How PAM supports your GDPR compliance

Time’s running out for GDPR compliance. From 25 May 2018 the General Data Protection Regulation (GDPR) becomes enforceable, the most far-reaching change to privacy law since the Data Protection Act 1998, and now is the time to look at your business and see whether you’ll be on the right side of the Information Commissioner’s Office (ICO).

Every business is affected. If you hold or process any personal data – from names and addresses to login details – you’ll need to demonstrate your compliance with the new regulation. And it’s not just customer data: you’ll also need to account for the personal data you hold about your own employees.

There’s a lot to consider and, sadly, no silver bullet. But if you’re trying to make sense of your obligations, there’s one important place to start – the privileged account passwords that keep personal data safe.

Your privileged passwords and GDPR

GDPR is a wide-reaching and comprehensive rethink of how businesses handle personal data. It’s surprising how simply improving the way you manage privileged account passwords can have a huge impact on your compliance efforts.

Privileged Account Management (PAM) helps you understand your current position and what needs to change. On most networks it is hard even to find every privileged account; PAM discovery finds them quickly, which makes auditing their passwords far easier.

Enforcing technical security
GDPR Article 32 requires ‘security of processing’: technical and organisational measures appropriate to the risk, so that personal data stays confidential and intact. Your account passwords are a core part of that control, but it’s not enough to set them once and forget them.

By consolidating privileged passwords in one vault, encrypting them, and automating how your security policies are enforced, PAM helps you apply the principle of least privilege – each account and each person holds only the access their role needs – so the passwords you rely on actually deliver the protection you assume they do.

Reporting on compliance
Investing in GDPR compliance is of little use unless you can report on it and demonstrate that you’re meeting your obligations. Privileged accounts typically lack visibility, accountability and a detailed audit trail; a PAM solution closes that gap by acting as the single point of control through which every use of a privileged password passes and is recorded.

Responding to and disclosing a breach
Finally, GDPR sets strict requirements for reporting a personal data breach. Under Article 33 you must notify the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of the breach, and under Article 34, where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay.

With PAM’s audit trail, you can see which privileged account was used, when, from where and for what, and so establish how personal data was reached. This is crucial in two key ways:

Finding the relevant records for data subjects that need to be contacted

Making immediate changes to eradicate the threat and reduce your risk of repeated exposure through the same route

Thycotic Secret Server 10.4 and GDPR

By improving your technical security, reporting ability, and visibility over password misuse, PAM can be a valuable asset in achieving GDPR compliance. And with the release of Thycotic Secret Server 10.4, you can go further with features designed with GDPR compliance in mind.

The latest version of Thycotic Secret Server includes the Secret Server Software Development Kit (SDK), a way to remove hardcoded credentials from applications. Instead of carrying a password in source code, configuration files or build artifacts, an application requests the credential at run time through a token-authenticated API call, so it always receives the current value and the secret can be rotated without touching the application.
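The following is an added illustration of the pattern described above, not code from Thycotic or its SDK: the hardcoded-credential anti-pattern sits beside a run-time retrieval that authenticates with a bearer token. The REST endpoint shape (`/api/secrets/{id}` returning `fieldName`/`itemValue` pairs), the `VAULT_TOKEN` environment variable and the fake vault response are all assumptions made for a self-contained, offline demonstration.

```python
"""Removing a hardcoded credential: anti-pattern beside run-time retrieval.
Added illustration; the vault API shape is a hypothetical stand-in, not the
Thycotic Secret Server SDK."""
import json
import os
import urllib.request
from typing import Callable, Dict

# ---- BEFORE: credential embedded in the source (the anti-pattern) ----
# Anyone who can read the repository, a build artifact, a container image
# or a backup now holds a live database password, and rotating it means a
# code change and a redeploy.
DB_PASSWORD_HARDCODED = "Sup3rSecret!"  # constructed example value


def connect_string_insecure(user: str, host: str) -> str:
    return f"postgresql://{user}:{DB_PASSWORD_HARDCODED}@{host}/app"


# ---- AFTER: fetch the current credential from the vault at run time ----
# The HTTP transport is injectable so the retrieval logic can be exercised
# offline against a constructed response.
Transport = Callable[[urllib.request.Request], bytes]


def _http_transport(req: urllib.request.Request) -> bytes:
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def get_secret(base_url: str, secret_id: int, token: str,
               transport: Transport = _http_transport) -> Dict[str, str]:
    """Return a secret's fields, authenticating with a bearer token.

    Hypothetical REST shape (an assumption, not a real product API):
    GET {base_url}/api/secrets/{id} ->
    {"items": [{"fieldName": "...", "itemValue": "..."}, ...]}
    """
    if not base_url.startswith("https://"):
        # A bearer token sent in clear text is itself a leaked credential.
        raise ValueError("refusing to send a bearer token over plaintext HTTP")
    req = urllib.request.Request(
        f"{base_url}/api/secrets/{secret_id}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"},
    )
    body = json.loads(transport(req).decode("utf-8"))
    return {item["fieldName"]: item["itemValue"] for item in body["items"]}


def connect_string_secure(base_url: str, secret_id: int, token: str,
                          transport: Transport = _http_transport) -> str:
    fields = get_secret(base_url, secret_id, token, transport)
    return (f"postgresql://{fields['username']}:{fields['password']}"
            f"@{fields['host']}/app")


# ---- Constructed fake vault for the offline demonstration ----
FAKE_VAULT = {
    42: {"items": [{"fieldName": "username", "itemValue": "app_svc"},
                   {"fieldName": "password", "itemValue": "rotated-2018-05"},
                   {"fieldName": "host", "itemValue": "db.internal"}]},
}


def fake_transport(req: urllib.request.Request) -> bytes:
    """Stand-in for the network: checks the token header, serves FAKE_VAULT."""
    auth = req.get_header("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    secret_id = int(req.full_url.rstrip("/").rsplit("/", 1)[1])
    return json.dumps(FAKE_VAULT[secret_id]).encode("utf-8")


if __name__ == "__main__":
    # The API token comes from the environment or an identity mechanism,
    # never from source; VAULT_TOKEN is an assumed variable name.
    token = os.environ.get("VAULT_TOKEN", "demo-token")
    print(connect_string_secure("https://vault.example", 42, token,
                                transport=fake_transport))
```

The point of the second half is that the application binary contains no secret at all: rotating the database password in the vault changes what the next `get_secret` call returns, and the only credential the application carries is a short-lived token scoped to that one secret. The plaintext-HTTP guard matters because a bearer token observed on the wire is as good as the secret it unlocks.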

Thycotic Secret Server 10.4 also includes Privilege Behaviour Analytics, which uses machine learning to build a real-time picture of how each privileged account is normally used and alerts you as soon as its behaviour departs from that baseline.

Need practical advice on GDPR compliance?

Watch Thycotic’s exclusive webinar and step-by-step guide with cybersecurity expert Joseph Carson.
