May 25, 2018 is the enforcement date of the European Union’s (EU) General Data Protection Regulation (GDPR). GDPR enforces new data protection standards and is having a major impact on the way organizations acquire and manage data. For many organizations, this fast-approaching deadline is the biggest IT event since Y2K. (Yes, I’m really that old.)
It’s almost impossible to have missed some of the major failures to manage personal data that have happened recently. In the past month we saw Mark Zuckerberg testify before a US congressional committee about the release of 87 million Facebook users’ data to the political consultancy Cambridge Analytica, triggering widespread concern and scrutiny from regulators, lawmakers, and consumers around the world regarding how organizations should handle personal data.
“To what degree will GDPR impact Facebook’s European user count?” — TechCrunch (@TechCrunch), April 25, 2018
Many falsely think that GDPR doesn’t apply to non-European organizations
GDPR covers every entity worldwide that creates, retains, processes, transmits, or controls data pertaining to any EU resident, employee, or “natural person” (defined as any individual), so a large share of organizations are affected by GDPR in some way, regardless of their size or location.
Frequently, I’m asked how GDPR will impact security monitoring teams; this is where compliance becomes complicated. GDPR covers the data you control for external users. But it also covers the data you control for everyone else under the GDPR mandate, including employees, contractors, and partners, as well as individuals’ data held in your cloud providers such as Salesforce, Workday, and Dropbox.
To complicate matters further, GDPR is far less prescriptive in its regulations than one might expect, giving EU member states more leeway to fill in gaps with their own legislation. What is clear is that GDPR requires organizations to carry out effective security monitoring (see Articles 5(2) and 30).
The role of security monitoring in GDPR
Chances are your organization is already collecting sensitive information. For instance, you might be tracking the websites your employees visit. Some organizations may mistakenly conclude that they can’t collect browser information, or that they need to disassociate such information from users. Yet both of these actions undermine your ability to effectively monitor and secure your organization, so neither is acceptable. The solution is simple, and the good news is that you’re most likely already doing it.
Robust role-based access controls in front of your monitoring solution, together with masking of personal data, are the primary mechanisms that prevent open access to the data you collect. A good secondary control is to “watch the watchers”: keep logs of what analysts do and which investigations they run. GDPR requires that monitoring data be used only for the purpose for which it was collected. Such data can be used for security purposes, but nothing else.
GDPR requires security monitoring that does not violate its privacy rules
I frequently hear that users need to give permission before they can be monitored. While GDPR does require consent from an individual to process their data (which security monitoring implicitly does), there are exceptions under which explicit permission is not needed.
Security monitoring is an essential part of protecting data. By monitoring access to the data and to the IT systems that process and store it, you can prevent data breaches, identify when a breach has occurred and what data was lost, identify who is responsible, and limit the impact on your organization.
Monitoring is designed to protect those whose data you retain, including your employees. That is a valid justification even when there is no explicit approval to monitor. Some might argue against this, but the alternative (such as employees opting out of monitoring) isn’t an option. Consider, for example, monitoring for a malicious third party stealing an employee’s credentials: not only is such monitoring required by GDPR, it is what stops that threat from becoming a reality.
Furthermore, through the use of machine learning and behavioral modeling, it’s possible to deliver meaningful detection value from anonymized data. Personal identifiers are obfuscated first; the obfuscated data is then baselined, and anomalous activity is identified against that baseline. Each such activity adds to a risk score. Once enough risky, abnormal behavior has accumulated to provide reasonable suspicion, an incident can be opened and the user’s data escalated to a Data Privacy Officer (DPO) to be unmasked and investigated.
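The obfuscate, baseline, score and escalate flow described above, with the “watch the watchers” audit trail from the earlier section, as an added example that is not code from the post; the HMAC key, the risk weights, the escalation threshold, the business-hours window and the sample login events are all assumptions made for the illustration.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample events (user, login_hour, source_country); not real data.
BASELINE_EVENTS = [("alice", 9, "DE"), ("alice", 10, "DE"), ("alice", 14, "DE"),
                   ("bob", 8, "FR"), ("bob", 17, "FR")]
LIVE_EVENTS = [("alice", 11, "DE"), ("alice", 3, "RU"), ("alice", 4, "RU"), ("bob", 9, "FR")]
RISK_WEIGHTS = {"off_hours": 20, "new_country": 40}   # hypothetical weights
ESCALATION_THRESHOLD = 60                             # hypothetical threshold

class Pseudonymizer:
    """HMAC-SHA256 pseudonyms. The key stays with the DPO; analysts only see tokens."""
    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}   # token -> identity, held on the DPO side only
        self.audit = []      # every unmask request is logged: "watch the watchers"

    def token(self, user: str) -> str:
        t = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[t] = user
        return t

    def unmask(self, token: str, incident_id: str, requester: str) -> str:
        self.audit.append((incident_id, requester, token))
        return self._reverse[token]

def build_baseline(events, pz):
    """Per-pseudonym profile of source countries seen during a clean learning window."""
    base = defaultdict(set)
    for user, _hour, country in events:
        base[pz.token(user)].add(country)
    return base

def score_events(events, baseline, pz):
    """Accumulate risk per pseudonym; open an incident only once the threshold is crossed."""
    scores, incidents = defaultdict(int), []
    for user, hour, country in events:
        t = pz.token(user)                        # analysts never see the raw user name
        if not 6 <= hour <= 20:                   # outside the assumed business-hours window
            scores[t] += RISK_WEIGHTS["off_hours"]
        if country not in baseline.get(t, set()):  # country never seen in the baseline
            scores[t] += RISK_WEIGHTS["new_country"]
        if scores[t] >= ESCALATION_THRESHOLD and t not in incidents:
            incidents.append(t)                   # only now is the token handed to the DPO
    return dict(scores), incidents
```

Only tokens on the incident list are ever passed to `unmask`, and each call leaves an audit record naming the incident and the requester.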
Expect initial resistance
Change is hard. It seems reasonable to expect that some EU countries will initially resist security monitoring. This isn’t necessarily driven by GDPR itself, but may result from other stakeholder concerns, such as those of German works councils and French unions.
GDPR states that security monitoring should be risk-based (Article 32). An adaptive, risk-based approach built on advanced analytics is more effective than a traditional SIEM based on static correlation rules. Because an adaptive, analytics-led approach doesn’t single out an individual for investigation until there is a significant reason to do so, organizations that employ it tend to do far less speculative searching through personal data; explaining this to a stakeholder almost always allays their concerns.