How to know and control who touches your data

Customer data is one of your organisation’s greatest but most sensitive assets. Protecting this data should be at the forefront of the security team’s mind. With GDPR coming soon, this becomes an even more pressing need.

By Shirley Siluk

Tue 7 Nov 2017 @ 12:57

Keeping your customer data secure and safe from malicious or even incompetent users is always good business. But it’s also imperative for complying with regulations, whether you’re in healthcare, insurance or financial services, or even simply because your customers use payment cards for their bills and fees.

Additional requirements for safeguarding customer data are now fast approaching with the EU General Data Protection Regulation (GDPR), which will be enforced from next May. Under the GDPR, any organisation collecting information about citizens in the European Union must take new steps to ensure that data is not only kept private and safe from breaches but processed in ways that are properly recorded and controlled.

In other words, once you have information about customers in your systems, you need to know where that information is stored, who has access to it, and—if anything in those records is changed—who changed it and when. This is known as ‘file integrity monitoring’.
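The core check behind file integrity monitoring, sketched as an added example (not code from the article or from any monitoring product): take a baseline of each file's hash, permission bits and owner, then compare a later snapshot against it. The function names and the temporary sample directory are constructed for illustration. Attributing a change to a named user additionally requires the operating system's audit log, which this sketch does not read.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Record hash, permission bits, owner and mtime for each regular file under root."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks and device nodes
        state[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),  # who may access the file
            "uid": st.st_uid,                  # who owns it
            "mtime": st.st_mtime,              # when it was last written (for the report)
        }
    return state

def compare(baseline, current):
    """Return sorted (event, path) findings between two snapshots."""
    findings = [("removed", n) for n in baseline.keys() - current.keys()]
    findings += [("added", n) for n in current.keys() - baseline.keys()]
    for name in baseline.keys() & current.keys():
        old, new = baseline[name], current[name]
        if old["sha256"] != new["sha256"]:
            findings.append(("content_changed", name))
        if (old["mode"], old["uid"]) != (new["mode"], new["uid"]):
            findings.append(("access_changed", name))
    return sorted(findings)

def demo():
    """Constructed sample: a temporary directory altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as root:
        payroll = Path(root, "payroll.csv")
        payroll.write_text("alice,4200\n")
        Path(root, "notes.txt").write_text("draft\n")
        os.chmod(payroll, 0o600)
        baseline = snapshot(root)
        payroll.write_text("alice,9900\n")           # record edited
        os.chmod(payroll, 0o644)                     # permissions widened
        Path(root, "notes.txt").unlink()             # file deleted
        Path(root, "export.zip").write_bytes(b"PK")  # unexpected new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for event, name in demo():
        print(event, name)
```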

How do you go about putting such processes in place?

First, it requires recognising what types of data are sensitive, and establishing policies to identify, categorise and properly handle such data. This includes specifying who is and isn’t allowed to access such information, as well as how that information may be shared, altered or deleted. For example, payroll data should be accessible only to employees who handle or approve such payments, and should not be shared or managed via unsecure, unencrypted or unapproved applications or devices.

Next, enforcing such data policies means verifying the identity of those with access privileges, and monitoring their actions to ensure those privileges are not abused. It also means keeping access privileges up to date to avoid ‘privilege creep’, where employees whose roles change might still retain access to data they should no longer have.

Finally, once access to information is properly categorised, controlled and monitored, you’ll need systems that can spring into action if any unauthorised activities threaten your sensitive data. These systems should include real-time alerts for when anything suspicious is detected. In addition, systems should feature automated responses for mitigation and forensics and reporting tools for follow-up investigations or audits.

Thanks to advanced analytics, algorithms and machine learning, file integrity monitoring today can provide deep insights into data access and user behaviour, with valuable details about who’s doing what to which files. Such monitoring tools can let you, for instance, create highly specific policies to watch certain users for unauthorised attempts to launch a particular set of plug-ins.

File integrity monitoring solutions can also help address a number of other challenges, from identifying anomalies in users’ file access behaviour, to pinpointing malware-related registry changes on point-of-sale systems, to quickly obtaining forensic data to check whether sensitive files were leaked after a server compromise.

With support for pre-configured policies and other deployment tools, file integrity monitoring can be set up quickly to work across a variety of operating systems and devices. It can also be customised and fine-tuned to meet an organisation’s unique, granular data monitoring requirements.

Whether you’re looking to comply with existing regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), or preparing for the enforcement of the GDPR next spring, an advanced file integrity monitoring solution can help you keep an eye on who’s doing what with your sensitive data today.

In addition, it can provide ongoing, automated support for tomorrow’s compliance and reporting requirements.