You are on page 1of 6



Copyright Balabit
All rights reserved

After years of preparation and GDPR in and out drafting. Meanwhile. GDPR removes self-assessment as a basis for international data transfer. can help businesses to comply. As such. Not least because bit closer every day. we think it’s the stakes for failure to keep hackers at bay are about to rise markedly. They have to keep a keen behavioral and how behavior-aware security monitoring eye on their privileged users—ensuring they are accessing and using data for the right reasons (and are not hi-jacked technologies. the European one-stop shop mechanism means that a single set of rules will apply for the whole EU. means that it’s time to stop thinking about GDPR and to start acting. With the GDPR horizon getting a The introduction of GDPR means sufficient system security is crucial for any business dealing with European data. the protection of the rights and freedoms of data subjects (as well as the responsibility and liability of controllers and processors) remains untouched . But these secure environments have to allow for operational time to highlight five of the most maintenance. significant aspects of the legislation As such. data exporting organizations that Particularly as they will have just rely on consent to move data outside the EU must now consider whether their data subjects have been informed of the risks of cross- two years to become compliant border data flow. Controller considerations GDPR preserves the concept of personal data processing from Directive 95/46/EC and its corresponding terminology. so that legitimate privileged access users can access the networks that contain the data and work with it. Thereby easing the accountability and data protection. It extends beyond EU controllers and processors to any external organization that has a trading relationship with EU customers. like Privileged Access accounts). the scope of the legislation European Parliament adopted it. Whether acting on the instruction of a third party or alone. when the Council of the European Union and the Although its focus is on the European Union. Management. Instead. GDPR does not solely apply to the 28 member states. But it recognizes both contemporary processing complexity and joint controllers—where two or more controllers (businesses) jointly determine the purposes and means of the processing of personal data. thanks to cooperation between the data protection authorities of member states. with the new rules on transparency. Additionally. associated administrative and financial burden on data controllers and individuals. businesses have to go further than just protecting data through firewalls and the like. the final t’s were crossed and i’s dotted on the General Data 1 of the EU Protection Regulation (GDPR) in April 2016.

an exception: flexibility for companies (Article 10): part of any data protection strategy under GDPR. IP addresses. should the controllers provide assurances access users dealing with it. there are potentially big problems for organizations that online identifiers. erasure. And it will add a new concept that doesn’t exist Similarly. which will reduce the chances of an technical and organizational measures necessary to de-identify data. and the under the previous data directive in pseudonymization. right to be forgotten. Alongside this. as simple as abnormal mouse movement) that indicate a malign presence will become a vital however. the definitions of anonymous and pseudonymous data. and will help data controllers to meet their protection could have a profound impact on the way organizations process log data. rectification. data will cover location and under GDPR. and health-related information). restriction and data portability do not apply Unless the individual provides additional information enabling his or her identification for exercising these rights Controllers should not refuse to accept additional information provided by an individual in order to support the exercise of his or her rights . it’s likely that organizations will have more privileged requests from citizens. the definition of the data it governs will change slightly. and that the regulation will provide detail on what an ‘identifiable person’ collect and manage large amounts of personal data logs (such as email is—using a test that assesses whether or not data is anonymous. GDPR is going to define additional specific categories of sensitive data (including genetic and biometric information). social security numbers. Having the ability to detect the behavioral anomalies (even if it’s surrounding the ability to re-identify individuals in data sets. data controllers could be exempted from data and portability Because the definition of data is widening. Where a controller is not in a position to identify the individual. addresses. as of 25 May 2018. obligations. geolocation. the obligations for access. The two most Because people will be identifiable as data subjects directly and indirectly significant things to consider here are that. For example. There is. individual being named in a data pool. The definition Implications of GDPR 2 of data for log management When GDPR kicks in.

GDPR requires information While these features go a long way in protecting private data. It is generated from the HOSTID and the RCPTID in the format of HOSTID@RCPTID. features. which may include pseudonymization. syslog-ng can now provide a unique ID for each log message using the use-unique global option. can be identified. indexed. Anonymization isn’t feasible if a security team needs to analyze user activity and respond to suspicious behavior. It has a fixed length: 16+@+8 characters. This method of pseudonymization offers the benefit of enhanced security for the original logs. they may not always strike and notification to be provided in clear and plain language that is easily the right balance between protecting an individual’s right to privacy and securing an accessible. . conducting data Database feature. encryption and robust key management procedures. With these and implementing data protection principles before processing. transparency is key. as a one-way transformation of certain fields will remove any chance of identifying the user. So any sensitive data is To ensure compliance. compressed. Processing and How syslog-ng™ can help 3 compliance Naturally. the user can be re-identified. As De-identifying personal data in log messages can be accomplished using the Pattern well as ensuring the correct maintenance of documentation. organizations will have to implement appropriate available only for authorized personnel who have the appropriate encryption key. Both can store log messages securely in encrypted. security measures to protect personal data. When it comes to reporting. A way to avoid this situation is to store the original logs in a secure environment and forward the anonymized logs for analysis by the security team. the parts of log messages containing personal information can be anonymized. By assigning a unique ID for each log message to both sets of logs. the primary concern most organizations will have with GDPR is syslog-ng Premium Edition and syslog-ng Store Box already offer features that help around processing data and the compliance obligations associated with that. personal data such as login credentials protection impact assessments that identify risks to data subjects’ rights. it can be parsed and rewritten. Based on pre-defined text patterns. and time-stamped binary files. organizations protect personal data contained in logs. Once sensitive text is identified. organization’s IT environment. while retaining the ability of security teams to access the private data only when necessary.

infrastructure assets. erasing of their data (without delay) in certain situations. This means that organizations that will be affected New rules on data rights by GDPR have no choice but to adapt their processes and systems to secure network components. and to request the step closer to full GDPR compliance. Because of this focus on accountability. . then the organization must also notify data subjects. That means requiring users with access to personal data to be constantly monitored. when technically feasible to do so. organizations can go one step further in their data protection efforts. Consequently. it’s inevitable Alongside the encryption of personal data. as well as analyzing their behavior for tell-tale signs new internet-specific freedom to move their data from controller to of hacks and hi-jacks. One of the rights guaranteed to data subjects under GDPR is a By effectively managing privileged access users. or €20 million.. Under the forthcoming GDPR rules. Companies to file as much information as they can provide within 72 hours of will need to protect data in a similar (although slightly less strict) way to how they protect critical becoming aware of a breach. which should also include some level of user authorization process. with organizations required to sensitive data. there will be strict data. controllers and processors have to take technical measures to control access timeframes around notifying authorities. AGDPR introduces severe sanctions against data controllers and processors who breach the rules.A vital part of this will be looking at what security technologies can help them to detect behavior that may result in a breach. If hacked data is readable. Time matters Users need monitoring 4 with GDPR 5 more than ever While no organization ever wants to suffer a breach. it’s going to be necessary for many organizations to designate a Data Protection Officer to keep Why it pays to act now up with GDPR compliance. But it’s not only reporting to the authorities that matters. And one controller. GDPR requires the restriction of access to personal that some will. enabling national data protection authorities to impose fines ranging between a maximum of 2% or 4% of annual worldwide turnover.

and so on. In this case. You can replay the helps recorded sessions in your browser or in a separate application just like a movie—all the data processors’ actions can be seen “Four eyes” authorization exactly as they appeared on their monitors. PSM is an The authorizer also has the option to monitor the work of the trails activity monitoring appliance that controls administrator in real-time. PSM supports Balabit’s Privileged Session Management the four-eyes authorization principle. PSM access rights management . personal data actions. In addition. PSM monitors privileged activity in real-time and detects behavior anomalies as they occur. User activity records (audit trails) records activities in searchable. Consequently. PSM can store the audit trails in a highly confidential intruders or from non-authorized users. it records way—in an encrypted. most rigorous laws and national security certifications. multiple decryption keys are needed to replay the Prevention of malicious audit trails. as though watching the same screen. time-stamped and digitally signed format. The CRM servers (for example). such as passwords.How Central access policy Tighter employee & data enforcement processor control Privileged PSM acts as a centralized authentication and access-control PSM audits “who did what” on systems like your database or Session point in your IT environment. It records all sessions in searchable granular access management helps you to control who can audit trails.makes PSM compliant with the can send you an alert or immediately terminate the connection. companies have to ensure the strict protection of activity PSM isolates your data processing systems from unknown records. forensics or troubleshooting situations. so a single auditor cannot access all information activities about activities and accessed data. . client data. PSM uses multiple keys to encrypt audit trails. Tamper-proof audit requirements set by GDPR. Advanced protection of like audit trails. and prevents malicious credit card information. This is achieved by requiring (PSM) can be a good fit to meet the an authorizer to allow administrators to access the server. In case of detecting a suspicious user This extreme level of data security—together with granular action (for example accessing credit card information). From the Data Protection Regulation perspective. auditors as well. the challenge privileged access to remote IT systems. The four-eyes principle can be used for the help to create a data breach report within the required 72 hours. which improves data security. all authorized access to sensitive data and provides actionable so not even the administrator of the PSM can tamper with the information in the case of human errors or unusual behavior. movie. It can audit information. can contain a great deal of personal data. To prevent unauthorized access or human error. is similar to log management. making it easy to find relevant information in Management access what and when on your data servers.