How companies approach data security controls is changing. Segregation of Access (SoAx) is now just as critical as Segregation of Duties (SoD). Who sees sensitive data is just as important as who changes it.
And just to make sure organizations take access controls seriously, regulations such as GDPR are inflicting major penalties for breaches of private data. And soon, it won’t just be about breaches, it’ll also be about fines being levied for data security audit failures.
When GDPR was enacted, there was alot of confusion around the penalties that would be associated with the exposure of sensitive data. Many companies took a wait and see approach in lieu of enacting data protection measures. Especially around legacy applications, such as ERP systems, where the keys to a company’s kingdom are typically stored.
Couple of reasons. Most companies don’t even have a handle where their sensitive data is even stored. And, in addition, most companies don’t focus on regulatory controls until the penalties are real.
GDPR penalties are real. The penalties associated with many of the state-driven data privacy regulations are real. And now we have some guinea pig companies that show just how real they are.
GDPR was enacted in May of 2018. It took a year before the Information Commissioner’s Office (ICO) nailed a company for a breach of sensitive data.
In 2019, British Airways was hit with a proposed fine of $230m for the exposure of sensitive information. Less than a week later, a second culprit was reported. The ICO has proposed a $124m fine to be assessed to the Marriott hotel chain related to the exposure of sensitive data in over 339 million guest records.
But that’s a European regulation that doesn’t apply to us.
We hear that alot. So, let’s talk about some of the recent US-based breaches and their associated penalties.
In 2013, Yahoo was fined $35m by the SEC and paid an additional $50m in a class action suit for a major exposure of customer data.
In 2015, health insurer Anthem was fined $16m for violating HIPAA regulations and allowing the breach of over 79 million customer records. And that was in addition to the $112m they paid to settle a national class action suit.
In 2017, a breach of Target’s customer information was settled for a $18m fine.
Uber, in 2018, was fined $148m for a major breach of driver and rider records. An unusually large fine for that time that was increased due to their efforts to cover up the breach.
The key takeaway is that, while some of those US fines are relatively low when compared to the GDPR offenders, that is changing. With the introduction of the California Consumer Privacy Act and other state initiatives, fines are being structured to follow the GDPR model. That is they will be calculated as a percentage of an organization’s revenue.
All of sudden that $18m that Target paid blows up to hundreds of millions of dollars.
Still want to take a wait and see approach?
Contact us to see how Appsian can help you address your data security controls.
Do You Even Know What and Where It Is?
Not too long ago, I was involved in the war room activities surrounding the breach of a major travel company. A breach that not only led to the exposure of sensitive information, but also to the use of that information to subvert the international travel infrastructure (yes, I’m being cagey with details here.)
A war room, in this instance, is an immediate incident response step and is typically a dedicated conference room full of ‘smart’ people that is setup to lead identification and remediation activities around a suspected or confirmed security breach.
Once the firefighting was done and the immediate threat remediated, the team moved into forensics mode, where the questions moved from ‘what happened?’ to ‘how did this happen?’.
In the course of that activity, the CISO of the company was brought in. In addition to questions around security policies and response capabilities, two key questions were asked:
“Where do we have exposure to the hacking of data we categorize as sensitive to our customers, employees or partners?”
“What controls are in place to secure that data?”
In essence, his answers were:
“If you’re asking for an inventory of where sensitive data exists, I’d have to partner with the application teams to determine that.”
“As far as controls, we have a pretty strong network perimeter. But, again, I would have to partner with the application teams to ascertain what controls are in place at that level.”
That CISO is no longer employed by that travel company.
Let’s talk about the role of the Chief Information Security Officer (CISO)
Presumably it is a position that leads the charge to ensure that the organization is adequately protecting all data that is proprietary and/or necessary to conduct business operations. That casts a pretty wide net.
But that net, in addition to proprietary business intellectual property, clearly includes customer, partner and employee data. The compromise of any of these can lead to major impacts to business operations.
A phishing attack yields the credentials of an application-level, high privileged user? Well, that application is essentially ‘owned’ by the bad guy. What kind of damage can they now do?
Even the compromise of lower level users can lead to a bad guy being able to escalate privileges and/or leap frog across other applications in the enterprise.
Aside from the potential for business disruption, the exposure and malicious use of sensitive data can lead to major financial losses and regulatory penalties for any organization.
Data awareness is a critical component of today’s CISO responsibilities. Knowing where your sensitive data lives is key. Knowing the mechanisms of how it’s accessed and managed is just as key.
In the current compliance environment, data privacy is a hot button that is shaping many of the new regulations around the digital economy. Whether it be GDPR, the California Consumer Privacy Act or the multitude of other mandates on how companies will be required to support data privacy, the anticipated responsibilities of the CISO are evolving well beyond having a handle on your network protection controls.
Application awareness is becoming a necessity. Understanding what applications are housing sensitive data; whether it be a legacy ERP system or a cutting-edge cloud application, will be an inventory a CISO will be expected to maintain.
Contact us to see how Appsian can help inventory and address your sensitive data exposure in ERP applications.
The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 and made a far-spreading impact on how organizations record, manage and process personal data of European citizens. As an organization leveraging PeopleSoft, you house personally identifiable information (PII) on hundreds of pages, making your PeopleSoft applications a crucial variable in regards to sustaining GDPR compliance. Even though the security of your PeopleSoft applications has always been your priority, GDPR just upped the ante! Non-compliance with several clauses in GDPR can potentially knockout significant profit margins – 4% of global revenue or € 20 million to be precise.
Discover a data breach? The clock is NOW ticking!
Imagine all the chaos a data breach brings – the investigation, remediation, financial liabilities, and the overwhelming task of drafting an internal and external communication plan. The timeline of this process was previously driven by your organization – now that GDPR is in effect, communications with affected parties and relevant regulatory agencies all must be completed before the GDPR hourglass empties, i.e., in 72 hours. GDPR’s mandate is a clear message that the ‘wait and see’ approach that organizations could once get away with is no longer going to work! To establish compliance with GDPR, organizations need to evaluate all possible means that data can be breached, leaked, or manipulated and focus on equipping their PeopleSoft applications with internally layered security features, most specifically enhanced logging, in an effort toward being proactive rather than reactive.
Step 1 to GDPR compliance is getting to know your data
Your PeopleSoft applications are inherently built with robust security features, but modern threats demand data security be taken beyond the standard User ID/Password model. Under GDPR, more PII translates to more liability. Therefore, it’s crucial that organizations:
- Establish measures to track the lifecycle of sensitive data in their PeopleSoft applications
- Define control protocols on how and by whom PII is accessed
- Limit unnecessary exposure of sensitive information
For access controls to be effective, each user’s activity and transaction data must be available for tracking and monitoring by security teams so they can identify and remediate a breach effectively and efficiently.
High-level logging is NOT enough
Unfortunately, out-of-the-box PeopleSoft applications are only capable of high-level logging (login and log out instances), and that information is not sufficient for identifying what specific data fields may be compromised, who has viewed it, and when a user may have viewed specific data. This context is necessary for piecing together the narrative for effectively remediating a breach, and thus, making the initial steps towards complying with GDPR.
How GreyHeller’s Application Security Platform can solve the challenge
The key to preparing your PeopleSoft applications for GDPR is equipping them with advanced and robust security measures, that not only help you prevent a breach but allow you to detect and react to it promptly. With GreyHeller’s Application Security platform (ASP) organizations can effectively control the unwanted exposure of PII and accelerate breach detection and remediation. ASP enables security teams to gain maximum influence over what data is accessed, by whom, and how it is used.
Record each transaction as it happens
Designed to log field level transaction activity, ASP provides you with all the details you need to identify a data breach in time and fulfill the requirements imposed by GDPR. The logging features record all transactions within PeopleSoft on a granular level, providing information on what data was accessed, where it was accessed from, user ids and IP address effected and more.
Seeing is believing
The ASP also features an integrated analytics extension that uses the enhanced logging data to populate and display access activity on engaging dashboards. Comprising of elegant charts, graphs, and maps – these dashboards can be grouped by usage patterns, access trends, geographical locations, etc. to gain a holistic picture of user activity in a single view. The dashboards are equipped with deep drill-down capabilities, allowing security teams to investigate the activity and perform root-cause analysis thoroughly.
We are here to answer any questions you may have – Get a free security consultation for GDPR compliance today or write to us at firstname.lastname@example.org.