Information has no price

For years, nations have used their very special agencies (NSA, DGSE, KGB, etc.) to gather as much information as possible on their enemies, and on their friends too (one never knows...).

If we look at companies and the war they wage to be successful, we notice that information is essential for them too: information on competitors, on customers, or even on themselves! And that information is data.

Companies have always wanted to protect their critical data (manufacturing secrets...), but digital evolution has produced complex IT environments (cloud, BYOD...). Company data is now more exposed to cyberattacks than ever. Data theft and data loss do not carry the same risks, but the consequences of either can be really serious.

What is the competent AUTHORITY doing?

We all, citizens and companies alike, have one piece of information to protect: our personal data. In France, this data was first taken into account and protected in 1978 by the Data Protection and Freedom of Information Act (Loi Informatique et Libertés). Forty years later (note the reactivity!), Europe tackled the problem head on by strengthening personal data protection with the General Data Protection Regulation (GDPR), applicable since 25 May 2018.

A strengthening that is not without risk for professionals who do not want to deal with it. Fines, which can reach 4% of a company's worldwide turnover, are there to persuade companies to play the game. The goal of this new dynamic is to reverse the balance of power between customers and companies: the customer's rights of access, rectification, portability and erasure over the data held in a company's information system are now stricter.

In practice, GDPR brings such change to companies that some seem lost in front of the compliance mountain. Responding day to day to the new GDPR requirements is not easy for companies that are not data management specialists.

A BASTION, one BRICK of the GDPR response

There are data management solutions that respond, technically and legally, to some GDPR requirements. Here I want to explain the Bastion solution.

A Bastion is comparable to an airlock where users and target servers meet: users authenticate to the Bastion, and the Bastion opens the connection to the target on their behalf, so nobody reaches a server directly. Through this airlock we can know, in real time or afterwards, who does what, when, where and how. The goal is to detect and block potential attacks, with the help of a dynamic and very intuitive web interface (at least with Wallix, the technology I am using).

A Bastion answers the traceability and security-breach requirements that GDPR imposes with:

  • access control for subcontractors and collaborators
  • management of privileged accounts and risky users
  • creation of password policies
  • recording of work sessions and viewing them from the web interface (live or afterwards)
  • connection tracking
  • setting up access rules and alerts on targeted events
  • analysis of SSH streams
  • statistics, activity reports and metadata export
  • delegated administration
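To make "access rules", "alerts on targeted events", "connection tracking" and "activity reports" concrete, here is an added illustration in Python. It is not Wallix code and not part of the original article: it evaluates a few constructed session records against an assumed group policy (who may open which account on which target, and during which hours), flags watched commands seen in the recorded sessions, and aggregates the result into the kind of per-user report an auditor asks for. The record fields, the group names, the time windows and the watched-command list are all assumptions made for the example.

```python
import json
from datetime import datetime, time

# Constructed sample of bastion session records, one JSON object per line.
# These are NOT real Wallix exports; the field names are assumptions for the example.
SAMPLE_SESSIONS = """
{"user": "alice", "group": "admins", "target": "db01", "account": "root", "proto": "ssh", "start": "2018-05-25T09:12:00", "commands": ["systemctl status postgresql"]}
{"user": "bob-ext", "group": "contractors", "target": "web02", "account": "deploy", "proto": "ssh", "start": "2018-05-25T22:40:00", "commands": ["git pull", "sudo su -"]}
{"user": "carol", "group": "devs", "target": "db01", "account": "root", "proto": "ssh", "start": "2018-05-25T14:05:00", "commands": ["cat /etc/shadow"]}
{"user": "bob-ext", "group": "contractors", "target": "web02", "account": "deploy", "proto": "rdp", "start": "2018-05-25T11:00:00", "commands": []}
"""

# Assumed access policy: per group, the (target, account) pairs it may open and
# the hours during which it may open them. Contractors are confined to business hours.
RULES = {
    "admins": {"targets": {("db01", "root"), ("web02", "deploy")},
               "window": (time(0, 0), time(23, 59, 59))},
    "contractors": {"targets": {("web02", "deploy")},
                    "window": (time(8, 0), time(19, 0))},
    "devs": {"targets": {("web02", "deploy")},
             "window": (time(8, 0), time(19, 0))},
}

# Substrings that raise an alert when they appear in a recorded session (assumed list).
WATCHED = ("sudo su", "/etc/shadow", "passwd")


def parse_sessions(text):
    """Parse one JSON record per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(session):
    """Return the list of findings for one session; an empty list means it complies."""
    findings = []
    rule = RULES.get(session["group"])
    if rule is None:
        # Unknown group: default deny, and say so in the report.
        return [f"no rule for group {session['group']}: deny"]
    if (session["target"], session["account"]) not in rule["targets"]:
        findings.append(
            f"{session['user']} not authorised for {session['account']}@{session['target']}")
    start = datetime.fromisoformat(session["start"]).time()
    lo, hi = rule["window"]
    if not (lo <= start <= hi):
        findings.append(f"{session['user']} connected outside window at {start:%H:%M}")
    # Session recording makes the commands available, so watched patterns can be alerted on.
    for cmd in session["commands"]:
        if any(w in cmd for w in WATCHED):
            findings.append(f"{session['user']} ran watched command: {cmd!r}")
    return findings


def report(sessions):
    """Per-user session and alert counts, plus the flat list of (user, target, message) alerts."""
    per_user = {}
    alerts = []
    for s in sessions:
        stats = per_user.setdefault(s["user"], {"sessions": 0, "alerts": 0})
        stats["sessions"] += 1
        findings = evaluate(s)
        stats["alerts"] += len(findings)
        alerts.extend((s["user"], s["target"], msg) for msg in findings)
    return per_user, alerts


if __name__ == "__main__":
    per_user, alerts = report(parse_sessions(SAMPLE_SESSIONS))
    for user, stats in per_user.items():
        print(f"{user:10s} sessions={stats['sessions']} alerts={stats['alerts']}")
    for user, target, msg in alerts:
        print(f"ALERT {target}: {msg}")
```

Run as a script it prints the per-user statistics followed by the alerts: the contractor's late-evening connection and `sudo su -`, and the developer's unauthorised root session on db01 reading `/etc/shadow`; the two compliant sessions raise nothing. A real Bastion evaluates the access rule before the connection is opened rather than after the fact, but the policy shape (group, target account, time window, watched events) is the same.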


Thanks to the information control a Bastion offers, it is possible to set up a security policy that meets traceability needs, through user control and authentication on servers, as well as protection needs, by reducing the risk of security breaches.

Beyond the Bastion, information control also requires better knowledge of the content of both personal and professional data.

About the author

Stan

An active member of the corporate cyber security community, I chose anonymity, to limit my presence on the internet, in order to share with you security news, best practices to follow and advice to protect yourself, those around you and your company.
