13 Big Bets Security Vendors And Partners Have Made To Help Customers Become GDPR Compliant
More Data, More Problems
Vendors and solution providers have looked to make GDPR compliance easier for customers by rolling out capabilities that assess where GDPR-relevant data resides, put users' consent preferences into action, provide users with a view of all the data an organization has about them, and devise a game plan for managing GDPR data going forward.
The General Data Protection Regulation was adopted by the European Union in April 2016, with enforcement slated to begin this Friday. The rule aims to give EU citizens and residents greater control over how their personal data is used.
To better address GDPR's robust requirements, security companies have made it easier to identify and isolate unstructured data, retain recordings in region of what IT administrators are doing, and put thresholds in place so that organizations are more focused on areas with clusters of personally identifiable information (PII).
From making it easier to anonymize personal information to a consulting approach that goes beyond legal risks, here's what 13 vendor and solution provider CEOs and technical leaders said they are doing to streamline GDPR compliance for their customers.
Advanced Policy Manager
The Janrain Advanced Policy Manager allows enterprises to define how policies around consent are used and enforced, with a real-time rules engine querying the data once it's been accessed, according to Jim Kaskade, CEO of the Portland, Ore.-based company.
Once consent is revoked, Kaskade said the Advanced Policy Manager is often programmed to remove data from downstream systems so that there's no risk of it being used improperly.
Janrain launched the offering on May 25, 2017, a year to the day before enforcement of GDPR takes effect, and it is being used to administer and audit policies around GDPR, according to Kaskade.
Specifically, Kaskade said the central administration and granular control provided around each element of personal information (e.g., a user can consent to having their name used, but not their address) was informed by the upcoming regulation.
Assessment Showing Where In A Business GDPR Data Resides
Digital Guardian has for the past year offered through the channel a packaged assessment that partners can use to scan for GDPR projects at customer sites, according to Marcus Brown, vice president of global channels for the Waltham, Mass.-based company.
The fast-to-implement assessment tool quickly scans for GDPR data and creates a report showing what kind of sensitive GDPR data has proliferated around the enterprise, which Brown said gives clients a clear understanding of their current level of risk. The assessment is very relevant for GDPR, Brown said, since companies need to understand where breaches can occur in order to prevent them.
The assessment is available in Europe and has proven to be very popular in the region, Brown said, with customers using it to get an initial handle on what their exposure is around GDPR. The tool has also generated strong follow-up business, Brown said, with many clients opting to implement a more complete offering for ongoing visibility and protection.
Authentication System Being Rebuilt Using A Distributed Ledger
SecureKey Technologies is rebuilding its authentication system to satisfy regulatory privacy-by-design requirements and eliminate any visibility of data whatsoever in a centralized node, according to Greg Wolfond, CEO of the Toronto-based company.
To ensure there's triple-blind privacy, Wolfond said SecureKey is rewriting the authentication system using blockchain or distributed ledger methodology. Once the work is done, Wolfond said the network in the middle won't be able to see any data, either encrypted or unencrypted, and the central node won't know where a user is going when they're logging into tax or unemployment systems.
Everything SecureKey has done around the rebuild is aligned with GDPR's position that consumers need to be in the middle of their data and consent every time their data is being shared, Wolfond said. The three-year rebuild is expected to be complete in the fall, Wolfond said, and required collaboration with SecureKey's banking partners since they'll need to be able to interact with the system.
Baseline Assessments To Define GDPR Responsibilities
Accudata Systems offers baseline assessments to help customers get some understanding of the extent of the remediation they would have to undertake in order to be GDPR compliant, according to Paul Kendall, advisory services principal for the Houston-based company, No. 200 on the 2017 CRN Solution Provider 500.
A typical baseline assessment involves going in and doing extensive interviews on both the business and IT side with the goal of figuring out what data is being captured, where it's coming from, and how it's flowing through the organization, Kendall said.
From there, Kendall said Accudata develops a gap assessment to tell clients where they're at currently, what GDPR requires, and what it would take for them to get there. Accudata usually tries to prioritize the improvements based on the client's circumstances and the level of complexity that's required for them to become compliant, Kendall said.
Crawler On DLP Product Looking Specifically For GDPR Data
In addition to having a desktop agent and blocking items going out the door, Forcepoint's DLP (data loss prevention) product offers a crawler, which is software a client can sic on their network to look at file shares, network folders, and inside databases, according to Allan Alford, CISO at the Austin-based company.
Forcepoint implemented a crawler in the first half of 2017 that looks specifically for GDPR types of information and data, Alford said. All the user has to do is name the country and the type of information they're looking for (such as all instances of personally identifiable information as defined by the French government), he said, and the crawler will hit databases and find this information for the customer.
"This tool is a real leg up," Alford said. "It's a very successful and useful tool, and not a lot of vendors are doing this particular thing."
Data Governance Offering
Ping Identity's data governance offering provides fine-grained access based on either static or dynamic rules, according to Baber Amin, market leader in the office of the CTO for the Denver-based company. The offering reads consent information that was already captured, and based off of that, the client is able to make a real-time decision as to what kind of data can be used in what manner, Amin said.
Up until now, Amin said customers have primarily been looking to what data they have and where they have it in order to figure out what kind of system they need to put in place. Ping Identity is just now starting to see more actual spending on technical controls, which aim to address how a company wants to manage its data going forward, according to Amin.
Amin expects most of the spending around technical controls to happen in the second half of this year, with an emphasis on strong authentication, strong encryption protection to secure data at rest, and examining the governance aspects of the data layer.
Discovering And Mapping Out Data
The initial stages of GDPR compliance are really focused around discovery and mapping, with organizations figuring out where their data is, how it moves around the organization, and categorizing the data and data flows, according to Ken Phelan, CTO of Montvale, N.J.-based Gotham Technology Group, No. 188 on the 2017 CRN Solution Provider 500.
Organizations often find that their data story is much more complicated than they initially thought, with the boundaries of where their data resides extending far beyond structured databases into unstructured spreadsheets and shadow IT applications such as Dropbox, Phelan said.
Customers inherently rush toward network segmentation and east-west firewalls whenever they encounter a problem with their data flows, according to Phelan. But far more often, Phelan said it's a problem around privileged access and controlling who has control, since once a user gains administrative access rights, it's pretty much game over.
A Holistic Consulting Approach That Goes Beyond Legal Risks
Big customers who are most concerned about the impending GDPR regulations have already spent a lot of time looking at the legal ramifications and are now looking to get a more holistic view, according to Juha Sallinen, founder and CEO of Espoo, Finland-based solution provider GDPR Tech.
GDPR Tech provides clients with a big picture view, Sallinen said, focusing not only on the legal aspects, but also on security, information governance, and people and processes.
For clients that haven't done GDPR prep, Sallinen said GDPR Tech runs a couple of workshops covering the most important issues since many of these companies lack information governance and haven't had any kind of documented risk assessment. From there, GDPR Tech attempts to help clients understand where data comes into the company, and what kinds of risks they have when they're hiding that data.
Privacy And Profile Management Dashboard
ForgeRock's privacy and profile management dashboard is an extension of the company's existing identity management module, which enables organizations to manage, from a single location, the entire lifecycle of an individual, their devices, and the services they have access to, according to Nick Caley, vice president of financial services and regulatory for the San Francisco-based company.
The company has long focused on helping firms master identity by taking people coming through different lines of businesses and joining them up internally to provide companies with a single view. Now with the new dashboard, ForgeRock has extended that single view to the end user, making it easier for firms to fulfill GDPR requirements around giving users access to an organization's data about them.
The dashboard provides end users with visibility into how a business is using data about them both in relation to internal processing as well as which third parties they're sharing that information with, Caley said. By automatically providing customers with this level of visibility, Caley said they would have less of a reason to file a subject access request for the data.
Project Portfolio Management
To comply with privacy policies including GDPR, CA Technologies is now allowing businesses to anonymize personal information for inactive resources in its Project Portfolio Management (PPM) toolset. Authorized administrators or managers are also able to anonymize custom resource data, according to CA Technologies.
The resource ID, first name, middle name, last name, and email address are now all anonymized, with resource information appearing scrambled with serialized code values. Personal data for customers is no longer accessible in various parts of the website including contact information, user information, audit trail data, rate matrix, billing data, and conversations, CA Technologies said.
CA Technologies is also adding a feature in the PPM tool to make it easier for businesses to delete data when it's requested by the data subject, according to Christoph Luykx, chief privacy strategist for the New York-based company.
SecurityIQ Sensitive Data Discovery Ruleset
One of the biggest gaps SailPoint is currently seeing in enterprise security is around understanding who has access to files and file storage systems, according to Paul Trulove, chief product officer for the Austin-based company.
In the fourth quarter of 2017, SailPoint began shipping a version of its SecurityIQ identity governance tool with a new GDPR policy with pre-canned rules for unstructured data, Trulove said. The GDPR implementation runs against an organization's file storage environment and helps isolate instances of unstructured data or data that's residing outside of where it's intended to be.
All told, Trulove said the sensitive data discovery ruleset allows SailPoint and its customers to home in on areas where there's a very high likelihood that an audit would find a compliance gap. Customer receptivity to providing more complete coverage around regulations such as GDPR has been very positive, according to Trulove.
Session Recordings That Always Remain In Region
CyberArk has long produced for its clients session recordings of what the customer's IT administrators are doing, which need to be stored somewhere, according to David Higgins, director of customer development, EMEA for the Newton, Mass.-based company.
As a byproduct of the IT administrator's role, Higgins said they may be looking at user data, which in turn means that a recording of the session is actually capturing their data. To comply with GDPR, Higgins said CyberArk has begun offering clients the ability to keep those sessions in region, ensuring that critical user data remains in the European Union and doesn't end up being stored in the U.S. or Asia.
The geographic controls were introduced last year, and Higgins said the modular design of the toolset made it relatively straightforward for CyberArk to control where data is flowing without having to go through a major re-architecture.
Templates That Search For GDPR Classified Data
Druva rolled out a template a few months ago that allows businesses to search across their entire ecosystem for GDPR-relevant data rather than having to do separate configuration for each characteristic of GDPR data, according to Dave Packer, vice president of product and alliances marketing for the Sunnyvale, Calif.-based company.
In order to build out the template, Packer said Druva needed to go through the entire tome of EU countries and understand the various elements that make up identifying information and therefore need to be tracked. From there, Druva built out a template to identify those elements, and provided thresholds so that the focus is on masses of sensitive data rather than each individual instance.
For instance, a single driver's license number on a user's machine may or may not be problematic, but ten driver's license numbers on a single machine is a good indication that a user has access to a sensitive file, Packer said. Druva has tweaked its parameters to be more efficient and minimize the likelihood of false positives and false negatives while still capturing presumptive violations, he said.
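The threshold approach Packer describes, counting distinct identifiers per machine and reporting only clusters, is illustrated below as an added example. It is not Druva's code or template: the identifier formats, the host inventory and the threshold of ten (taken from the example in the text) are all constructed for the demonstration.

```python
import re
from collections import Counter

# Identifier patterns. The licence format (two letters, six digits) is a
# constructed placeholder, not any real country's scheme; a production
# template would carry one pattern per country and identifier type.
PATTERNS = {
    "drivers_licence": re.compile(r"\b[A-Z]{2}\d{6}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Minimum number of distinct identifiers of one kind on a single machine
# before that machine is reported. Ten follows the example in the text.
DEFAULT_THRESHOLD = 10


def count_identifiers(files):
    """files: mapping of path -> text for one machine.

    Returns a Counter of kind -> number of *distinct* identifier values seen
    across all files, so a repeated record does not inflate the count."""
    seen = {kind: set() for kind in PATTERNS}
    for text in files.values():
        for kind, pat in PATTERNS.items():
            seen[kind].update(pat.findall(text))
    return Counter({kind: len(vals) for kind, vals in seen.items()})


def flag_machines(inventory, threshold=DEFAULT_THRESHOLD):
    """inventory: mapping of host -> {path: text}.

    Returns a sorted list of (host, kind, count) for every identifier kind
    whose distinct count on that host reaches the threshold. A single stray
    number stays below the bar; a bulk export crosses it."""
    flagged = []
    for host, files in inventory.items():
        for kind, n in count_identifiers(files).items():
            if n >= threshold:
                flagged.append((host, kind, n))
    return sorted(flagged)


# Constructed sample inventory.
# ws-01 holds one licence number in a note: incidental, below threshold.
# ws-02 holds an HR export with 12 distinct numbers plus one repeated row.
SAMPLE_INVENTORY = {
    "ws-01": {
        "notes.txt": "Called back AB123456 about the parking permit.",
    },
    "ws-02": {
        "hr_export.csv": "\n".join(
            f"emp{i},AB{100000 + i:06d},emp{i}@example.invalid" for i in range(12)
        ) + "\nemp0,AB100000,emp0@example.invalid",
    },
}

if __name__ == "__main__":
    for host, kind, n in flag_machines(SAMPLE_INVENTORY):
        print(f"{host}: {n} distinct {kind} values")
```

Counting distinct values rather than raw matches is what keeps the heuristic honest: a log file that repeats the same identifier a thousand times is one record exposed, not a thousand, and should not be reported ahead of a spreadsheet holding ten different people's data.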