“With great power comes great responsibility” are the fictional character Ben Parker’s last words to his nephew, the soon-to-be-famous Peter Parker, more widely known as your friendly neighborhood Spider-Man. While we’re certain Uncle Ben’s character had little knowledge of today’s digital world, his words remain true for its technology enterprises. As they make our day-to-day lives easier with their technology, our comfort and convenience come with a serious responsibility: the huge amount of personal data stored by the enterprises we interact with is, too often, unprotected and vulnerable to malicious acts.
The threat of cyber-attacks led the European Parliament to adopt the General Data Protection Regulation (GDPR). According to the GDPR, enterprises that have the great power of storing personal data that allows the identification of individuals will have the great responsibility (remember poor Uncle Ben!) to protect that data and prevent its misuse. The regulation applies from May 25th, 2018, and enterprises will face sanctions should a violation occur. These fines could range up to €20 million!
So, is this limited to European countries? Unfortunately, no! Any entity that deals with European individuals or bodies while conducting business will be responsible for complying with the GDPR. That means every country that is part of the global economy will have to adjust its own regulations to match GDPR requirements, and this is already happening in the Americas, the Middle East, South East Asia and as far away as the Pacific.
One may ask: how can enterprises embrace their responsibility and play by the new book? Well, nearly half of cyberattacks are caused, intentionally or unintentionally, by users within the enterprises themselves. So, chances are that many enterprises are not deploying measures to secure their environments and are simply hoping for the best. This risky position could easily be averted by the use of PAM (Privileged Access Management) tools. With a PAM solution in place, enterprises can prevent employees from accessing network elements or sensitive data they should not have access to, or limit the actions they are allowed to perform there. PAM solutions are capable of monitoring and logging each and every user’s activity on the network, discouraging any attempt to commit a cybercrime, as the user’s actions will be as clear as day. A PAM solution should be quick and easy to implement and should not slow down an enterprise’s everyday operations.
Another way of dodging the blades of GDPR sanctions is the real-time masking of stored data in order to limit what users can access, without changing either the underlying database or the operation of the user’s application. This is also useful for supplying usable data to an application under development, rather than using the actual personal information stored in the enterprise’s systems. One way of applying data masking is deploying an SQL proxy on the network, which acts as an intermediate layer between the underlying database and the user who issues the query. By masking the stored data through an SQL proxy, enterprises can prevent the direct use of personal information, as the resulting data will be an unintelligible, yet still coherent, version of the original. One may think of this as creating brand-new data from personal data… and there is no GDPR risk if there is no “personal” data, right?
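The SQL-proxy idea above can be shown in a few dozen lines. The following is an added illustration, not code from the original post or from any vendor’s product: a tiny in-process “proxy” that sits between an application and an SQLite database, runs the application’s query unchanged, and masks the personal columns in the result set before handing rows back. The table name, column names, the `MASK_POLICY` mapping, the customer records and the `MASK_KEY` secret are all constructed for the example. Pseudonyms are derived with a keyed HMAC, so the same real value always maps to the same masked value (joins and counts still work, which is the “coherent” property the text describes) while the original cannot be recovered without the key.

```python
import hashlib
import hmac
import re
import sqlite3

# Masking policy: result column name -> strategy. Constructed for this example;
# a real proxy would load it from configuration rather than hard-code it.
MASK_POLICY = {
    "full_name": "pseudonym",
    "email": "email",
    "phone": "phone",
}

# Constructed demo secret. In a deployment this lives in a key store, never
# next to the data, so that masked output cannot be correlated back without it.
MASK_KEY = b"constructed-demo-key-not-for-production"


def _token(value: str, n: int = 8) -> str:
    """Keyed, deterministic token: same input -> same output, one-way without MASK_KEY."""
    return hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:n]


def mask_value(column: str, value):
    """Apply the column's masking strategy; non-PII columns and NULLs pass through."""
    if value is None or column not in MASK_POLICY:
        return value
    strategy = MASK_POLICY[column]
    text = str(value)
    if strategy == "pseudonym":
        # A stable opaque identifier: still usable as a key, no longer a name.
        return f"user_{_token(text)}"
    if strategy == "email":
        # Keep the domain (useful for analytics), replace the identifying local part.
        local, _, domain = text.partition("@")
        return f"{_token(local)}@{domain}"
    if strategy == "phone":
        # Keep the last four digits, blank the rest; preserves the shape of a number.
        digits = re.sub(r"\D", "", text)
        return "X" * max(0, len(digits) - 4) + digits[-4:]
    return value


class MaskingSqlProxy:
    """Intermediate layer: executes the caller's SQL unchanged, masks the result set."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def query(self, sql: str, params=()):
        cur = self.conn.execute(sql, params)
        columns = [d[0] for d in cur.description]
        return [
            tuple(mask_value(col, val) for col, val in zip(columns, row))
            for row in cur.fetchall()
        ]


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample customers (not real people)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, "
        "email TEXT, phone TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Alice Example", "alice@example.com", "+1 555 010 4567", "Berlin"),
            (2, "Bob Sample", "bob@example.org", "+1 555 010 9876", "Lisbon"),
        ],
    )
    return conn


if __name__ == "__main__":
    proxy = MaskingSqlProxy(build_demo_db())
    for row in proxy.query("SELECT full_name, email, phone, city FROM customers ORDER BY id"):
        print(row)
```

Two design points worth noting. First, the application’s query and the schema are untouched: only the result rows change, which is exactly why this can be bolted on without modifying existing systems. Second, this toy keys its policy on result column names, so a query that aliases a column (`SELECT email AS e`) would slip past it; a production proxy therefore has to resolve masking at the level of the underlying table columns, which means parsing the statement rather than trusting the result metadata.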
In less than two months’ time, companies must find a way to safely preserve personal data. There are solutions that can keep you off the GDPR radar and help you save millions of dollars. In addition, vendors are adjusting their solutions to cover more aspects of the regulatory regime than their products currently offer (the data masking described here is a particularly significant example, as an add-on to a conventional PAM offering). Regardless of which vendor an enterprise chooses to work with, action is required in accordance with the new, demanding regulation, and before it is too late.