WHITEPAPER GDPR Compliance With Varonis



Contents

Overview

Basic Identification

Identification and Risk

Prevent

Maintaining Least-Privileged Access

Minimize Sensitive Data

Right to be Forgotten

Monitor

Other Considerations

Get a GDPR Readiness Assessment


Overview

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will finally go into effect. It will be the most dramatic change in EU data security and privacy law in over 20 years. Replacing the 1995 Data Protection Directive, the GDPR enhances existing data security and privacy protections and adds some significant new requirements, including 72-hour breach notification and administrative fines of up to 4% of worldwide annual turnover.

The GDPR is not a completely new model for data security but instead builds on ideas from Privacy by Design (PbD) and other data security principles. Broadly speaking, you could say that the GDPR simply turns established IT practices and data security ideas into law. In fact, the GDPR (see Article 40) will eventually allow companies (or in EU-speak, data controllers) to demonstrate GDPR compliance by adhering to an approved code of conduct, which could be built on an existing standard such as ISO 27001 or PCI DSS.

Is there an approach to data security that could encompass many different standards and laws, including GDPR, and that could be the basis of your organization’s program?

Data security researchers (see, for example, NIST's Cybersecurity Framework) generally organize data security controls into broader categories. Here are three that usually show up on these lists.

1. Detect – Identify or spot vulnerabilities by analyzing file systems, directory services, account activity, and user behavior. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

2. Prevent/Protect – Limit the potential damage of future breaches by locking down sensitive and stale data, reducing broad and global access, and simplifying permissions.

3. Sustain – Maintain a secure state by automating authorization workflows, regular entitlement reviews, and the retention and disposition of data. Monitor unusual user and system behaviors.


Of course, the GDPR is not an explicit data compliance standard with hundreds of sub-controls. Instead, its requirements are in the form of articles, offering general goals that have to be achieved, but not saying how to achieve them. For more detailed insights into the GDPR, we recommend reading our white paper, EU General Data Protection Regulation: The New Rules for EU Data Security.

With this categorization scheme, we now have a formula for organizing the key GDPR requirements and a plan of attack:

GDPR Article | Varonis Product(s)

Phases: Detect, Protect, Sustain

GDPR articles covered: Security of Processing (Article 32); Impact Assessment (Article 35); Notification of a personal data breach to the supervisory authority (Article 33); Communication of a personal data breach to the data subject (Article 34); Data Protection by Design and Default (Article 25); Right to Erasure (Article 17); Records of Processing (Article 30)

Varonis products: DatAdvantage, GDPR Patterns, DatAlert, DataPrivilege, Data Transport Engine, DatAnswers


To summarize the three-step plan to meet the GDPR: identify assets at risk, protect those assets by maintaining appropriate permissions and employing other Privacy by Design principles, and finally monitor these assets for threats.

There's actually a fourth step: feed what you've learned in the detection/monitoring phase back into the first step. In other words, you fine-tune the first three steps based on what you learned while monitoring for threats or other weaknesses.

At Varonis, we take a data-centric view of data security. Through our products, specifically DatAdvantage, DataPrivilege, DatAlert, and our Data Classification Engine, we eliminate or reduce the risk of theft at the part of the IT system where it makes the most sense to focus security efforts: not at the perimeter, which can be bypassed, but on the data itself.

Let’s now walk through the plan.


Basic Identification

In order to understand your potential vulnerabilities and risk, it makes sense to do an inventory of your system, looking for specific assets and risks. For Varonis, users, groups, and folders are the raw building blocks used in all our risk reporting.

As a first step in complying with the GDPR, you'll want to review basic file system asset and account information. The following reports generated by DatAdvantage can be of great help.

With DatAdvantage's 4g report, security staff can quickly discover folders containing sensitive GDPR personal data, which is often scattered across corporate file systems. This is a great way to begin the process of risk reduction.

Behind the scenes, the Varonis Data Classification Engine has already scanned the files using filters that match patterns for personal data identifiers (phone numbers, account numbers, and so on) and rated each file by its number of hits.

Classification Results (Selected Rules) | Hit Count | Risk % | Files with Hits | Scan Priority

GDPR UK (258/258), GDPR Belgium (120/120), GDPR Poland (120/120), American Express (122/122), DE Personal Data Protection (120/120), MasterCard (175/175), PCI Data Security Standards (PCI-DSS) (743/743), DE Landline Phone Numbers (120/120), Visa (322/322) | 2100 | 5.69 | 6 | 252

GDPR UK (134/134), GDPR Belgium (100/100), GDPR Poland (100/100), American Express (102/102), DE Personal Data Protection (100/100), MasterCard (102/102), PCI Data Security Standards (PCI-DSS) (446/446), DE Landline Phone Numbers (100/100), Visa (322/322) | 1394 | 3.77 | 2 | 254

▲ DatAdvantage 4g shows data classification results
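The pattern-plus-hit-count classification that the 4g report summarizes can be shown end to end. The script below is an added example written for this page, not Varonis code and not the Data Classification Engine: it walks a directory tree, applies a small hypothetical rule set (Visa and MasterCard numbers validated with the Luhn checksum, IBANs validated with the ISO 13616 mod-97 check, and a loose German landline pattern with no checksum), counts only validated hits per file, and ranks the files by hit count the way the report does. The rule names, the regexes and the three sample files under SAMPLE_FILES are constructed for the example.

```python
"""Pattern-based classification of files, in the spirit of the 4g report.
Added example, not Varonis code: rule set, validators and sample files are hypothetical."""
import re
import tempfile
from collections import Counter
from pathlib import Path


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by Visa/MasterCard/Amex card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map A-Z to 10-35, mod 97 must be 1."""
    rearranged = iban[4:] + iban[:4]
    as_number = int("".join(str(int(c, 36)) for c in rearranged))
    return as_number % 97 == 1


def _card(match: str) -> bool:
    return luhn_ok(re.sub(r"\D", "", match))


# Hypothetical rule set: (rule name, loose regex, validator or None).
# The regex is deliberately permissive; the validator throws out false positives.
RULES = [
    ("Visa", re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"), _card),
    ("MasterCard", re.compile(r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"), _card),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_ok),
    ("DE Landline Phone Numbers",
     re.compile(r"(?<!\d)(?:\+49 ?|0)[2-9]\d{1,4}[ /-]?\d{3,8}(?!\d)"), None),
]


def classify_text(text: str) -> Counter:
    """Apply every rule to one document and return validated hits per rule."""
    hits = Counter()
    for name, pattern, validator in RULES:
        for match in pattern.finditer(text):
            if validator is None or validator(match.group(0)):
                hits[name] += 1
    return hits


def scan_tree(root) -> list:
    """Classify every regular file under root; return [(relative path, hits)] ranked by total hits."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = classify_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results.append((path.relative_to(root).as_posix(), hits))
    results.sort(key=lambda item: -sum(item[1].values()))
    return results


# Constructed sample share: one file with test identifiers that validate, one with
# look-alikes that fail validation, one with nothing personal.
SAMPLE_FILES = {
    "hr/customers.txt": "Card 4111 1111 1111 1111, IBAN DE89370400440532013000, Tel 030 12345678\n",
    "projects/order.txt": "Order ref 4111 1111 1111 1112 (not a card number); call 0221/4711\n",
    "projects/readme.txt": "Nothing personal in here.\n",
}


def build_sample_share() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="gdpr-scan-")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_share()):
        print(f"{sum(hits.values()):>3} hits  {rel}  {dict(hits)}")
```

The validators are the important part: a bare regex for 16-digit numbers fires on order references and phone numbers, which is how classification results fill up with noise. Counting only matches that pass the checksum is what makes the hit count usable as a ranking signal.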


To help specifically in identifying GDPR personal data, Varonis introduced GDPR Patterns. It lets organizations discover GDPR personal data, from national identification numbers to IBANs to blood type to credit card information. This means that you'll be able to generate different reports on GDPR personal data, including permissions, open access, and the last time it was accessed ("staleness").

Which GDPR data is no longer needed?

For folders, report 4f provides access paths, size, number of subfolders, and the share path. By setting a last-access-time search criterion, one can also produce a list of folders that have rarely been used: "stale data". As we'll see in the next section, this information helps in minimizing data security risks.

Where is GDPR data overexposed?

Also very useful is the 4b report. It shows the permissions for a given directory, optionally breaking out groups on the ACLs. It also provides recommendations on group membership and permissions. If the access controls for a known critical data set are to be inspected and adjusted quickly, the 4b report will serve that purpose best.

The previous reports provide some core identification information that can then be used in the remediations of the Protect phase. As a reminder, the GDPR legislates common IT security practices ("implement appropriate technical and organisational measures"). DatAdvantage reports on widely exposed sensitive data, true group membership lists, and stale data and user accounts will help the IT group implement these measures.
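What the 4a and 4b reports flag as overexposure (a global group such as Everyone, Authenticated Users or Domain Users holding rights on a folder) can also be checked outside the product from an ACL export. The script below is an added example, not Varonis code: it reads an export in a two-line layout assumed to follow what `icacls /save` writes (a path line followed by the security descriptor in SDDL), decodes the allow ACEs in the DACL, maps well-known SIDs to names, and reports global trustees, distinguishing write-capable rights (modify, full control, delete, write-DAC, write-owner, generic write/all) from read-only ones. The paths, SIDs and descriptors in SAMPLE_EXPORT are constructed; deny ACEs and inheritance are ignored, which is a simplification a real review would not make.

```python
"""Flag folders where a global group holds rights, from an SDDL-based ACL export.
Added example, not Varonis code; SAMPLE_EXPORT is constructed."""
import re

# Well-known SID abbreviations and literal SIDs (subset) -> display names.
SID_ABBREV = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "DU": "Domain Users",
              "BA": "Administrators", "SY": "SYSTEM", "CO": "Creator Owner", "DA": "Domain Admins"}
SID_LITERAL = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
GLOBAL_TRUSTEES = {"Everyone", "Authenticated Users", "Users", "Domain Users"}

# SDDL access-right tokens -> access-mask bits (generic, file-specific and standard rights).
RIGHT_TOKENS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Any of these bits lets the trustee change data, ACLs or ownership.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
READ_BITS = 0x1 | 0x80000000 | 0x10000000


def rights_mask(field: str) -> int:
    """Decode the rights field of an ACE: either a hex mask or concatenated two-letter tokens."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_TOKENS[field[i:i + 2]]   # unknown token -> KeyError, better than under-reporting
    return mask


def trustee_name(sid: str) -> str:
    if sid in SID_ABBREV:
        return SID_ABBREV[sid]
    if sid in SID_LITERAL:
        return SID_LITERAL[sid]
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):   # RID 513 is Domain Users in any domain
        return "Domain Users"
    return sid


def parse_dacl(sddl: str) -> list:
    """Return [(trustee, access mask)] for the allow ACEs of the DACL. Deny/audit/object ACEs are skipped."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    if dacl:
        for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
            fields = ace.split(";")
            if len(fields) == 6 and fields[0] == "A":
                aces.append((trustee_name(fields[5]), rights_mask(fields[2])))
    return aces


def find_overexposed(export: str) -> list:
    """export: path line followed by SDDL line, repeated. Returns (path, global trustee, 'write'|'read')."""
    lines = [line for line in export.splitlines() if line.strip()]
    findings = []
    for path, sddl in zip(lines[0::2], lines[1::2]):
        for trustee, mask in parse_dacl(sddl):
            if trustee not in GLOBAL_TRUSTEES:
                continue
            if mask & WRITE_BITS:
                findings.append((path, trustee, "write"))
            elif mask & READ_BITS:
                findings.append((path, trustee, "read"))
    return findings


# Constructed export (layout assumed to follow icacls /save: name, then descriptor).
SAMPLE_EXPORT = r"""
share\84
D:PAI(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)
share\legal\Corporate\Finance
D:PAI(A;OICI;0x1301bf;;;S-1-5-21-1004336348-1177238915-682003330-1134)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1004336348-1177238915-682003330-513)
share\public
D:AI(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;BA)
"""

if __name__ == "__main__":
    for path, trustee, level in find_overexposed(SAMPLE_EXPORT):
        print(f"{level:5}  {trustee:20}  {path}")
```

Joining these findings with the classification hits from the previous report gives the same picture as the 4a report: a folder is a priority when a global trustee can write to it and the files inside carry personal data. The hex masks in the sample (0x1301bf for Modify, 0x1200a9 for Read & Execute) are the values Windows itself writes for those permission levels.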


Identification and Risk

While the basic reports provide a good starting point, IT security staff will need to dig deeper into the file system in order to identify sensitive or critical data that can be a source of risk.

Generally, they're looking for personally identifiable information (PII), or personal data as it's referred to in the GDPR, such as email addresses, phone numbers, driver's license numbers, and national identification numbers.

As we all know from major breaches over the last few years, poorly protected folders (folders or directories with permissions that are far more generous than they need to be) are where the action is for hackers. Once they get in, hackers simply leverage the access permissions of the account they've taken over.

To help you dig deeper beyond the 4g report, the DatAdvantage 4a report is the go-to report for finding globally exposed GDPR-style data within specific files.

Access Path | User/Group | Current Permissions | Total Hit Count (incl. subfolders) | Classification Results

rojects11.txt (1) | Abstract\Everyone | FMRWX | 10 | GDPR UK (2/2), MasterCard (2/2), DE Personal Data Protection (5/5), Visa (1/1)

C:\share\84\ProjectData.txt (1) | Abstract\Everyone | FMRWX | 113 | GDPR Belgium (16/16), GDPR Poland (16/16), DE Personal Data Protection (17/17), MasterCard (5/5), PCI Data Security Standards (PCI-DSS) (16/16), DE Landline Phone Numbers (16/16), Visa (11/11)

▲ Figure 3 DatAdvantage 4a report shows files with sensitive data that is globally available.


There's significant risk in having GDPR personal data in files accessible to everyone in the organization. DatAdvantage's 4a report shows you these files. It is also possible to configure the 4a report to display only folders that contain globally accessible GDPR personal data.

It can be used instead of the 4g report (from above) to provide a more focused initial overview of your environment. By the way, as you become more familiar with DatAdvantage's flexible reporting filters, you'll likely find your own approach for your organization's GDPR security program.

We now have folders that are a potential source of data security risk.

What else do we want to identify?

The users that have accessed these folders are a good starting point.

There are a few ways to do this with DatAdvantage, but let's just work with the raw access audit log of every file event on a server, which is available in the 2a report. By adding a directory path filter, you can narrow down the results to a specific folder.

Date | User Name | File Server | Access Path | Event Type | Event Count

7/6/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Finance | All event types | 9

7/10/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Finance | All event types | 35

7/2/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Finance | All event types | 20

7/10/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Distrobution Agreements\DISTRIB (TEXIM EUROPE) V1 REVI.txt | All event types | 1

1/7/2016 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\CLAUSES | File opened | 1

▲ Figure 4 DatAdvantage 2a report shows access events on folders containing GDPR personal data.


Stale user accounts are another overlooked scenario that has potential risk. Essentially, user accounts are often not disabled or removed when an employee leaves the company or a contractor’s temporary assignment is over.

For the proverbial disgruntled employee, it's not unusual for this former insider to still have access to his account after leaving the company. Or for hackers to gain access to a no-longer-used third-party contractor's account and then leverage it to hop to their real target. In the Protect phase, we'll cover how Varonis lets you quickly disable these accounts.

A full risk assessment program would also include identifying external threats—new malware and new hacking techniques. It’s a separate function from data asset identification. With this new real-world threat intelligence, you then re-adjust the risk levels you’ve initially set and then re-strategize. You’re doing this on a continual basis since it’s an endless game of cyber cat-and-mouse with the hackers.


Prevent

The second phase of the Varonis GDPR methodology involves restructuring permissions, locking down or reducing overly exposed personal data, and identifying data owners to ensure that the proper preventive controls are in place. This eliminates areas of high risk, reduces the potential attack surface, simplifies the environment, and begins involving stakeholders outside of IT Security.

In this phase, you're also supporting a key GDPR principle, minimization: taking the file and account information and looking for ways to minimize who has access to personal data and to reduce the amount of sensitive data held.

Let's see how we can do that in the Prevent phase.

One of the critical controls in this area is limiting access to only authorized users. This is easier said than done, but we've already laid the groundwork above.

The guiding principles are least-privileged access and role-based access control. In short: give appropriate users just the access they need to do their jobs or carry out their roles.

Since we're now at a point where we are about to take a real action, we'll need to shift from the DatAdvantage Reports section to the Review area of DatAdvantage.

DatAdvantage provides graphical support for helping to identify data ownership.

If you want to get more granular than just seeing who's been accessing a folder, you can view the actual access statistics of the top users with the Statistics tab in DatAdvantage.


This is a great help in understanding who is really using the folders. The ultimate goal is to find the true users, and remove extraneous groups and users, who perhaps needed occasional access but not as part of their job role.

The key point is to first determine the folder's owner: the one who has the real knowledge of what the folder is all about. This may require some legwork on IT's part, talking to the users identified by the DatAdvantage stats and working out the real chain of command.

Once you use DatAdvantage to set the folder owners, these more informed power users, as we'll see, can independently manage who gets access and whose access should be removed. The folder owner will also automatically receive DatAdvantage reports, which will help guide them in making future access decisions.

There's another important point to make before we move on. IT has long been responsible for provisioning access without knowing the business purpose. Varonis DatAdvantage assists IT in finding these owners, and then assists the owners in minimizing or limiting access and in formally managing the granting of access.

Another way DatAdvantage assists data owners is through its automated recommendation engine. Owners often find these recommendations helpful because they can easily spot users that have changed roles, no longer need access, and so on. The 4b report from the last section is helpful here since it lists ACL recommendations.

The DatAdvantage Work Area tab also directly provides similar information.


Once the owner has done the housekeeping of restricting and removing unnecessary users and groups, they'll then want to put in place a process for permission management.

Data standards and laws, such as GDPR, recognize the importance of having security policies and procedures as part of an ongoing program – i.e., not something an owner does once a year.

Varonis has an important part to play here as well.



Maintaining Least-Privileged Access

How do ordinary users, whose job role now requires them to access a managed folder, request permission from the owner?

This is where Varonis DataPrivilege enters the scene. Regular users interact with DataPrivilege to request access to a managed folder, and DataPrivilege then manages the workflow process.


The owner of the folder has a parallel interface from which to receive these requests and then grant or revoke permissions. The goal here is to automate the workflow for enabling access permissions to be limited to those who truly need it.

Another way to maintain least-privileged access is to disable stale or inactive accounts, which are a potential security risk. For these accounts, DatAdvantage lets you disable them directly through its interface, saving you the extra step of having to go into a directory service such as Active Directory.


Minimize Sensitive Data

Minimization is an important theme in security standards and laws. These ideas are best represented in the principles of Privacy by Design (PbD), which offer good overall security advice: minimize the sensitive data you collect, minimize who gets to see it, and minimize how long you keep it.

In the case of the GDPR, these ideas are directly mentioned in "Data Protection by Design and Default" (Article 25).

We've already seen how DatAdvantage can help minimize who gets access. Another PbD principle is to reduce security risks by deleting or archiving unnecessary or stale sensitive data embedded in files.

This makes incredible sense, of course. Stale GDPR personal data can, for example, be consumer identifiers collected in short-term marketing campaigns, now residing in rarely used spreadsheets or management presentations.

Your organization may no longer need it, but it's just the kind of monetizable data that hackers love to get their hands on.


DatAdvantage can find and identify file data that hasn’t been used after a certain threshold date. Can the DatAdvantage 4f report (from the previous section) be adjusted to find stale data that is also GDPR personal data?

Yes.

You need to add the "hit count" filter and set the number of sensitive data matches to an appropriate threshold.

The next step is to use the Data Transport Engine (DTE) available in DatAdvantage (from the Tools menu). DTE allows you to create a rule that searches for files to archive, and deletes them if necessary.

The rule's search criteria mirror the filters used to generate the sensitive data reports in the previous section. The rule does the real heavy lifting of detecting and removing the stale, sensitive data.

Since the rule can be saved, it can be rerun to enforce the retention limits. Even better, DTE can run the rule automatically on a periodic basis, so you never have to worry about stale GDPR personal data in your file system. Before enabling automatic deletion, run the rule in archive mode and review what it selects: personal data that is still needed to meet a legal obligation is not "stale" just because nobody has opened the file recently.
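Here is what such a retention rule looks like when written by hand, as an added example in Python that is neither Varonis code nor DTE. It takes report rows of the kind the 4f report with a hit-count filter produces (path, last access date as reported, number of sensitive-data hits), selects files that are both stale and sensitive, and either archives them under a parallel tree or deletes them, appending a manifest line for each action so there is a record of what was removed and why. The report rows, thresholds and placeholder files are constructed for the example. Using the report's last-access values rather than the filesystem's access timestamp is deliberate: last-access updates are disabled or lazily applied on many modern volumes, so the timestamp alone is not a reliable staleness signal.

```python
"""Retention rule over stale, sensitive files: archive (or delete) and keep a manifest.
Added example, not Varonis code or DTE; report rows, thresholds and files are constructed."""
import json
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

RUN_DATE = date(2018, 5, 25)   # the day the rule is evaluated (constructed)

# Constructed rows of the kind a 4f report with a hit-count filter yields:
# path relative to the share, last access as reported, number of sensitive-data hits.
SAMPLE_REPORT = [
    {"path": "marketing/campaign-2015-leads.xlsx", "last_access": date(2016, 3, 2), "hit_count": 412},
    {"path": "finance/q4-forecast.pptx", "last_access": date(2018, 4, 30), "hit_count": 3},
    {"path": "legal/contract-template.docx", "last_access": date(2015, 1, 9), "hit_count": 0},
]


def select_stale_sensitive(rows, today, max_age_days=365, min_hits=1):
    """Rule criteria: not accessed for max_age_days AND at least min_hits sensitive matches."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in rows if r["last_access"] <= cutoff and r["hit_count"] >= min_hits]


def apply_rule(share_root, archive_root, rows, today, action="archive", **criteria):
    """Run the rule once; return the manifest records (one per file moved or deleted)."""
    share_root, archive_root = Path(share_root), Path(archive_root)
    archive_root.mkdir(parents=True, exist_ok=True)
    manifest = []
    for row in select_stale_sensitive(rows, today, **criteria):
        source = share_root / row["path"]
        if not source.is_file():            # report and filesystem can drift; never act on a missing path
            continue
        if action == "archive":
            target = archive_root / row["path"]
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(source), str(target))
        elif action == "delete":
            source.unlink()
        else:
            raise ValueError(f"unknown action {action!r}")
        manifest.append({"path": row["path"], "action": action, "run_date": today.isoformat(),
                         "last_access": row["last_access"].isoformat(), "hit_count": row["hit_count"]})
    with open(archive_root / "manifest.jsonl", "a", encoding="utf-8") as log:   # append-only record
        for record in manifest:
            log.write(json.dumps(record) + "\n")
    return manifest


def make_sample_share():
    """Create placeholder files for SAMPLE_REPORT under a temp share; return (share_root, archive_root)."""
    base = Path(tempfile.mkdtemp(prefix="gdpr-retention-"))
    share, archive = base / "share", base / "archive"
    for row in SAMPLE_REPORT:
        (share / row["path"]).parent.mkdir(parents=True, exist_ok=True)
        (share / row["path"]).write_bytes(b"placeholder content")
    return share, archive


if __name__ == "__main__":
    share, archive = make_sample_share()
    for record in apply_rule(share, archive, SAMPLE_REPORT, today=RUN_DATE):
        print(record)
```

Rerunning the rule is safe: files already archived no longer exist under the share, so a second pass acts on nothing and the manifest only grows when something actually changes. That idempotence is what makes scheduling the rule reasonable.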


Right to be Forgotten

Varonis can also help to meet another GDPR requirement, the "Right to Erasure" or "Right to be Forgotten" (Article 17).

Under the GDPR, consumers have the right to request the deletion of personal data relating to them. This requirement covers not only removal of personal data from structured databases but also from file systems.

While it's possible to add new classification rules to find a specific customer requesting deletion (say, using a name or account number as search criteria), an easier way to meet the right to erasure is through Varonis DatAnswers, our intelligent search engine for scanning files.

Just as you would enter keywords into, say, Google, you can use DatAnswers to find the files where the personal data of a customer requesting erasure is located. You can then quarantine the files and adjust their data.


Monitor

No data security strategy is foolproof, so you need a secondary defense based on detection and monitoring controls: effectively, you're watching the system and looking for unusual activities that would indicate hacking.

Varonis DatAlert has a unique role to play in breach detection because its underlying security platform is based on monitoring file system activities.

By now everyone knows (or should know) that phishing and injection attacks allow hackers to get around network defenses by borrowing existing users' credentials, and fully undetectable (FUD) malware means they can avoid detection by virus scanners.

So how do you detect the new generation of stealthy attackers?

No attacker can avoid using the file system to load their software, copy files, and crawl a directory hierarchy looking for sensitive data to exfiltrate. If you can spot their distinctive file activity patterns, then you can stop them before they remove or exfiltrate the data, or at least limit the data exposure.

We can't cover all of DatAlert's capabilities, but since it has deep insight into file system information and events and into the history of user behavior, it's in a powerful position to determine what's outside the normal activity range for a user account.

We call this user behavior analytics, or UBA, and DatAlert comes bundled with a suite of UBA threat models. You're free to add your own, of course, but the pre-defined models are quite powerful as is. They include detecting crypto intrusions, ransomware activity, unusual user access to sensitive data, unusual access to files containing credentials, and more.


All triggered alerts can be tracked from the DatAlert Dashboard. IT staff can either intervene and respond manually or set up scripts to run automatically, for example to disable accounts.

The GDPR breach notification requirements (Articles 33 and 34) require the supervisory authority to be notified of the nature of the breach, the categories and approximate number of data subjects and records concerned, and the measures taken to address the incident. Where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well.

DatAlert can provide this information as well as help contain the breach through automated scripts.


Here are a few examples of the threat models that can be detected and acted on:

Threat Model | Description

Abnormal behavior: Access to an unusual number of idle GDPR files | A statistically significant increase was detected in the number of idle GDPR files opened by the user, compared to his behavioral profile. Idle files are files the user did not create, did not modify as part of this access, and had not accessed for a long time before this alert (though other users may have accessed them recently). This may indicate an attacker is searching for sensitive data assets to which he has access, in order to exfiltrate the data.

Abnormal behavior: Unusual number of GDPR files with denied access | A statistically significant increase was detected in the number of GDPR files a user failed to access. This may indicate an attacker is searching for and trying to gain access to various data assets in order to exfiltrate data.

Abnormal behavior: Unusual number of GDPR files deleted or modified | A statistically significant increase was detected in GDPR files deleted or modified by the user, compared to his behavioral profile. This may indicate an attacker is attempting to damage or destroy critical data assets, as part of a denial-of-service attack.

Abnormal service behavior: Access to atypical folders containing GDPR data | A service account accessed folders containing GDPR data it had not accessed previously. Service accounts can be expected to perform the same actions repeatedly; therefore, a behavioral change is suspicious. Attackers may impersonate a service account and exploit its privileges.
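Two of the threat models in the table can be reproduced over a raw file-access log of the kind the 2a report exposes. The Python below is an added example, not DatAlert's implementation and not its statistics: it replays constructed events, counts per user and per day the distinct sensitive files that were idle for that user (not opened by them for IDLE_DAYS, following the table's definition), compares the evaluated day against the user's own baseline using a z-score as a stand-in for the product's significance test, and separately flags a service account opening a sensitive folder it had never touched. The user names, paths, the SENSITIVE_PREFIXES set (standing in for classification results) and every event in build_sample_log are constructed.

```python
"""Two UBA-style detections over a file-access audit log: a spike in idle sensitive
files opened by a user, and a service account entering a sensitive folder it never
used before. Added example, not DatAlert; all names, paths and events are constructed."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

IDLE_DAYS = 90          # a file the user has not opened for this long is "idle" for that user
Z_THRESHOLD = 3.0       # stand-in for the product's significance test
MIN_FILES = 5           # ignore tiny absolute counts even when the z-score is high
SENSITIVE_PREFIXES = (r"C:\Share\HR", r"C:\Share\Finance")   # stand-in for classification results
SERVICE_ACCOUNTS = {r"corp\svc_backup"}
EVAL_DAY = date(2018, 4, 21)     # the noisy day in the constructed log
QUIET_DAY = date(2018, 4, 15)    # an ordinary day in the constructed log


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def folder_of(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def build_sample_log():
    """Constructed events (day, user, path, event). Twenty quiet days, then a noisy one."""
    start = date(2018, 4, 1)
    events = []
    for i in range(20):
        day = start + timedelta(days=i)
        events.append((day, r"corp\alice", r"C:\Share\Finance\ledger.xlsx", "open"))
        if i % 3 == 0:
            events.append((day, r"corp\alice", r"C:\Share\Finance\budget.xlsx", "open"))
        events.append((day, r"corp\svc_backup", r"C:\Share\Backup\nightly.log", "open"))
    # Day 21: Alice opens 25 customer records she never touched; the backup account reads payroll.
    day = start + timedelta(days=20)
    for n in range(25):
        events.append((day, r"corp\alice", rf"C:\Share\HR\customers\record{n:03d}.docx", "open"))
    events.append((day, r"corp\svc_backup", r"C:\Share\HR\payroll\2018.xlsx", "open"))
    return events


def daily_idle_opens(events):
    """(user, day) -> number of distinct sensitive files opened that were idle for that user."""
    last_seen = {}                      # (user, path) -> last day the user touched it
    opened = defaultdict(set)
    for day, user, path, event in sorted(events):
        previous = last_seen.get((user, path))
        if event == "open" and is_sensitive(path) and (previous is None or (day - previous).days > IDLE_DAYS):
            opened[(user, day)].add(path)
        last_seen[(user, path)] = day
    return {key: len(paths) for key, paths in opened.items()}


def detect(events, day, service_accounts, baseline_days=30):
    """Evaluate one day against each user's own history; return a list of alert dicts."""
    counts = daily_idle_opens(events)
    alerts = []
    first_seen = {}
    for d, user, _, _ in events:
        first_seen[user] = min(first_seen.get(user, d), d)
    for user in sorted(first_seen):
        start = max(first_seen[user], day - timedelta(days=baseline_days))
        baseline = [counts.get((user, start + timedelta(days=i)), 0) for i in range((day - start).days)]
        today = counts.get((user, day), 0)
        if baseline and today >= MIN_FILES:
            z = (today - mean(baseline)) / max(pstdev(baseline), 1.0)   # floor the deviation for flat profiles
            if z >= Z_THRESHOLD:
                alerts.append({"user": user, "model": "Abnormal behavior: access to an unusual number of idle GDPR files",
                               "idle_files_opened": today, "baseline_mean": round(mean(baseline), 2), "z": round(z, 1)})
        if user in service_accounts:
            before = {folder_of(p) for d, u, p, _ in events if u == user and d < day}
            new = sorted({folder_of(p) for d, u, p, _ in events if u == user and d == day and is_sensitive(p)} - before)
            if new:
                alerts.append({"user": user, "model": "Abnormal service behavior: access to atypical folders containing GDPR data",
                               "folders": new})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log(), EVAL_DAY, SERVICE_ACCOUNTS):
        print(alert)
```

Two design points carry over to any real implementation: the baseline is per user, so a finance analyst who opens many sensitive files every day does not trip the model while a sudden change for the same person does; and the deviation is floored, because a profile that is flat at zero would otherwise turn a single new file into an infinite z-score, which is why MIN_FILES also guards the absolute count.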


To help meet GDPR’s 72-hour window for providing information to the data authorities, DatAlert lets you fine tune the threat behaviors to focus just on GDPR personal data. In other words, you can get alerts for, say, unusual file access to a folder containing phone or national ID numbers.

▲ Figure 9 DatAlert can be configured to trigger on threats affecting GDPR personal data.


Other Considerations

It's important to keep in mind that the GDPR is not a security standard. It provides guidance, enforced by the EU regulators, to help ensure that personal data is protected.

The GDPR asks you to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" (see Security of Processing, Article 32). The GDPR also says you need a process for "regularly testing, assessing and evaluating the effectiveness of technical and organisational measures".

In other words, data security is something you do on a continual basis. We've shown in this whitepaper how Varonis software can help you in a GDPR data security program. We didn't cover all of Varonis's capabilities; if you want more details, you can refer to our Varonis Operational Plan. Ask our sales staff for a copy.

Many large organizations have likely been relying on existing data security standards, such as PCI DSS or ISO 27001, and have already implemented many of the detailed security controls in these standards.

If that's the case, you'll now need to focus these controls more specifically on the protection of GDPR personal data.

The GDPR offers, through its approved "codes of conduct" (see Article 40), a way to gain "credit" for existing compliance.

Article 40 says that associations and other bodies representing controllers or processors can submit codes of conduct, which could be built on an existing standard such as PCI DSS, to the supervisory authorities (and, for codes spanning several member states, to the European Data Protection Board) for approval. If a company then adheres to an officially approved code of conduct, supervisory authorities must take that into account when deciding on enforcement action, including fines, as long as the body behind the code has a monitoring mechanism to check on compliance (see Article 41).


The GDPR, though, goes a step further. It leaves open a path to official certification of the data operations of a company, or as the GDPR refers to it, a controller.

In effect, the regulators have the power (through Article 42) to certify a controller's operations as GDPR compliant. The supervisory authorities can also accredit certification bodies (Article 43), which may include existing standards organizations, to issue these certifications directly.

A certification is valid for a maximum of three years, at which point the company will need to re-certify.

These certifications are entirely voluntary, but there are obvious benefits for many companies. The intent is to leverage the private sector's existing data standards and give companies a more practical approach to compliance with the GDPR's technical and administrative requirements.

The EDPB is also expected to develop certification marks and seals for consumers, as well as a registry of certified companies.

We’ll have to wait for more details to be published by the regulators on GDPR certification.


Get a GDPR Readiness Assessment

Live Demo: Set up Varonis in your own environment and see how to stop ransomware and protect your data.

info.varonis.com/demo

Data Risk Assessment: Get your risk profile, discover where you're vulnerable, and fix real security issues.

varonis.com/gdpr-ra

Varonis is a Fantastic Solution