Complying with Privileged User Regulations: How One Firm Met GDPR, ISO 27001 in Salesforce

Securing personal data is at the core of the EU’s General Data Protection Regulation (GDPR). Cloud applications, and Salesforce in particular, are rife with personal data. And while Articles 25 and 32 of the GDPR dictate how personal data should be handled, the regulation stops short of explicitly prescribing how to meet those requirements. The question remains — how can you protect data from privileged user abuse or misuse and comply with privileged user regulations?

In this video, Mark Bowling, Consulting ISO for United Capital Partners, chats with Imprivata FairWarning’s Business Information Security Officer LaDon Williams about how the financial services firm achieved GDPR compliance by focusing on the ISO 27001 framework.

Transcript of “Cloud Compliance Considerations for GDPR”

LaDon Williams, Business Information Security Officer, Imprivata FairWarning: At the core of GDPR is actually securing personal data. Salesforce, in particular, is rife with personal data. And while the EU spells out how that personal data should be handled — in Article 25, which is data protection by design and default, which speaks to the appropriate organizational and technical measures that need to be in place, and Article 32, security of processing — you know, it doesn’t necessarily explicitly state what needs to be done to meet these requirements. And I know, Mark, I know you’re extremely well-versed in ISO, and it does lay out a more prescriptive level of instructions as to how you can implement these measures to still be in compliance with GDPR. Can you kind of start to walk us through some of those controls that do link to GDPR?

Mark Bowling, Consulting ISO, United Capital: So we’ve touched on two of the controls — Article 25, data protection by design and by default; Article 32 is security by processing.

I’m just going to hit on some of the data rights. European Union residents have a right to access personal data. They have a right to rectify inaccurate data, they have a right to the erasure of data — that’s been interpreted as the right to be forgotten — the right to restrict processing of their data. They have a right that their data would be portable at their selection, the right to opt in or out of automated decision-making, and, finally, the right to lodge a complaint. These are the rights that the GDPR statute gives EU residents.

And so what we are doing is, we have to create what I call an “internal control framework.” So internal controls come in three kinds – there are detective controls, there are preventive controls, and then there are corrective controls. So the preventive controls prevent bad people from doing bad things, the detective controls identify when bad people are doing bad things, and, finally, the corrective controls give the enterprise the ability to correct it after the fact when the bad person does a bad thing.

So let’s start right here at the top with ISO A.7.2. So, during employment — and we’ll have to drill down a little into the ISO standard, and there’s two elements here with the ISO standard under A.7. And just broadly, A.7 is “human resources security,” 7.2 would be during employment activity, so “during employment,” 7.2.1 is “management responsibilities,” and you go down to 7.2.3, they address the disciplinary process. So before you can take a disciplinary process and exercise your management responsibilities, you need to have evidence that misconduct may have occurred by one of the employees.

Moving onto the next bullet, you have user access management. So, fundamentally, what user access management — these are user access controls, and specifically to the point we want to address today, we have 9.2.3, which is “management of privileged access rights,” and 9.2.5, “review of user access rights.” And once again, we’re trying to hit mainly on privileged user access and potential misconduct that can be identified by the actions of those privileged users.

Going back to A.12.4, “logging and monitoring,” this allows you to monitor and log not just user activities, but privileged user activities — those who have escalated privileges. There are a couple different levels of privileged users — you have the true administrative level, root level, super users, and then we have what we consider power users with escalated privileges. Because we capture all those logs, though, as per A.12.4, now we’re able to do what I call “after-the-fact auditing and monitoring,” A.12.7.

Finally, we have A.16.1 — and that’s kind of the flip side of the auditing. This is the corrective action, the corrective control that I was talking about. So you have a critical incident impact Salesforce — your Salesforce instance. You may lose customer data, you may have to identify the attribution of that loss of data, and so now you have those audit logs, and after the fact, you have the ability to utilize those audit logs to address attribution and to identify what truly happened.