Because cyberthreats to data and privacy are ubiquitous, cybersecurity needs to be a part of every corporate network – and of course, protecting the personal, financial, health, and other data held by corporations is of paramount importance. Aside from the loss of the data itself, though, executives must also contend with another serious issue: The financial costs of a data breach, in terms of both damage mitigation and the penalties that will be assessed by various governing agencies should the company not have been compliant with appropriate regulations and laws.
The costs to a company of being found in non-compliance with appropriate regulations are high. In two recent examples, Equifax agreed to a $575 million settlement for not taking adequate steps to protect its network prior to its 2017 data breach, while British Airways was fined approximately $230 million for GDPR violations in connection with a cyber incident reported in 2018.
Non-Compliance Can Be Costly
Indeed, not only are the potential penalties for non-compliance high; the list of different regulations that must be adhered to is long. GDPR and NIS (Network and Information Systems) directive are European in origin, but impact all companies operating in that market. In the United States, companies must comply with both federal and state regulations as well as industry-specific standards, including HIPAA, HITECH, and SOX, and PCI-DSS.
Compliance Can Seem Intimidating – But Needn’t Be
Knowing which regulations and standards a company must adhere to is important, but it can also be somewhat daunting. Furthermore, actually implementing the proper controls and security can appear both overwhelming and costly, particularly to executives charged with the responsibility of compliance, but it can be simplified to a large extent by understanding what all cybersecurity regulations have at their core: That only the right people, at the right time and under the right circumstances, should have the privilege to access sensitive systems and data – and that access should be traced.
As a quick illustration, we can look at a cross section of regulations and standards and see how privileged access issues cross boundaries:
- Article 29 of GDPR requires that data processors access only the data they need for their task
- ISO 27001 Annex 9 provides many standards on privileged access, including “need-to-use” language
- HIPAA requires restricted access and use of healthcare data based on user roles
- PCI-DSS requires that users have privileged access to only the least amount of data necessary to perform their jobs
While not exhaustive, of course, this short list is illustrative of the fact that most, if not nearly all major security standards and regulations require some measure of access control. The core premise of providing privileged access only when it’s appropriate crosses many subsections of requirements across an array of industries and regions – and it is also what lies at the heart of privileged access management (PAM). In order to provide proper PAM – and in turn to ensure compliance with critical cybersecurity regulations – a PAM solution needs to comprise both access management and session management. Both are important for security – and with the proper features, they provide crucial assurance of controlled access and compliance in the face of an audit.
PAM and Compliance
Access management and session management work together to providie real-time views into – and control of – what’s taking place on a network. Access management helps to ensure the principle mentioned above: That only the right people, at the right time and under the right circumstances, have the privilege to access sensitive systems and data, which it does by (among other things) assigning the kinds of privileges need to access all resources, as well as assigning those various privileges to the appropriate users. Session management, as the name suggests, provides a real-time view and full OCR recording of all session activity within the network – meaning that security teams can be alerted to suspicious activity as it’s happening to either validate or terminate the activity, or reviewed later for audit and training.
Preserving History So You Don’t Repeat It
From a compliance perspective, these kinds of safeguards help to ensure that regulatory and standards-based requirements are always met. But there’s another layer to a full-featured PAM solution that’s equally important for compliance: Preserving all session and access history. This is important, of course, from both a security and a training perspective. But it’s also required by cybersecurity regulations, either explicitly or as a way of providing a mandatory audit trail both internally and for when the external auditors come knocking.
And having session and access history is not only important for periodic scheduled audits: In the event that a data breach does occur, proper history can show what happened, enabling better security in the future, as well as demonstrate to external auditors that appropriate regulatory safeguards were in place at the time of the incident – which can help to mitigate or eliminate regulatory penalties that might have been imposed should the company not have been able to prove, via audit trail, that such safeguards were in place.
Some Things are Certain
There’s no doubt that Big Data will continue to get even bigger, leading to higher mitigation costs of a successful breach. And there’s also little doubt that the global regulatory environment will become increasingly complicated as time goes on, with higher penalties assessed for firms that cannot prove compliance. A proper PAM solution helps on all fronts, by providing security that safeguards the network and meets compliance regulations. It’s a win-win for executives that need to be concerned with both security and costs, and its importance on both fronts cannot be dismissed – and there’s no doubt about it.
Schedule a demo with WALLIX's PAM experts to learn how you can achieve regulatory compliance through robust access control