part, as I mentioned, is questions and answers, so then we will catch up with the questions being provided, and I'm already seeing the questions coming in, which is great. So then I will start with my first part, the key concepts of the General Data Protection Regulation, a very basic but hopefully thorough introduction to what we expect to happen in the next more or less one year. So first of all, the overview and history. We have three segments on that slide. The first is what was before the GDPR. Before the GDPR we had, at least with the focus on the EU, individual data protection laws within each EU member state. And although there were quite some EU directives, they had to be transposed into each national legal system to become effective.
So the result was very diverse when it came to the individual legal situation within each EU member state. Then the GDPR was designed, and we will look at that to the right later when we see what it looks like. But the idea was that the GDPR's entry into force was actually on the 25th of May 2016, and it will be applicable from May 25th, 2018, which means we have two years of implementation. That is meant, on the one hand, for all people or organizations who are subject to the GDPR, and it's also a phase for the individual countries to add some accompanying national laws and, yeah, for the companies of course to achieve compliance with the GDPR. We get to a situation where we have a harmonized data protection regulation across the EU, as the GDPR applies directly without any national law being required.
So we have a real harmonized situation from the date of being applicable, May 25th, 2018. It is meant to align with the technological developments that happened since the earlier legislation had been designed. And it's also designed to be dynamic, to adapt to changing factual situations. It very much strengthens the data protection standards, especially when it comes to the legal situation of the data subjects, which means European people like me. And a special, important aspect is that it is also binding businesses outside the EU to European standards when they are operating in the EU or the EEA, the European Economic Area. And we will have a look at that later on. So we have before, we have two years in between, and we have the GDPR being in force. So if we fire up our favourite IT GRC tool, Excel, and we have a look at this short calculation, we will see the 25th of May 2018.
And the 23rd of March is today. So we have 428 days to go to achieve compliance, or at least to give a hint at how we want to achieve compliance and to have taken the first steps. So that is quite interesting, because that is not too much time left. And these 428 days actually include Christmas, New Year's Eve, Easter holidays, all of that. So that is not too much, just to show the urgency of action if nothing has been done yet. A short summary of the key provisions of the GDPR; we have put it down in six main topics. The first is that many organizations, not all, depending on the type and the character of the personal data that is processed and how it is done, will need to appoint a data protection officer. That needs to be decided on a per-organization basis, but it will be many more organizations than before.
And in several countries there was no obligation to do that at all. Second, there has to be a mechanism for data breach notifications: (a) identify a data breach and (b) notify the right counterparts, which will be the data protection authority on the one hand and, in very critical cases, also the individual data subjects, the people whose data was leaked or breached. For the overall processing, there needs to be, for every processing step, either consent by the individual data owner, which is the data subject, the person, or there need to be legitimate grounds, like for example a contract or a law obliging the organization to do that. So there needs to be a good reason to process data; otherwise it's not lawful.
We have very much extended rights of the data subjects, and we will get to that later. And the idea, of course, for international organizations doing business within the whole of the EU, is that there is to be a one-stop shop; that's how they call it. So there should be one data protection authority in one country which takes over overall contact for the organization as a whole. So if you have a main home for your organization within the EU, for example in France or in Germany, then the DPA there will be the one-stop shop for you. And the last thing, at least to mention it once, actually twice, later on: there will be some heavy administrative fines in case the GDPR provisions are not fully implemented or are breached. But again, as we are not lawyers, that needs to be verified, of course, with the legal team. In general, the data protection principles that are to be imposed on the way that organizations deal with data are the following.
And I go through them quite quickly. Of course, the first thing is lawfulness, fairness and transparency. So you have to do it only if the law allows it or if you have consent, you have to be fair and open in the communication towards the data subject, and you have to be transparent. Every processing of the data needs to be purpose-limited, so it's really only for the processing that you have consent for, or the lawfulness in general. You should only store the information that is required to actually follow your purposes. This information needs to be accurate, and accurate means that anything that is wrong or that needs to be corrected has to be corrected or removed. Storage limitation means that the amount of time that information is stored is limited to the time that it needs to be there, and after that is over, it needs to be removed. Integrity and confidentiality of the information of course have to be maintained.
So it needs to be made sure that it's kept confidential and that it's fully consistent. And there's a clear role of accountability, which might be relevant for both the data processor and the data owner, and we will have a look at that later on as well. So these principles are very much built into the DNA of the GDPR and therefore need to be built into the applications and services that are created around that. I mentioned before that the data subject rights are extended, mostly, not everywhere but in many cases, and these data subject rights are quite logically built upon each other. So if we have a look at these data subject rights, the first is transparency. People have to know that organizations store information about them. The next thing is, once they know that you have information, they need to have access to that information, completely, fully and accurately.
If there are any issues there, they have the right to rectification of this information. They have the right to erasure, which went through the press as the right to be forgotten. So every piece of information that is no longer needed and that the data subject wants to be removed, or that needs to be removed anyway, should be removed. The restriction of processing is an important data subject right. So when you agree that the information is used for the fulfillment of a contract, that does not mean that the information is automatically also allowed to be processed for marketing purposes. Data portability is a very new right of the subject. So they can say, please hand over the information to me because I want to move it somewhere else. So it needs to be extracted in a portable way. Portable means a machine-readable format that the next service can efficiently work with.
Objection is a very important subject right, to make sure that you can really object to the usage in case you don't agree with the usage and there is no lawful reason for it. And an important right is that the information cannot, must not, be used for automated decision-making without further provisions made by the data processor. So these are very strong rights, and these are rights that are not necessarily built into today's application systems. And that might involve some heavy work by organizations and application owners and system providers and programmers to actually achieve the implementation of these processes that are behind that, and that need to be in place to implement the GDPR and to get compliant with it. The scope of applicability, we mentioned that before, is very important. This is, yeah, a world map. And actually there's a reason for that, because we have two different dimensions for that. For EU businesses:
So for all businesses actually located in the EU, the GDPR applies directly because it's EU legislation, and so it applies directly to both the data controllers and the data processors, so those who own the data and those who deal with the data, which might be the same instance in some cases. For non-EU controllers and processors, there is this so-called extraterritorial effect where the processing activities are related to, and I don't read it out, but the main thing is, the case that data of EU citizens is involved. Then the European data protection regulation also applies. So if you offer goods or services, if you monitor their behaviour, and they are EU citizens, then the GDPR applies, and that is not limited to payment-related services or goods, but most probably also applies to free services and free goods, not that often available, but anyway. So this will be an extension of the scope towards organizations who store data of EU citizens in systems outside the EU.
And that is a large extension of the scope of applicability. A short slide about fines. The GDPR, Article 79, says that a company that violates certain provisions of the GDPR, for example, and I'm not a lawyer as I mentioned, the basic processing principles or especially the rules relating to cross-border data transfers, so out of the EU to somewhere else, may be subject to fines amounting to either 20 million euros or 4% of the company's total worldwide annual turnover, I repeat, 4% of the company's total worldwide annual turnover, whichever is higher. So these fines are quite substantial. So even if you do not agree with the ideas behind it, the money aspect that is presented on that slide might give a hint towards really implementing and achieving compliance with the GDPR. Very quickly, the obligations for data controllers and data processors: they are obliged to document what they're doing. They need to cooperate with a competent data protection authority, so that's the one-stop shop thing. They have to implement appropriate technical and organizational security measures, and that is of course, at the latest, where Duncan and CyberArk and their solutions come in. So appropriate technical and organizational security measures are very, very important.
They need to notify in case of a data breach, so identify the breach and deal with the breach in an adequate manner. In any case, you need to identify a legal basis if you transfer data internationally, and if required, they need to designate a data protection officer. So my last slide before I hand over to Duncan is this one. What are the tasks and challenges if you want to prepare the first steps for dealing with the GDPR and for achieving compliance? The first step that you have to make is that you have to assess your organization. So you really have to understand what data is there, which personal data is there, how it is processed. And you need to understand what happens when data protection is not handled adequately, so impact assessments, and what the risks to the rights and freedoms of data subjects are.
And that depends on the amount of data and the type of data that you store about your data subjects. The next step would be that you have to make sure that you embed GDPR compliance into both your processes and your systems. So it is always a combination of organizational measures to make sure that, for example, adequate consent is requested and that it is documented, which would be done in an IT system later on. So it's both systems and processes. Implement consent management, as I mentioned before: gather consent from the data owners, the data subjects, document it, have it at hand when somebody asks for the documentation. So process data according to given consent or legitimate grounds for processing, what I mentioned before regarding a contract or a legal obligation to store data. The next step would be, if you have this all in place, nevertheless prevent the breach. Make sure that there are mechanisms in place that prevent data breaches by design.
And that is what is called within the GDPR data protection and privacy by design and by default. So that means systems should be designed so that there is no way to have a data breach at all. So there should be, for example, end-to-end encryption. And by default means that data protection should not be something that is switched on afterwards, but data protection and privacy should be the default. And in case of the consent of somebody, then they might be lifted or weakened or opened up, but the highest possible protection and privacy level should be the default value to start from. But nevertheless, prepare for the breach. So detect breaches, have mechanisms in place that detect them, and Duncan will have a look at that later on. Provide mechanisms that will make sure that you have adequate notification processes in place. And, for example, a good thing to do is to have pre-canned communication implemented so that you really have enough time to deal with the notification of the data protection authorities at that point.
Okay. And the last part of that is demonstrating compliance, which is an important part here. So you have frameworks in place that are used to document your compliance, that you have all controls implemented and that you document all the measures that are adhered to. So you really are always able to provide evidence that you are compliant, because that is part of your documentation duties when it comes to the GDPR. Getting to an implementation of these six blocks is, in our opinion, at least from KuppingerCole as an analyst company, a good starting point, but when it comes to technical details, to implementing real-life solutions, you of course have to go into more detail and implement systems that make sure that you are compliant. And with that, I would like to hand over to Duncan for the second part of the agenda, getting into much more specific detail. But just as a reminder, in case you have any questions regarding my or Duncan's presentation, please enter them into the questions panel of the GoToWebinar software so that we have a good basis to jump into the Q&A session right after Duncan's presentation. So I would like to hand over to Duncan, and if you want to introduce yourself, that would be great. Thank you. Looking forward to your talk.
That's great. Thanks a lot, Matthias. And just let me add my welcome to everyone here. So my name is Duncan Mills. I work in the team at CyberArk which is responsible for understanding challenges and problems in the market that we can help customers to solve, and then communicating how we solve those out into the market to organizations like yours. So I think Matthias has done a really, really good job of giving us some great information and a great overview of the regulation. And I think what is really interesting to see from that is that this is not just about technology, far from it, but technology has a major part to play, especially when we are talking about securing data. And I'm sure most people on this call, on the webinar, are aware of all the media attention that's being given to GDPR over maybe the past 12, maybe even 18 months.
And most of that media attention is focused on some of the real highlights, and you're seeing vendors in the cyber and information security space, so CyberArk's peers and competitors in this space, who are all talking about how they can help organizations to meet the regulation, to comply with the regulation. And of course that's the right thing to do, because as an information security company, our remit is to help protect information. And part of that information is of course personal data. And what we have done at CyberArk is spend probably the last six months or so talking with GDPR experts to help us understand where we can really focus down so that we can add significant value. So yes, we do have a story to tell around the big picture and how we protect information in general and protect valuable assets. But what I would like to do today is, first of all, just talk around that piece, what we do as an organization and how we can help to protect you in general and protect your personal data. Then I want to drill down into some of the very specific parts of the regulation that we've identified where we can add significant value.
So at CyberArk, we are all about protecting privileged credentials. Privileged credentials enable organizations, users, and applications to access highly valuable assets. And these credentials are everywhere. They sit on endpoints, servers, networking infrastructure equipment, cloud applications, industrial control systems, and even the security controls themselves that organizations have deployed to help protect data. So imagine the situation; this is a really good example. You've spent lots and lots of money on deploying security controls to protect personal data, maybe encryption, maybe DLP, data loss prevention. If an attacker can steal the credentials to log into that DLP server, then they can potentially disable the functionality, and all of the investment that you've made in those security controls is completely gone, because it's no longer providing the protection that you expected it to provide. So this is why protecting those credentials, the privileged credentials, is so important. And research that we've done shows that most organizations have between three to four times as many privileged credentials as user accounts.
So standard user accounts, which is a massive number, and lots of organizations don't actually understand where those credentials actually sit. So our role is to help organizations to manage those credentials. The way that CyberArk sees the attack chain is what you're looking at here on this slide. So two types of threats, an internal threat and an external threat. To all intents and purposes, if an attacker manages to compromise your perimeter, then they are inside your network, and they are, to all intents and purposes, an internal user. We talk about internal threats because clearly there are malicious users in any organization, and also there are well-meaning insiders as well. And GDPR does actually take account of accidental loss or destruction of data. So there is an element of the accidental here which also needs to be addressed. So it's not always malicious users, malicious attackers, that you are trying to protect against.
So the way we actually see the attack chain is that a bad actor, an attacker, will typically land on an endpoint. So maybe they'll send a phishing email to a user and they'll adequately socially engineer that user so they click on the link that downloads malware, and that means the endpoint is then compromised. And the first thing the attacker will then do is try and steal credentials. So for the more technical people listening to this webinar, you'll know that Windows endpoints, for example, cache lots and lots of credentials. So if a user asks an administrator to help them with a problem and the administrator logs into their laptop, those admin credentials are cached on that laptop. And it is a very, very simple process to go and dump those credentials out, so you can then use those credentials to try and access other assets on the network.
So higher-value assets, servers, domain controllers. So what we see is that an attacker will move laterally across the network and elevate privilege as they go until they reach the high-value assets and the target, which in the case of GDPR would typically be personal data. And what they then do, of course, is try to exfiltrate that personal data, or maybe destroy it for some reason, to disrupt the business. So what CyberArk does is break the attack chain. We manage and secure credentials so that the attacker cannot move across the network to reach those assets. We start on the endpoint, so we can secure privilege on the endpoint, and we manage all of those credentials for access to privileged and high-value assets. And of course those credentials could belong to a full-time employee.
They could belong to a contractor who you've got working in your organization, or even a third-party business partner. And drilling down now into GDPR, one of the areas we've found where we can add significant value is around third-party risk. So why is third-party risk important? If you look at the majority of organizations today, they're very focused on their core competencies, and they do this because that allows them to focus, which means that they can produce quality products and services for their customers. What this does mean is that they have to fill the gaps by building ecosystems and complex supply chains. And what that means in itself is that you have this complex supply chain, which means that typically you need to give access to non-employees to your systems, your network, and to that personal data.
So let's take a very simple example. As an organization, you might outsource your customer support, and you would allow access to this third party so they can access your customer database. Yep. So they then become a data processor, to all intents and purposes, and we'll move on and talk about that right now. But what actually happens, of course, is that for these guys to access your systems, they need to have credentials. So they will have credentials allowing them to access that personal data on your network, and that is potentially a weak link. So we've identified quite a few articles within the regulation which do relate to third parties. I've highlighted here just the four key ones I want to talk about. So the first one, Article 28. This is a part of the regulation which, for the first time in a pan-European regulation, provides for data processors sharing responsibility with data controllers.
So this means that in the past, with the old EU directive, the controller was liable for personal data; with GDPR, that liability is now shared between controllers and processors. Let's just step out and let me define those two terms for you. So a controller determines the purposes for which, and the manner in which, data is processed, and the processor processes data on behalf of the controller. So Article 29 suggests that the processor is only allowed to process data which they have been authorized to process, and they're only allowed to do with it what the controller tells them to do with it. So that's really quite key as well. Now this is all very well, but imagine this complex supply chain we've been talking about, and you end up with potentially multiple controllers and multiple processors in that supply chain. So you have a concept of sub-processors, and each of these parties has to have contractual relationships with each other.
So you have back-to-back contracts and back-to-back clauses in those contracts. And that's really, really important, because if there is a data breach, you need to understand who's responsible for that breach. And of course there are technology solutions around that can help you to understand who's responsible for the breach, leaking data, destroying data, and how it happened. It's really important that those technology solutions allow you to do that. So Article 32 is the one which is really focused on the technical measures. This is about how you secure the processing of data. What's really interesting here is that it doesn't specify particular technologies. Some regulations will actually talk about a specific technology, and that's great for organizations like ourselves, because if they specify privileged account security, then that means that we can really, really help and put a tick in the box.
But GDPR is a little bit vague, and there are no specific technologies that are really mentioned. So Article 32 talks about technical measures to prevent unlawful or accidental destruction, loss, or disclosure of personal information. And I think what's key here for me is the accidental piece. Now, this is not always about somebody maliciously trying to expose data. And as I said before, these third parties who are accessing your systems, you know, potentially have a similar level of access to insiders. So do consider insiders as well, whether it be a malicious insider, and I guess the ultimate example there would be Edward Snowden, we all know that story, but also consider the accidental piece here, that an insider could accidentally leak data or destroy it. And then finally, the bit that we really need to think about protecting against as well are the attackers, so the attackers who have managed to breach your perimeter. Article 82 is a very interesting article, because it's not really been given much media attention.
Most of the tangible and intangible costs associated with GDPR that people are talking about are around the fines that can be imposed by the regulatory bodies, so the 20 million euros or 4% of turnover that Matthias mentioned earlier. And what people don't tend to be talking about very much is an explicit right to compensation for an individual, for either material or non-material damages. So think about that 20 million euros. And, you know, if you think about some of the media attention for breaches over the past few years, it's not unusual to have seen 200 or 300,000 records that have been exposed. So imagine two or 300,000 individuals seeking compensation from an organization, and that could potentially eclipse the 20 million that we're talking about. So there could be a massive liability here, and that liability is shared across the controllers and processors. So it's really important.
Again, they have their back-to-back contracts in place, but what's also interesting is that if an individual goes after one party, then that party can seek compensation from the other parties. So if an individual goes after one processor to try and seek compensation and they're successful, then that processor can seek to share the compensation with the sub-processor. But of course they have to prove liability here as well, and again, technology solutions will enable you to help prove that liability. So how big a problem is this third-party risk? Well, it's actually really, really serious. There are a few numbers on this slide from various bits of research. So 58% of organizations don't trust their business partners' security, and rightly so, because other research suggests that 63% of security vulnerabilities have been introduced by a third party. As I mentioned before, this is not necessarily malicious attackers.
It's not necessarily malicious third party employees. It could well be that an attacker has managed to breach that third party organization, and this is not uncommon. The supply chain has been under attack for a number of years, and the reason why is because small businesses typically have few resources to focus on security, they have less budget, and they may also be quite complacent. A very small organization would typically take an attitude of "why would anybody want to attack me?", and potentially they want to attack them because they're not the eventual target; they want to use that trusted business relationship to actually infiltrate and gain access to a larger business partner. And a number here just to validate that: 65% of spear phishing attacks in 2015 were targeted at companies with fewer than two and a half thousand employees.
So what's important here is that you need to protect yourselves from organizations whose security you have no control over. You can't control the security policies or the controls that are put in place at your business partners, and this starts with securing those third party accounts that the business partners are using to access your systems and your personal data. So securing credentials in a third party business partner is really difficult. You don't know whether their users are writing them down on a Post-it and sticking them on their screen. You don't know whether they're saving those credentials into a file and saving it on their desktop. So it's really, really difficult to actually manage, first of all, that kind of human element, but then also you don't know what endpoint security controls they have. So we spoke earlier about the attack chain, and the landing point typically is the endpoint.
First of all, you've got no idea whether your business partners have good endpoint security. You don't know whether it's up to date, so you don't know whether their various signatures are up to date, et cetera. And of course, once an attacker has those remote credentials, then they can access your systems. So the onus is on you to secure those credentials. That's the bit that you can control. You can control the access to your systems, so you control those credentials, you monitor the access to your systems from those third parties, and that enables you to have an audit trail of those accesses. And by demonstrating the controls you have in place, you can show you have adequate security measures in the event of a breach.
So as confirmation of this third party problem, there have been lots and lots of examples in the media over the past 12 months or so, and you couple this with this increasing reliance on ecosystems and more complex supply chains, and then you add GDPR to this. And I think GDPR could well focus people down on this and hopefully make people understand that they do need to control this third party access, and it should increase the levels of security. So where can CyberArk help here? So I've got a number of recommendations here, and they're all kind of aligned with what we can do to help you manage this third party access. The first one is around identifying all of those third party accounts, and indeed all of your privileged accounts, and CyberArk can actually work with organizations on this. We have a free tool which you run in your environment, and it'll help you to identify all of the privileged accounts in that environment, and for the purpose of this discussion,
of course, it will help you to identify those third party credentials, or third party accounts, or accounts that are being used by third parties, and the accounts that are being used to access personal data, and of course personal data with third parties. The second area where we can help is to help you to secure those credentials. So the credentials that are being used, we can secure them, we can rotate them and we can track usage of those credentials. Our Enterprise Password Vault is the product, and it really forms the basis of CyberArk's Privileged Account Security solution. And we can align this with your existing password policies in terms of length, strength, rotation time, and it allows you to protect credentials both on-premise and in the cloud, and for any authorized users, including these remote users. The way it works is, when a remote user logs in, they don't try to access the target system that contains personal data directly.
Instead, they log into CyberArk via our portal, using either single sign-on or multi-factor authentication, et cetera. They'll get presented with a list of target accounts that they have access to. They click on the account, and Enterprise Password Vault will either pipe the credentials straight into the target system, or it will present the credentials to the user, and the user can then input those into the login themselves. I guess a good example here, just to put a bit of context around it: work on the assumption that you have a policy that rotates the password after every single use. So if an attacker has compromised the user's endpoint device, and they see that password and they manage to steal that password, and then they're going to try and use it again later, they won't be able to get into the target system, because the password will already have been rotated.
The next level here is our Privileged Session Manager solution, and this allows you to do two things. It allows you, first of all, to isolate all of the sessions. So what we do is we actually act as what we call a jump server, and it's a proxy that the privileged session flows through. So let me just give you an example of how this actually works. So as before, if a user goes to log in, the same thing happens; this time they're logged in automatically. So the password will be taken from the vault, sent into the target system, and that will authenticate the user. And then through the duration of that session, all of the communication will flow through Privileged Session Manager. And that means that, first of all, you have this element of isolation I've just been discussing, which means that if the end user device is compromised in any way, if it's malware, for example, that malware will not be able to spread to the target system, because Privileged Session Manager is isolating it.
And then of course, because the session is flowing through Privileged Session Manager, we're able to record that session, so we can record and track every single thing that that user does, and that appears like a video-type recording. And the recording is stored in a tamper-proof safe, and that safe can then only be accessed by your own administrator. And just to refer back to GDPR, Article 30 actually highlights a necessity for recording of processing of data. So this will provide you with an element of that recording of what was done during that session. And again, it will help you to understand a breach, prove what happened, and prove who was maybe involved in that breach.
So finally, Privileged Threat Analytics. This is a product which is integrated with both our vault and with third party SIEMs, so security incident and event management. And we will take data from multiple devices, take information around privileged sessions, and we actually baseline the user behavior. So then in future, if we see any abnormal behavior, we can alert you in real time, and your incident response teams can actually react and potentially disrupt an attack while it's in progress. And again, this is about showing that you have the controls in place. So just to summarize what we covered here: the number of third parties processing data is increasing due to the building out of ecosystems and complex supply chains, and we know that between 40 and 60% of breaches actually originate in those third party systems. So controlling access from third parties into personal data is absolutely a key requirement, and auditing that access is a key requirement as well.
One thing that we haven't spoken about, which is worth mentioning, is that this is all about minimizing liability. GDPR does not allow you to completely absolve yourself of any liability, and this is interesting, because what this means is that all of these organizations in the supply chain really have to help each other to become compliant. So this is not just about apportioning blame; a lot of it is about helping your partners to be compliant. And another reason that's really the good thing to do, and best practice, is because if you look at some of the other articles, so Article 58, a regulatory body can actually suspend processing. So in the event of a breach, one of the recourses that a regulatory body can take is they can tell a data processor that they are no longer allowed to process data.
Now, you imagine that's a key part of your supply chain, and that potentially could hit your business as well as theirs. So it's really in your best interest to ensure that all of these business partners and third parties in the supply chain are compliant, and help them to be compliant. And then finally, GDPR is already in force, and I think probably not many people know that. It came into force last May; the 25th of May 2018 date that everybody's talking about is the date when it will be enforced. And just recently there were some stories in the media around what happens if an organization is breached already today, but they don't discover it or don't report it until after the 25th of May, and the legal people who were discussing this were not in agreement. Some suggested that the new regulation would actually apply, even though the breach occurred prior to the enforcement date. So the message here is act now, do something now, don't wait until next May. And then finally, what do you do next? So please come and talk to CyberArk, let us engage and let us come and talk to you about our DNA tool. This is the tool that will allow you to identify all of the privileged accounts in your environment, including those third party accounts that have access to personal data. So with that, that's me finished, and Matthias, over to questions, I assume.
Yes, absolutely. But first of all, thank you, Duncan, very much for this great presentation. So for our participants, we are now moving into the Q&A session, so please make sure you have added all your questions through the questions panel on your screen. There are some already there, so please feel free to add; last chance. And for the Q&A session, there will be a technical backup for Duncan, so he will be accompanied by Alexei Wilson, who is a solution architect at CyberArk. And we have already a few questions, so let's start with them. So, first of all, a question that has a bigger-picture background. You have mentioned, and because we are looking at privilege management here at that point, that GDPR compliance includes privilege management, but it goes beyond that. So are you cooperating with other vendors, especially with vendors that do provide overall documentation systems for proving GDPR compliance? Is there something that gives a complete picture when it comes to providing evidence?
So yeah, let me address that first of all, and maybe I'll hand over to Alexei to drill down if he has anything to add. So I guess at a high level, if you look across the information security space, I think it's one of the few industries where organizations still build out best of breed, and I think it's poised to continue to do that for many, many years. And there are players in the space who do provide quite a lot of different solutions and products, but I think that the enterprises and smaller businesses do tend to look at building out best of breed. And of course we see ourselves as being part of an ecosystem. In fact, we have a business development team whose sole job it is to go and seek out alliance partners and work with alliance partners where we can add value for our customers by integrating with them.
And also, I think by its very nature, what we do, we have to integrate, because we have to integrate our products with those target systems so that we can do the password rotation and pipe the passwords through. So it's very, very important, but we do have those alliances, because we actually have something called our C3 Alliance, which includes many different organizations that we have integrations with, but also organizations that we just work closely with, so that we can help customers to understand how, by deploying both sets of solutions or multiple sets of solutions with our alliance partners, it can bring them additional value. And I guess, Alexei, do you want to just drill down into any of the particular technology areas there where we add a significant amount of value?
Sure. Hi. So yeah, I would probably focus on three different areas. So the first of those, I would say, is around the IT service management area. So with this, I think Matthias kind of alluded to this earlier, you have to combine your technology processes with your business processes, and what we can do with the IT service management integration, with the likes of the ServiceNows and the Remedies out there in the world, is we can make sure that whenever anybody, whether it's a third party or an internal user, needs to access some form of personal data or to access privileged credentials within the network, we can make sure that they go through the relevant technology process, i.e. through the CyberArk controls we've put in place, and they must have valid business processes. In other words, they've raised a ticket, they've had it approved, and we can validate that in real time.
So whenever anybody wants to access personal data, we know they've gone through the relevant business processes they've put in place. The second key area that I would probably focus on would be around the SIEM solutions, so the ArcSights of the world, the Splunks, and this is really about preventing the breach. So obviously every organization has a number of different security products, each reporting on different indicators within the network that there may be a breach in progress. Now, breaches quite often, as you've kind of already mentioned, Duncan, will go through a process of escalating privilege. Now, by combining these different security solutions, including CyberArk, and sending these logs to a central location, i.e. your Splunk, your ArcSight or any other SIEM solutions, hopefully it allows an organization in most cases to actually pick up on these breaches before they reach the point of compromising that personal data.
And the final sort of key area that I would probably focus on at the moment would be the integration into the likes of identity governance and administration products. So the SailPoints, the RSAs, where those solutions are actually very good at demonstrating the compliance, in other words, documenting who should have access to which type of privileged account, what personal data should be accessed by each team, making sure that you certify these processes, and you have a process in place for providing that real-time reporting of anybody, third party or internal, that can access your personal data at any point in time. So those are the three key areas that I would probably focus on for now.
Okay, great. Thank you for this extensive answer, and that's a really good picture to understand that there's really a way towards a best-of-breed approach across different vendors, also consuming their expertise in the different areas. Another question that I have here, and I'm not quite sure if we are able to answer that, because it goes very much into the legal aspect as well, is: do you see special requirements for the access of HR data, so for managers or HR clerks? If I first of all pick up this question and try to answer it a bit, at least I would like to answer that with all the principles that I mentioned before that are the foundation for the GDPR and how it handles data; these also apply, of course, to staff data, to HR data, to personnel data. So data minimization, for example, and the lawfulness of course applies as well. So we should only expose the data that is required, but whether or not that results in special requirements for access management, I don't know; this is something that should be addressed to the HR team or the legal team within an organization. But I don't know, maybe Duncan, do you have an opinion on that as well?
No, I'm not really sure, Matthias. I think in terms of GDPR, it's personal data, and it comes under the full regulation as any other personal data would do. I'm not sure whether it would be treated any differently from a GDPR perspective.
Right, that would be my expectation as well. But again, that should be addressed by the right professional at that point, and that should be a lawyer. And on top of that, there is very good public information on the GDPR around, including of course the full legislation text, including comments. So I would like to refer to that as well. The same is true for another question that I have, which says: under the GDPR, do companies have to document or disclose data breaches in the annual reports? That goes beyond what the GDPR actually requires, but that should be based on the legislation around the company structure and their publication duties. And that again would be something that I would expect the organizations of the different forms would have to discuss with their own legal department, and I would like to refer that to that as well. I hope that, although it's not answered, that also still answered the question: that there are open questions that need to be clarified with the right qualified people. Another question that I have here is, you mentioned privilege management around general systems, and more and more important, cloud systems. So do you also provide solutions that take care of personal data that is stored in the cloud? Do you also protect this information and detect breaches, for example, when it's actually processed in the cloud?
That's an interesting question. I guess cloud systems, cloud applications, it's just another target system. So you protect the credentials that need to access those target systems, albeit that there are some significantly highly privileged accounts that exist for some of those cloud systems. You can imagine the disruption that somebody could cause if they managed to steal your credentials for your AWS administrator, for example. You're talking about potentially a massive amount of disruption to an organization, so, quite apart from personal data, obviously, I think there are some far-reaching implications to protecting some of those credentials. In terms of architecture for protecting credentials on cloud infrastructure, Alexei, would you like to talk a little bit about that? Maybe a little bit about the deployment architecture? So the CyberArk product can be deployed in multiple architectures.
Yeah, absolutely. So the CyberArk solution is a very flexible solution, and it can be deployed either as a fully cloud-based solution, with all the components actually sitting in a public or a private cloud, or you can take a hybrid approach where you keep the credentials, which are obviously the keys to the kingdom, on-prem, whilst putting the rest of the components into the cloud. But ultimately the purpose is that you can provide the protection to any credentials, whether they sit on-prem or in the cloud, as well as catering for some of the new attack vectors, like the console credentials that Duncan's just mentioned. But it also gives us the ability to detect when new services are being spawned in an auto-scaling process or, essentially, an orchestrated process, and it allows us to keep up with the real-time management of those privileged credentials that is necessary.
And I guess the other thing that's probably worth just mentioning is that, quite clearly, if you are storing personal data in the cloud, then that cloud provider becomes a data processor. So all of the stuff we've been talking about around third parties and back-to-back contracts, et cetera, all applies in that situation.
Okay, great. Thank you. So we are over the hour already, so I want to sum up and close down the session for today. So first of all, thank you all for your questions and for your participation, for all the participants in this webinar. GDPR is a topic that will stay with us, of course. And of course I would like to refer all of us to the EIC conference in Munich in May, where strategies and technologies for becoming compliant will be an important part of the track schedule as well. Thanks again to Alexei and to Duncan of CyberArk. We have some few unanswered questions, unfortunately, but we are already over the hour. And if there are any other further questions, please feel free to get in touch with either CyberArk and Duncan and Alexei, or with us. And before I close down, Duncan, do you want to add anything, some final thoughts, some famous final words, before I close down this session for today?
Yeah. Thanks, Matthias. I guess just thank you to yourself and KuppingerCole for hosting this session. Thank you to everybody who's attended. And I guess my final ask is clearly, you know, remember that no one organization can help you out with GDPR, but most of us can add some value, and significant value in some areas. So if you are interested in us helping you to identify those privileged accounts and those accounts that do have access to personal data, then please do get in touch with us and we can help you understand how you can deploy our DNA tool, and we can help you to do that, or one of our partners can help you to do that. So just thank you very much for your time, and I hope it was valuable.
Thank you very much, Duncan and Alexei. So to all the participants, we would be happy to welcome you in another webinar soon. And of course I'm very much looking forward to meeting some of you in real life at the upcoming EIC. So that's it for today. Thanks to everybody, and thanks for your time and for your participation. Goodbye.