Information doesn’t have A price
For years, nations have used their very special agencies (NSA, DGSE, KGB, etc.) to gather as much information as possible on their enemies, or on their friends (you never know…).
If we look at companies and their battle to become more successful, we notice that information is essential to them: information on competitors, on customers, or even on themselves! And this information is data.
Companies have always wanted to protect their critical data (manufacturing secrets…), but digital evolution has made IT environments complex (Cloud, BYOD…), and companies’ data is now more exposed to cyberattacks than ever. Data theft and data loss do not carry the same risks, but the consequences of either can be really damaging.
What is the competent AUTHORITY doing?
Citizens and companies all have information to protect, and this includes personal data. In France, this data was taken into account and protected as early as 1978 by the French Data Protection and Freedom of Information Law (Loi Informatique et Liberté). Forty years later (notice the reactivity!), Europe took the problem head on by strengthening personal data protection with the General Data Protection Regulation (GDPR) on 25 May 2018.
This strengthening is not without risks for professionals who do not want to deal with it: fines of up to 4% of a company’s worldwide turnover are there to persuade companies to play the game. The goal of this new dynamic is to reverse the power balance between customers and companies: customers’ rights of access, modification, portability and deletion over their data held in companies’ information systems are now stricter.
In practice, GDPR brings such change to companies that some seem lost when looking at what needs to be done. Being able to respond to the GDPR’s new requirements is not an easy task for companies that are not data management specialists.
A BASTION, one BRICK of the GDPR response
There are data management solutions that respond to some of GDPR’s technical and legal requirements. Here we’ll talk about the Bastion solution.
A Bastion is comparable to an airlock where users and targeted servers meet. Through this airlock we can track, in real time or afterwards, who does what, when, where and how. The goal is to detect and prevent potential attacks thanks to an intuitive and dynamic web interface (at least for Wallix, the technology I am using).
A Bastion answers the traceability and security-breach requirements of GDPR through:
- access control for subcontractors and collaborators
- management of privileged accounts and risky users
- creation of password policies
- recording of work sessions and watching them from the web interface, in real time or afterwards
- login tracking
- setting up access rules and alerts on targeted events
- analysis of SSH streams
- statistics, activity reports and metadata export
- delegated administration
Thanks to the information control offered by a Bastion, it is now possible to set up a security policy that meets traceability needs through user control and authentication on servers, as well as protection needs by preventing the risk of security breaches.
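To make the airlock idea concrete, here is a toy model written for this post (it is not Wallix code or any product's implementation): access rules decide who may open which target account on which server and when, every brokered session is recorded as a who/what/when/where/how record, targeted commands in the SSH stream raise alerts, and a per-user activity report is derived from the records. Users, servers and the watch list are constructed examples.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
import re

# Constructed access rules: who may open which target account on which server,
# and during which local time window (hypothetical names, not a real deployment).
@dataclass(frozen=True)
class Rule:
    user: str
    account: str
    server: str
    window: tuple  # (start, end) times during which access is permitted

RULES = [
    Rule("alice", "dba", "db01.example.internal", (time(8, 0), time(19, 0))),
    Rule("bob", "root", "web01.example.internal", (time(0, 0), time(23, 59))),
]

# Targeted events to alert on in the recorded SSH stream (defender's watch list).
WATCHED = [re.compile(p) for p in (r"^sudo\s+su\b", r"/etc/shadow\b", r"^useradd\b")]

@dataclass
class AuditRecord:
    """Who did what, when, where and how, plus the alerts raised on the session."""
    user: str
    account: str
    server: str
    when: datetime
    allowed: bool
    commands: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def authorize(user, account, server, when, rules=RULES):
    """True only if a rule matches the user/account/server triple and the time window."""
    return any(
        (r.user, r.account, r.server) == (user, account, server)
        and r.window[0] <= when.time() <= r.window[1]
        for r in rules
    )

def record_session(user, account, server, when_iso, commands, rules=RULES):
    """Broker one session through the airlock: decide, record, and alert."""
    when = datetime.fromisoformat(when_iso)  # e.g. "2018-05-25T10:30:00"
    rec = AuditRecord(user, account, server, when,
                      authorize(user, account, server, when, rules))
    if not rec.allowed:
        rec.alerts.append("denied: no access rule for this user/account/server/time")
        return rec  # the session never reaches the server, nothing to record
    for cmd in commands:
        rec.commands.append(cmd)
        rec.alerts += [f"watched event: {cmd}" for p in WATCHED if p.search(cmd)]
    return rec

def activity_report(records):
    """Per-user session, denial and alert counts: raw material for the statistics export."""
    report = {}
    for r in records:
        s = report.setdefault(r.user, {"sessions": 0, "denied": 0, "alerts": 0})
        s["sessions"] += 1
        s["denied"] += 0 if r.allowed else 1
        s["alerts"] += len(r.alerts)
    return report
```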
Beyond the Bastion, information control also requires a better knowledge of both personal and professional data content.