VARONIS WHITEPAPER
GDPR Compliance With Varonis
Contents
Overview
Basic Identification
Identification and Risk
Prevent
Maintaining Least-Privileged Access
Minimize Sensitive Data
Right to be Forgotten
Monitor
Other Considerations
Get a GDPR Readiness Assessment
Overview
On May 25, 2018, the EU General Data Protection Regulation (GDPR)
will finally go into effect. It will be the most dramatic change in EU data
security and privacy law in over 20 years. Building on the existing Data
Protection Directive, the GDPR will enhance existing data security
and privacy protections and add some significant new requirements,
including 72-hour breach notification and substantial administrative fines.
The GDPR is not a completely new model for data security but instead
builds on ideas from Privacy by Design (PbD) and other data security
principles. Broadly speaking, you could say that the GDPR simply turns
established IT practices and data security ideas into law. In fact, the GDPR
(see Article 40, on codes of conduct) will eventually allow companies (or in
EU-speak, data controllers) to demonstrate compliance with the GDPR through
adherence to existing data standards, say ISO 27001 or PCI DSS.
Is there an approach to data security that could encompass many
different standards and laws, including GDPR, and that could be the
basis of your organization’s program?
Security frameworks (see, for example, NIST’s Cybersecurity Framework)
generally organize controls into broader functional categories. Here are
three that usually show up on these lists.
1. Detect – Identify or spot vulnerabilities by analyzing file systems,
directory services, account activity, and user behavior, and develop the
organizational understanding needed to manage cybersecurity risk to
systems, assets, data, and capabilities.
2. Prevent/Protect – Limit the potential damage of future breaches
by locking down sensitive and stale data, reducing broad and global
access, and simplifying permissions.
3. Sustain – Maintain a secure state by automating authorization
workflows, regular entitlement reviews, and the retention and
disposition of data, and monitor for unusual user and system behavior.
Of course, the GDPR is not an explicit data compliance standard with
hundreds of sub-controls. Instead, its requirements are in the form
of articles, offering general goals that have to be achieved, but not
saying how to achieve them. For more detailed insights into the GDPR,
we recommend reading our white paper, EU General Data Protection
Regulation: The New Rules for EU Data Security.
With this categorization scheme, we now have a formula for
organizing the key GDPR requirements and a plan of attack:
Phase | GDPR Article | Varonis Product(s)
Detect | Security of Processing (Article 32); Impact Assessment (Article 35) | DatAdvantage, GDPR Patterns
Sustain | Notification of a personal data breach to the authority (Article 33); Communication of a personal data breach to the data subject (Article 34) | DatAlert
Protect | Data Protection by Design and Default (Article 25); Right to Erasure (Article 17); Records of Processing (Article 30) | DatAdvantage, DataPrivilege, Data Transport Engine, DatAnswers
To summarize the three-step plan to meet GDPR: identify assets at
risk, protect those assets by maintaining appropriate permissions and
employ other privacy by design principles, and finally monitor these
assets for threats.
There’s actually a fourth step: feed what you’ve learned from the
detection/monitoring phase back into the first step. In other words,
you fine-tune the first three steps based on what you learned while
monitoring for threats or other weaknesses.
At Varonis, we take a data-centric view of data security. Through our
products, specifically DatAdvantage, DataPrivilege, DatAlert, and
our Data Classification Engine, we focus protection, and the elimination
or reduction of the risk of theft, on the part of the IT system where it
makes most sense to spend security effort: not at the perimeter, which
can be bypassed, but on the data itself.
Let’s now walk through the plan.
Basic Identification
In order to understand your potential vulnerabilities and risk, it makes
sense to do an inventory of your system, looking for specific assets and
risks. For Varonis, users, groups, and folders are the raw building blocks
used in all our risk reporting.
As a first step in complying with the GDPR, you’ll want to review basic
file system asset and account information. The following reports
generated by DatAdvantage can be of great help.
With DatAdvantage’s 4g report, Varonis lets security staff quickly
discover folders containing sensitive GDPR personal data, which is
often scattered across corporate file systems. This is a great way to begin
the process of risk reduction.
Behind the scenes, the Varonis Data Classification Engine has already
scanned the files using filters that match patterns for personal data
identifiers (phone numbers, account numbers, and so on) and rated the
files by the number of hits.
Classification Results (Selected Rules) | Hit Count | Risk % | Files with Hits | Scan Priority
GDPR UK (258/258), GDPR Belgium (120/120), GDPR Poland (120/120), American Express (122/122), DE Personal Data Protection (120/120), MasterCard (175/175), PCI Data Security Standards (PCI-DSS) (743/743), DE Landline Phone Numbers (120/120), Visa (322/322) | 2100 | 5.69 | 6 | 252
GDPR UK (134/134), GDPR Belgium (100/100), GDPR Poland (100/100), American Express (102/102), DE Personal Data Protection (100/100), MasterCard (102/102), PCI Data Security Standards (PCI-DSS) (446/446), DE Landline Phone Numbers (100/100), Visa (322/322) | 1394 | 3.77 | 2 | 254
DatAdvantage 4g report shows data classification results
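To make the hit-count rating concrete, here is an added example (not Varonis code, and not the Data Classification Engine’s own rules) that scans constructed file contents with a few pattern rules, validates each candidate match with a Luhn or IBAN mod-97 check so that random digit runs are not counted, and ranks files by total hits the way the 4g summary does. The rule names borrow the labels from the report above; the regular expressions, validators, file paths and file contents are this example’s own assumptions.

```python
import re
from collections import Counter


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace
    letters with 10..35, and the resulting integer must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def _digits(match: str) -> str:
    return re.sub(r"[ -]", "", match)


# (rule name, candidate pattern, validator). Rules run in this order and each
# confirmed match is blanked out, so the broad phone pattern cannot re-match
# the digit groups of a card number or IBAN it would otherwise overlap.
RULES = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"), iban_ok),
    ("Visa", re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"), lambda m: luhn_ok(_digits(m))),
    ("MasterCard", re.compile(r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"), lambda m: luhn_ok(_digits(m))),
    ("DE Landline Phone Numbers", re.compile(r"(?<![\d/])(?:\+49 ?|0)\d{2,5}[ /-]?\d{4,8}\b"), lambda m: True),
]


def classify_text(text: str) -> Counter:
    """Return {rule name: confirmed hit count} for one file's contents."""
    hits = Counter()
    buf = text
    for name, pattern, validate in RULES:
        for m in list(pattern.finditer(buf)):   # positions stay valid: blanking keeps the length
            if validate(m.group(0)):
                hits[name] += 1
                buf = buf[:m.start()] + " " * (m.end() - m.start()) + buf[m.end():]
    return hits


def classify_corpus(files: dict) -> list:
    """Rank files with at least one confirmed hit by total hits, highest first,
    the same ordering the 4g summary uses to prioritise remediation."""
    rows = []
    for path, content in files.items():
        hits = classify_text(content)
        total = sum(hits.values())
        if total:
            rows.append({"path": path, "hits": dict(hits), "total": total})
    rows.sort(key=lambda r: r["total"], reverse=True)
    return rows


# Constructed sample corpus: paths, numbers and text are made up for the example.
# 4111 1111 1111 1111, 5555 5555 5555 4444 and DE89 3704 0044 0532 0130 00 are the
# usual test values that pass their checksums; ...1112 fails Luhn on purpose.
SAMPLE_FILES = {
    r"C:\share\finance\refunds.txt": (
        "Refund to card 4111 1111 1111 1111 and 5555 5555 5555 4444. "
        "Bank: DE89 3704 0044 0532 0130 00. Contact 030 1234567 or +49 30 87654321."
    ),
    r"C:\share\projects\notes.txt": "Ticket 4111 1111 1111 1112 is a task id, not a card. Call 0221 9876543.",
    r"C:\share\projects\readme.txt": "No personal data here.",
}

if __name__ == "__main__":
    for row in classify_corpus(SAMPLE_FILES):
        print(row["total"], row["path"], row["hits"])
```

The ordering of the rules matters: the IBAN and card patterns are confirmed first and blanked out, so the looser phone pattern never counts the account-number part of an IBAN as a German landline. The "task id" in notes.txt has the right shape for a Visa number but fails Luhn, so it is not reported; that is the difference between a raw regex hit and a classification hit.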
To help specifically in identifying GDPR personal data, Varonis
introduced GDPR Patterns. It lets organizations discover GDPR personal
data, from national identification numbers to IBANs to blood type to
credit card information. This means that you’ll be able to generate
different reports on GDPR personal data, including permissions, open
access, and the last time it was accessed, or “staleness”.
Which GDPR data is no longer needed?
For folders, report 4f provides access paths, size, number of subfolders,
and the share path. By setting a last-access-time search criterion, you
can also produce a list of folders that are rarely used, so-called “stale
data”. As we’ll see in the next section, this information helps in
minimizing data security risks.
Where is GDPR data overexposed?
Also very useful is the 4b report. It shows the permissions for a given
directory, optionally breaking out the groups on the ACLs. It also provides
recommendations on group membership and permissions. If the access
controls for a known critical data set are to be inspected and adjusted
quickly, the 4b report will serve that purpose best.
The previous reports provide some core identification information
that can then be used in the remediations of the Protect phase.
As a reminder, the GDPR legislates common IT security practices:
“implement appropriate technical and organisational measures”.
DatAdvantage reports on widely exposed sensitive data, true group
membership lists, and stale data and user accounts will help the IT group
implement these measures.
Identification and Risk
While the basic reports provide a good starting point, IT security staff
will need to dig deeper into the file system in order to identify sensitive
or critical data that can be a source of risk.
Generally, they’re looking for personally identifiable information (PII), or
personal data as it’s referred to in the GDPR, such as email addresses,
phone numbers, driver’s license numbers, and national identification numbers.
As we all know from major breaches over the last few years, poorly
protected folders (folders or directories with permissions that are
far more generous than they need to be) are where the action is
for hackers. Once they get in, hackers simply leverage the access
permissions of the account they’ve taken over.
To help you dig deeper beyond the 4g report, the DatAdvantage 4a
report is the go-to report for finding globally exposed GDPR-style data
within specific files.
Figure 3: DatAdvantage 4a report shows files with sensitive data that is globally available.
Access Path | User/Group | Current Permissions | Total Hit Count (inc. subfolders) | Classification Results
rojects11.txt (1), Abstract | Everyone | FMRWX | 10 | GDPR UK (2/2), MasterCard (2/2), DE Personal Data Protection (5/5), Visa (1/1)
C:share84ProjectData.txt (1), Abstract | Everyone | FMRWX | 113 | GDPR Belgium (16/16), GDPR Poland (16/16), DE Personal Data Protection (17/17), MasterCard (5/5), PCI Data Security Standards (PCI-DSS) (16/16), DE Landline Phone Numbers (16/16), Visa (11/11)
There’s significant risk in having GDPR personal data in files accessible
to everyone in the organization. DatAdvantage’s 4a report shows you
these files. It is also possible to configure the 4a report to display only
folders that contain globally accessible GDPR personal data.
It can be used instead of the 4g report (from above) to provide a
more focused initial overview of your environment. By the way, as
you become more familiar with DatAdvantage’s flexible reporting
filters, you’ll likely find your own approach for your organization’s GDPR
security program.
We now have folders that are a potential source of data security risk.
What else do we want to identify?
The users who have accessed these folders are a good starting point.
There are a few ways to do this with DatAdvantage, but let’s just work
with the raw access audit log of every file event on a server, which is
available in the 2a report. By adding a directory path filter, you can
narrow down the results to a specific folder.
Figure 4: DatAdvantage 2a report shows access events for folders containing GDPR personal data.
Date | User Name | File Server | Access Path | Event Type | Event Count
7/6/2015 | corp.localAlice Tanner | Corpfs02b | C:SharelegalCorporateFinance | All event types | 9
7/10/2015 | corp.localAlice Tanner | Corpfs02b | C:SharelegalCorporateFinance | All event types | 35
7/2/2015 | corp.localAlice Tanner | Corpfs02b | C:SharelegalCorporateFinance | All event types | 20
7/10/2015 | corp.localAlice Tanner | Corpfs02b | C:SharelegalCorporateDistrobution Agreements DISTRIB (TEXIM EUROPE) V1 REVI.txt | All event types | 1
1/7/2016 | corp.localAlice Tanner | Corpfs02b | C:SharelegalCorporateCLA USES | File opened | 1
Stale user accounts are another overlooked scenario that has potential
risk. Essentially, user accounts are often not disabled or removed
when an employee leaves the company or a contractor’s temporary
assignment is over.
For the proverbially disgruntled employee, it’s not unusual for this
former insider to still have access to his account after leaving the
company. Or for hackers to gain access to a no-longer used third-
party contractor’s account and then leverage that to hop into their real
target. In the Protect phase, we'll cover how Varonis can let you quickly
disable these accounts.
A full risk assessment program would also include identifying external
threats—new malware and new hacking techniques. It’s a separate
function from data asset identification. With this new real-world threat
intelligence, you then re-adjust the risk levels you’ve initially set and
then re-strategize. You’re doing this on a continual basis since it’s an
endless game of cyber cat-and-mouse with the hackers.
Prevent
The second phase of the Varonis GDPR methodology involves
restructuring permissions, locking down or reducing overly exposed
personal data, and identifying data owners to ensure that the proper
preventive controls are in place. This eliminates areas of high
risk, reduces the potential attack surface, simplifies the
environment, and begins involving stakeholders outside of IT security.
In this phase, you’re also supporting a key GDPR principle,
minimization: taking the file and account information and looking for
ways to minimize who has access to personal data and to reduce the
amount of sensitive data held.
Let’s see how we can do that in the Prevent phase.
One of the critical controls in this area is limiting access to only
authorized users. This is easier said than done, but we’ve already laid the
groundwork above.
The guiding principles are least-privileged access and role-based
access control. In short: give users just the access they need to do
their jobs or carry out their roles.
Since we’re now at a point where we are about to take a real action,
we’ll need to shift from the DatAdvantage Reports section to the
Review area of DatAdvantage.
DatAdvantage provides graphical support for helping to identify
data ownership.
If you want to get more granular than just seeing who’s been accessing
a folder, you can view the actual access statistics of the top users with
the Statistics tab in DatAdvantage.
This is a great help in understanding who is really using the folders.
The ultimate goal is to find the true users, and remove extraneous
groups and users, who perhaps needed occasional access but not as
part of their job role.
The key point is to first determine the folder’s owner — the one who
has the real knowledge and wisdom of what the folder is all about. This
may require some legwork on IT’s part in talking to the users, based on
the DatAdvantage stats, and working out the real-chain of command.
Once you use DatAdvantage to set the folder owners, these more
informed power users, as we’ll see, can independently manage who
gets access and whose access should be removed. The folder owner
will also automatically receive DatAdvantage reports, which will help
guide them in making future access decisions.
There’s another important point to make before we move on. IT has
long been responsible for provisioning access without knowing the
business purpose. Varonis DatAdvantage assists IT in finding these
owners, then helps the owners minimize or limit access and
formally manage the granting of access.
Another way DatAdvantage assists data owners is through its
automated recommendation engine. Owners often find these
recommendations helpful because they can easily spot users that have
changed roles, no longer need access, etc. The 4b report from the last
section would be helpful here since it lists ACL recommendations.
The DatAdvantage Work Area tab also directly provides
similar information.
Anyway, once the owner has done the housekeeping of restricting and
removing unnecessary users and groups, they’ll then want to put into
place a process for permission management.
Data standards and laws, such as GDPR, recognize the importance of
having security policies and procedures as part of on-going program –
i.e., not something an owner does once a year.
Varonis has an important part to play here as well.
DatAdvantage 4g shows data classification results
Maintaining Least-Privileged Access
How do ordinary users whose job role now requires them to access a
managed folder request permission from the owner?
This is where Varonis DataPrivilege enters the scene. Regular users
interact with DataPrivilege to request access to a managed folder, and
DataPrivilege then manages the workflow process.
The owner of the folder has a parallel interface from which to receive
these requests and then grant or revoke permissions. The goal here is
to automate the workflow for enabling access permissions to be limited
to those who truly need it.
Another way to maintain least privilege access is to disable stale or
inactive accounts. They can be a potential security risk. For these
accounts, DatAdvantage lets you directly disable them through its
online interface, thereby saving you the extra step from having to go
into a directory service, say Active Directory!
Minimize Sensitive Data
Minimization is an important theme in security standards and laws.
These ideas are best represented in the principles of Privacy by Design
(PbD), which has good overall security advice: minimize the sensitive
data you collect, minimize who gets to see it, and minimize how long
you keep it.
In the case of GDPR these ideas are directly mentioned in “Data
Protection by Design and Default” (Article 25).
We’ve already seen how DatAdvantage can help minimize who gets
access. Another PbD principle is to reduce security risks by deleting or
archiving unnecessary or stale sensitive data embedded in files.
This makes obvious sense. Stale GDPR personal data
can, for example, be consumer identifiers collected in short-term
marketing campaigns but now residing in rarely used spreadsheets or
management presentations.
Your organization may no longer need it, but it’s just the kind of
monetizable data that hackers love to get their hands on.
DatAdvantage can find and identify file data that hasn’t been used
since a given threshold date. Can the DatAdvantage 4f report (from
the previous section) be adjusted to find stale data that is also GDPR
personal data?
Yes.
You need to add the “hit count” filter and set the number of sensitive
data matches to an appropriate number.
The next step is to use the Data Transport Engine (DTE) available in
DatAdvantage (from the Tools menu). DTE allows you to create a rule
that will search for files to archive and, if necessary, delete.
The rule’s search criteria mirror the filters used in generating the
sensitive data reports in the previous section. The rule does the real
heavy lifting of detecting and removing the stale, sensitive data.
Since the rule can be saved, it can be rerun to enforce the
retention limits. Even better, DTE can run the rule automatically on
a periodic basis, so that stale GDPR personal data does not accumulate
in your file system. Because the rule moves or deletes data, review its
scope (and any legal holds on the folders it targets) before enabling
periodic runs.
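The two joins behind the views described in the Identification and Risk section (the 4a-style check for globally accessible GDPR data) and in this section (the 4f-style last-access plus hit-count filter, and the DTE rule built from the same criteria), written out as an added example. This is not Varonis code: the inventory rows, server and folder names, the set of principals treated as “open”, the one-year idle window, and the archive location are all constructed for the example.

```python
from datetime import date, timedelta

# Assumed as-of date for the stale-data check (the GDPR effective date).
TODAY = date(2018, 5, 25)

# Principals that make a folder "globally" accessible; extend for your own domain.
OPEN_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed inventory: one row per folder with its ACL, the number of GDPR
# pattern hits found by classification, the last access date, and whether the
# folder is under a legal hold. Server, paths and values are made up.
INVENTORY = [
    {"path": r"\\corpfs02b\share\legal\clauses",
     "acl": [(r"CORP\Legal", "RWX"), ("Everyone", "RX")],
     "gdpr_hits": 42, "last_access": date(2018, 3, 2), "legal_hold": False},
    {"path": r"\\corpfs02b\share\marketing\campaign2016",
     "acl": [(r"CORP\Marketing", "RWX")],
     "gdpr_hits": 120, "last_access": date(2016, 11, 30), "legal_hold": True},
    {"path": r"\\corpfs02b\share\projects\data",
     "acl": [("Everyone", "FMRWX")],
     "gdpr_hits": 113, "last_access": date(2016, 9, 1), "legal_hold": False},
    {"path": r"\\corpfs02b\share\hr\onboarding",
     "acl": [(r"CORP\HR", "RWX")],
     "gdpr_hits": 9, "last_access": date(2018, 5, 20), "legal_hold": False},
]


def globally_exposed(rows, min_hits=1):
    """4a-style view: folders that hold GDPR hits and grant an open principal any access."""
    return [r["path"] for r in rows
            if r["gdpr_hits"] >= min_hits
            and any(principal in OPEN_PRINCIPALS for principal, _ in r["acl"])]


def stale_sensitive(rows, today=TODAY, max_idle_days=365, min_hits=1):
    """4f-style view with the hit-count filter: GDPR data not accessed within the window."""
    cutoff = today - timedelta(days=max_idle_days)
    return [r["path"] for r in rows
            if r["gdpr_hits"] >= min_hits and r["last_access"] < cutoff]


def transport_plan(rows, today=TODAY, max_idle_days=365, min_hits=1,
                   archive_root=r"\\corpfs02b\archive"):
    """DTE-style rule, as a dry run: list the (source, destination) moves for
    stale sensitive folders and keep anything under legal hold out of the plan.
    Rerunning it after each scan is what enforces the retention limit."""
    plan = {"archive": [], "held": []}
    stale = set(stale_sensitive(rows, today, max_idle_days, min_hits))
    for r in rows:
        if r["path"] not in stale:
            continue
        if r["legal_hold"]:
            plan["held"].append(r["path"])
            continue
        leaf = r["path"].rsplit("\\", 1)[1]
        plan["archive"].append((r["path"], archive_root + "\\" + leaf))
    return plan


if __name__ == "__main__":
    print("globally exposed:", globally_exposed(INVENTORY))
    print("stale sensitive: ", stale_sensitive(INVENTORY))
    print("transport plan:  ", transport_plan(INVENTORY))
```

The projects folder shows up in both views: it is open to Everyone and has not been touched in over a year, which is exactly the combination that the paper’s Protect phase targets first. The marketing folder is stale as well, but the legal-hold flag keeps it out of the archive plan; that is the check worth having before a rule like this is scheduled to run unattended.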
Right to be Forgotten
Varonis can also help to meet another GDPR requirement, the “Right
to Erasure or Right to be Forgotten” (Article 17).
Under the GDPR, consumers have the right to request the deletion
of personal data related to them. This requirement covers not only
removal of personal data from structured databases but also within
file systems.
While it’s possible to add new classification rules to find a specific
customer requesting deletion (say, using their name or account number
as the search criteria), an easier way to meet the right to erasure is
through Varonis DatAnswers, our intelligent search engine for
scanning files.
Just as you would enter keywords into, say, Google, you can use
DatAnswers to find the files where the personal data of a customer
requesting erasure is located. You can then quarantine the files and
adjust their contents.
Monitor
No data security strategy is foolproof, so you need a secondary
defense based on detection and monitoring controls: effectively you’re
watching the system and looking for unusual activities that would
indicate hacking.
Varonis DatAlert has a unique role to play in breach detection
because its underlying security platform is based on monitoring file
system activities.
By now everyone knows (or should know) that phishing and injection
attacks allow hackers to get around network defenses by borrowing
existing users’ credentials, and that fully undetectable (FUD) malware
lets them avoid detection by virus scanners.
So how do you detect the new generation of stealthy attackers?
No attacker can avoid using the file system to load their software,
copy files, and crawl a directory hierarchy looking for sensitive data to
exfiltrate. If you can spot their distinctive file activity patterns, then you
can stop them before they remove or exfiltrate the data, or at least limit
the data exposure.
We can’t cover all of DatAlert’s capabilities but since it has deep
insights into all file system information and events, and histories of user
behaviors, it’s in a powerful position to determine what’s out of the
normal activity range for a user account.
We call this user behavior analytics or UBA, and DatAlert comes
bundled with a suite of UBA threat models. You’re free to add your
own, of course, but the pre-defined models are quite powerful as is.
They include detecting crypto intrusions, ransomware activity, unusual
user access to sensitive data, unusual access to files containing
credentials, and more.
All the alerts that are triggered can be tracked from the DatAlert
Dashboard. IT staff can either intervene and respond manually or
set up scripts to run automatically — for example, automatically
disable accounts.
The GDPR breach notification requirements (Articles 33 and 34) require
the supervisory authority to be notified of the nature of the breach,
the categories of data and approximate number of records affected, and the
measures taken to address the breach.
DatAlert can provide this information as well as respond to the
breach through automated scripts.
Here are a few examples of the threat models that can be detected and acted on:

Threat Model: Abnormal behavior: Access to an unusual number of idle GDPR files
Description: A statistically significant increase was detected in the number of idle GDPR files opened by the user, compared to their behavioral profile. Idle files are files the user did not create, did not modify as part of this access, and had not accessed for a long time before this alert (though other users may have accessed them recently). This may indicate an attacker searching for sensitive data assets to which they have access, in order to exfiltrate the data.

Threat Model: Abnormal behavior: Unusual number of GDPR files with denied access
Description: A statistically significant increase was detected in the number of GDPR files a user failed to access. This may indicate an attacker searching for and trying to gain access to various data assets in order to exfiltrate data.

Threat Model: Abnormal behavior: Unusual number of GDPR files deleted or modified
Description: A statistically significant increase was detected in the number of GDPR files deleted or modified by the user, compared to their behavioral profile. This may indicate an attacker attempting to damage or destroy critical data assets as part of a denial-of-service attack.

Threat Model: Abnormal service behavior: Access to atypical folders containing GDPR data
Description: A service account accessed folders containing GDPR data that it had not accessed previously. Service accounts can be expected to perform the same actions repeatedly; therefore, a behavioral change is suspicious. Attackers may impersonate a service account and exploit its privileges.
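An added example, not Varonis or DatAlert code, of the baseline-and-deviation logic behind the first and last of these models, run over a constructed audit trail. The folder list (assumed to come from the classification step), the account names, the thresholds, and the working definition of “idle” (not touched by that user in 30 days) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed output of the classification step: folders known to hold GDPR data.
GDPR_FOLDERS = {
    r"\\corpfs02b\share\legal\clauses",
    r"\\corpfs02b\share\hr\onboarding",
    r"\\corpfs02b\share\finance",
}
SERVICE_ACCOUNTS = {r"corp.local\svc-backup"}


def build_sample_events():
    """Constructed audit trail as (timestamp, user, event, path) tuples: ten
    quiet days, then one day with a crawl by a user account and a service
    account stepping outside its routine."""
    alice, svc = r"corp.local\alice", r"corp.local\svc-backup"
    base = datetime(2018, 5, 14, 9, 0)
    events = []
    for day in range(10):
        t = base + timedelta(days=day)
        for i in range(2):   # the two contracts Alice works on every day
            events.append((t + timedelta(minutes=i), alice, "open",
                           rf"\\corpfs02b\share\legal\clauses\c{i}.docx"))
        if day % 2 == 0:     # an old file she has not touched in a long time
            events.append((t + timedelta(minutes=30), alice, "open",
                           rf"\\corpfs02b\share\legal\clauses\old{day}.docx"))
        events.append((t + timedelta(hours=13), svc, "open",   # nightly backup job
                       r"\\corpfs02b\share\finance\ledger.xlsx"))
    spike = base + timedelta(days=10)
    for i in range(12):      # Alice (or whoever holds her credentials) crawls HR files
        events.append((spike + timedelta(minutes=i), alice, "open",
                       rf"\\corpfs02b\share\hr\onboarding\emp{i}.pdf"))
    events.append((spike + timedelta(hours=13), svc, "open",   # the job reads a new folder
                   r"\\corpfs02b\share\hr\onboarding\emp3.pdf"))
    return sorted(events)


def detect(events, idle_days=30, z_threshold=3.0, min_count=5, min_history_days=5):
    """Replay events in time order. A file is 'idle' for a user when that user
    has not touched it within idle_days. Each user's daily count of idle GDPR
    opens is compared with the mean and standard deviation of their own earlier
    days; a count that is both large (min_count) and more than z_threshold
    standard deviations above the mean raises one alert for that day. Service
    accounts raise an alert on the first GDPR folder outside their history."""
    alerts, fired = [], set()
    last_seen = {}                                        # (user, path) -> last access
    first_day = {}                                        # user -> first day observed
    idle_opens = defaultdict(lambda: defaultdict(int))    # user -> day -> count
    svc_folders = defaultdict(set)                        # service account -> folders seen
    for ts, user, event, path in events:
        day = ts.date()
        first_day.setdefault(user, day)
        folder = path.rsplit("\\", 1)[0]
        gdpr = folder in GDPR_FOLDERS
        prev = last_seen.get((user, path))
        last_seen[(user, path)] = ts
        if event == "open" and gdpr and (prev is None or ts - prev > timedelta(days=idle_days)):
            idle_opens[user][day] += 1
            count = idle_opens[user][day]
            n_days = (day - first_day[user]).days
            history = [idle_opens[user].get(first_day[user] + timedelta(days=d), 0)
                       for d in range(n_days)]
            key = ("idle-gdpr", user, day)
            if n_days >= min_history_days and count >= min_count and key not in fired:
                mu, sd = mean(history), pstdev(history)
                if count > mu + z_threshold * sd:
                    fired.add(key)
                    alerts.append({"model": "Access to an unusual number of idle GDPR files",
                                   "user": user, "day": day, "count": count,
                                   "baseline_mean": round(mu, 2), "baseline_sd": round(sd, 2)})
        if user in SERVICE_ACCOUNTS and gdpr:
            seen = svc_folders[user]
            if seen and folder not in seen:
                alerts.append({"model": "Service account accessed an atypical GDPR folder",
                               "user": user, "day": day, "folder": folder})
            seen.add(folder)
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Two details carry the weight here. The profile is built from the user’s own history, so the first days of activity only train it and cannot alert; and the absolute floor (min_count) stops a user whose baseline is near zero from alerting on a single extra file, which is where a pure z-score model generates noise. The service-account model needs no statistics at all: a new folder is enough, because the job’s legitimate behaviour is repetitive by construction.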
To help meet the GDPR’s 72-hour window for providing information to
the data protection authorities, DatAlert lets you fine-tune the threat models to
focus just on GDPR personal data. In other words, you can get alerts
for, say, unusual file access to a folder containing phone or national
ID numbers.
Figure 9: DatAlert can be configured to trigger on threats affecting GDPR personal data.
Other Considerations
It’s important to keep in mind that the GDPR is not a security standard.
It provides guidance, enforced by the EU regulators, to
help ensure that personal data is protected.
The GDPR asks you to “implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk”; see
Security of Processing (Article 32). The GDPR also says you
need a process for “regularly testing, assessing and evaluating the
effectiveness of technical and organisational measures”.
In other words, data security is something you do a continual basis.
We’ve shown in this white paper how Varonis software can help you
in a GDPR data security program. We didn’t cover all of Varonis’s
capabilities, and if you want more details, you can refer to our Varonis
Operational Plan. Ask our sales staff for a copy.
Many large organizations have likely been relying on existing data
security standards, such as PCI DSS or ISO 27001, and have already
implemented many of the detailed security controls in these standards.
If that’s the case, you’ll now need to focus these controls more
specifically on the protection of GDPR personal data.
The GDPR offers through its approved “codes of conduct” – see Article
40 – a way to gain “credit” for existing compliance.
Article 40 says that standards associations can submit their security
controls, say PCI DSS, to the European Data Protection Board
(EDPB) for approval. If a company then follows an officially approved
“code of conduct”, then this can dissuade regulators from taking
actions, including issuing fines, as long as the standards group — for
example, the PCI Security Standards Council — has its own monitoring
mechanism to check on compliance.
The GDPR, though, goes a step further. It leaves open a path to official
certification of the data operations of a company, or as the GDPR refers
to it, a controller.
In effect, the regulators have the power (through Article 42) to certify
a controller’s operations as GDPR compliant. The EU regulators can
also accredit certification bodies (Article 43), for example standards
organizations such as PCI or ISO, to issue these certifications directly.
The certifications expire after three years, at which point the
company will need to re-certify.
These certifications are entirely voluntary, but there are obvious benefits for
many companies. The intent is to leverage the private sector’s existing
data standards and give companies a more practical approach to
compliance with the GDPR’s technical and administrative requirements.
The EDPB is also expected to develop certification marks and seals for
consumers, as well as a registry of certified companies.
We’ll have to wait for more details to be published by the regulators on
GDPR certification.
Get a GDPR Readiness Assessment

Live Demo
Set up Varonis in your own environment and see how to stop ransomware and protect your data.
info.varonis.com/demo

Data Risk Assessment
Get your risk profile, discover where you’re vulnerable, and fix real security issues.
varonis.com/gdpr-ra

Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
 
May 6 evolving international privacy regulations and cross border data tran...
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Addressing analytics, data warehouse and Big Data challenges beyond database ...
Addressing analytics, data warehouse and Big Data challenges beyond database ...Addressing analytics, data warehouse and Big Data challenges beyond database ...
Addressing analytics, data warehouse and Big Data challenges beyond database ...
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
 
Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeo
 
Isaca new delhi india privacy and big data
Isaca new delhi india   privacy and big dataIsaca new delhi india   privacy and big data
Isaca new delhi india privacy and big data
 
Data- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offerData- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offer
 

Similar to GDPR compliance with Varonis

Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessSirius
 
GDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistGDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistNetworkIQ
 
Data-Centric Security | Seclore
Data-Centric Security | Seclore Data-Centric Security | Seclore
Data-Centric Security | Seclore Seclore
 
GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.James Seville
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemIlonaThornburg83
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPRMissMarvel70
 
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...ARMA International
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london   data protection, security and privacy risks - on premis...Jul 16 isaca london   data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Ulf Mattsson
 
Preparing for GDPR Compliance...
Preparing for GDPR Compliance...Preparing for GDPR Compliance...
Preparing for GDPR Compliance...James Ward
 
GDPR READY SOLUTION FOR UNSTRUCTURED DATA
GDPR READY SOLUTION FOR UNSTRUCTURED DATAGDPR READY SOLUTION FOR UNSTRUCTURED DATA
GDPR READY SOLUTION FOR UNSTRUCTURED DATAXeniT Solutions nv
 
The 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseThe 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseElizabeth Dimit
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
 
Convince your board - Ten steps to GDPR compliance
Convince your board  - Ten steps to GDPR complianceConvince your board  - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR complianceDave James
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Adriana Sanford
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 

Similar to GDPR compliance with Varonis (20)

Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR
 
IDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPRIDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPR
 
GDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation ChecklistGDPR 9 Step SIEM Implementation Checklist
GDPR 9 Step SIEM Implementation Checklist
 
Data-Centric Security | Seclore
Data-Centric Security | Seclore Data-Centric Security | Seclore
Data-Centric Security | Seclore
 
GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.
 
GDPR Webinar - feb
GDPR Webinar - febGDPR Webinar - feb
GDPR Webinar - feb
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPR
 
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london   data protection, security and privacy risks - on premis...Jul 16 isaca london   data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...
 
Preparing for GDPR Compliance...
Preparing for GDPR Compliance...Preparing for GDPR Compliance...
Preparing for GDPR Compliance...
 
GDPR READY SOLUTION FOR UNSTRUCTURED DATA
GDPR READY SOLUTION FOR UNSTRUCTURED DATAGDPR READY SOLUTION FOR UNSTRUCTURED DATA
GDPR READY SOLUTION FOR UNSTRUCTURED DATA
 
The 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseThe 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident Response
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
Convince your board - Ten steps to GDPR compliance
Convince your board  - Ten steps to GDPR complianceConvince your board  - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR compliance
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 

Recently uploaded

Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargainingbartzlawgroup1
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersJillianAsdala
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxadvabhayjha2627
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfKelechi48
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理ss
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.tanughoshal0
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...Finlaw Associates
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)Delhi Call girls
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理Airst S
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentationKhushdeep Kaur
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteDeepikaK245113
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdfSUSHMITAPOTHAL
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理e9733fc35af6
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理Airst S
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptJosephCanama
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书irst
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategyJong Hyuk Choi
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptxPamelaAbegailMonsant2
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxelysemiller87
 

Recently uploaded (20)

Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargaining
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statute
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 

GDPR compliance with Varonis

Overview

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will finally go into effect. It will be the most dramatic change in EU data security and privacy law in over 20 years. Building on the existing Data Protection Directive, the GDPR will enhance existing data security and privacy protections and adds some significant new requirements, including 72-hour breach notification and mandatory fines.

The GDPR is not a completely new model for data security but instead builds on ideas from Privacy by Design (PbD) and other data security principles. Broadly speaking, you could say that the GDPR simply turns IT practices and data security ideas into law. In fact, the GDPR (see Article 40) will eventually allow companies (or in EU-speak, data controllers) to show compliance with the GDPR through compliance with existing data standards, say ISO 27001 or PCI-DSS.

Is there an approach to data security that could encompass many different standards and laws, including the GDPR, and that could be the basis of your organization's program?

Data security researchers (see, for example, NIST's Cybersecurity Framework) generally organize data standards into broader categories. Here are three that usually show up on these lists.

1. Detect – Identify or spot vulnerabilities by analyzing file systems, directory services, account activity, and user behavior. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
2. Prevent/Protect – Limit the potential damage of future breaches by locking down sensitive and stale data, reducing broad and global access, and simplifying permissions.
3. Sustain – Maintain a secure state by automating authorization workflows, regular entitlement reviews, and the retention and disposition of data. Monitor unusual user and system behaviors.
Of course, the GDPR is not an explicit data compliance standard with hundreds of sub-controls. Instead, its requirements are in the form of articles, offering general goals that have to be achieved, but not saying how to achieve them. For more detailed insights into the GDPR, we recommend reading our white paper, EU General Data Protection Regulation: The New Rules for EU Data Security.

With this categorization scheme, we now have a formula for organizing the key GDPR requirements and a plan of attack:

[Table: GDPR Article / Varonis Product(s), with the articles grouped under Detect, Protect and Sustain. Articles listed: Security of Processing (Article 32); Impact Assessment (Article 35); Notification of a personal data breach to the authority (Article 33); Communication of a personal data breach to the data subject (Article 34); Data Protection by Design and Default (Article 25); Right to Erasure (Article 17); Records of Processing (Article 30). Products listed: DatAdvantage, GDPR Patterns, DatAlert, DatAdvantage, DataPrivilege, Data Transport Engine, DatAnswer.]
To summarize the three-step plan to meet the GDPR: identify assets at risk, protect those assets by maintaining appropriate permissions and employing other Privacy by Design principles, and finally monitor these assets for threats. There's actually a fourth step: feed what you've learned from the detection/monitoring phase back into the first step. In other words, you fine-tune the first three steps based on what you learned while monitoring for threats or other weaknesses.

At Varonis, we take a data-centric view of data security. Through our products, specifically DatAdvantage, DataPrivilege, DatAlert, and our Data Classification Engine, we're able to eliminate or reduce the risk of theft in the part of the IT system where it makes most sense to focus security efforts: not at the perimeter, which can be bypassed, but on the data itself.

Let's now walk through the plan.
Basic Identification

In order to understand your potential vulnerabilities and risk, it makes sense to do an inventory of your system, looking for specific assets and risks. For Varonis, users, groups, and folders are the raw building blocks used in all our risk reporting.

As a first step in complying with the GDPR, you'll want to review basic file system asset and account information. The following reports generated by DatAdvantage can be of great help.

With DatAdvantage's 4g report, Varonis lets security staff quickly discover folders containing sensitive GDPR personal data, which is often scattered across corporate file systems. This is a great way to begin the process of risk reduction. Behind the scenes, the Varonis Data Classification Engine has already scanned files using special filters that identify patterns for personal data identifiers (phone numbers, account numbers, and so on) and rated the files based on the number of hits.

DatAdvantage 4g shows data classification results:

Classification Results (Selected Rules) | Hit Count | Risk % | Files with Hits | Scan Priority
--- | --- | --- | --- | ---
GDPR UK (258/258), GDPR Belgium (120/120), GDPR Poland (120/120), American Express (122/122), DE Personal Data Protection (120/120), MasterCard (175/175), PCI Data Security Standards (PCI-DSS) (743/743), DE Landline Phone Numbers (120/120), Visa (322/322) | 2100 | 5.69 | 6 | 252
GDPR UK (134/134), GDPR Belgium (100/100), GDPR Poland (100/100), American Express (102/102), DE Personal Data Protection (100/100), MasterCard (102/102), PCI Data Security Standards (PCI-DSS) (446/446), DE Landline Phone Numbers (100/100), Visa (322/322) | 1394 | 3.77 | 2 | 254
To help specifically in identifying GDPR personal data, Varonis introduced GDPR Patterns. It lets organizations discover GDPR personal data, from national identification numbers to IBANs to blood type to credit card information. This means that you'll be able to generate different reports on GDPR personal data, including permissions, open access, and the last time it was accessed, or "staleness".

Which GDPR data is no longer needed? For folders, report 4f provides access paths, size, number of subfolders, and the share path. By setting a last-access-time search criterion, one can also produce a list of folders that are rarely used: "stale data". As we'll see in the next section, this information helps in minimizing data security risks.

Where is GDPR data overexposed? Also very useful is the 4b report. It shows the permissions for a given directory, optionally breaking out the groups on the ACLs into their members. It also provides recommendations for group membership and permissions. If the access controls for a known critical data set are to be inspected and adjusted quickly, the 4b report will serve that purpose best.

The previous reports provide some core identification information that can then be used in the remediations of the Protect phase. As a reminder, the GDPR legislates common IT security practices ("implement appropriate technical and organisational measures", Article 32). DatAdvantage reports on widely exposed sensitive data, true group membership lists, and stale data and user accounts will help IT groups implement these measures.
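The two sections above describe pattern-based classification: scan every file for personal-data identifiers, count the hits, and rank files by hit density. The script below is an added example written for this page, not Varonis code, and it is not how the Data Classification Engine or GDPR Patterns are implemented. It shows the one detail that separates a usable scanner from a noisy one: identifiers that carry a checksum (payment card numbers via Luhn, IBANs via ISO 13616 mod-97) are validated before they count as hits, so a sixteen-digit ticket number is not reported as a card. The rule names, the simplified regular expressions (the UK National Insurance pattern in particular is looser than the real format), the directory layout and the file contents are all constructed for the example; the IBAN and card number are the standard public test values.

```python
"""Pattern-based personal-data scanner with checksum validation.

Added example, not Varonis code. Rules, sample files and helper names are
constructed for illustration; the classifier logic is a generic sketch of
"match identifier patterns, count hits per file, rank files by hits".
"""
import os
import re
import tempfile
from collections import Counter

RULES = {  # rule name -> pattern; assumed, simplified patterns
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "UK National Insurance": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "Payment card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check, so a random 16-digit run is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, replace
    letters with 10..35, and the resulting integer must leave remainder 1."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


VALIDATORS = {  # rules whose raw regex matches must also pass a checksum
    "Payment card": lambda m: luhn_ok(re.sub(r"[ -]", "", m)),
    "IBAN": iban_ok,
}


def classify_text(text: str) -> Counter:
    """Hit count per rule for one document; checksum rules drop false positives."""
    hits = Counter()
    for rule, pattern in RULES.items():
        check = VALIDATORS.get(rule, lambda m: True)
        hits[rule] = sum(1 for m in pattern.findall(text) if check(m))
    return +hits  # unary plus drops the zero-count rules


def scan_tree(root: str):
    """Walk a share, classify every readable file and return (path, total, hits)
    rows with the most hit-dense files first, the way the 4g report ranks them."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                rows.append((path, sum(hits.values()), dict(hits)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


SAMPLE_FILES = {  # constructed contents; IBAN and card are public test values
    "hr/payroll.txt": (
        "Alice Tanner <alice.tanner@corp.local>\n"
        "NI: AB123456C  IBAN: GB82WEST12345698765432\n"
        "Card on file: 4111 1111 1111 1111\n"
    ),
    "projects/notes.txt": (
        "Ticket 1234567812345678 is not a card (fails Luhn) and\n"
        "GB00WEST12345698765432 is not an IBAN (fails mod-97).\n"
    ),
    "projects/readme.txt": "Nothing personal in here.\n",
}


def write_samples(root: str) -> None:
    """Materialise the constructed sample share under root."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def demo_scan():
    """Write the samples to a temporary directory and scan them."""
    root = tempfile.mkdtemp()
    write_samples(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, total, hits in demo_scan():
        print(f"{total:4d}  {path}  {hits}")
```

Only payroll.txt is reported (four hits, one per rule); the ticket number and the mis-checksummed IBAN in notes.txt match the patterns but fail validation, which is exactly the false-positive class that makes hit counts unreliable when a scanner relies on regular expressions alone.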
Identification and Risk

While the basic reports provide a good starting point, IT security staff will need to dig deeper into the file system in order to identify sensitive or critical data that can be a source of risk. Generally, they're looking for personally identifiable information (PII) or, as it's referred to in the GDPR, personal data, such as email addresses, phone numbers, driver's license numbers, and national identification numbers.

As we all know from major breaches over the last few years, poorly protected folders (folders or directories with permissions that are far more generous than they need to be) are where the action is for hackers. Once they get in, hackers simply leverage the access permissions of the account they've taken over.

To help you dig deeper beyond the 4g report, the DatAdvantage 4a report is the go-to report for finding globally exposed GDPR-style data within specific files.

Figure 3: DatAdvantage 4a report shows files with sensitive data that is globally available.

Access Path | User/Group | Current Permissions | Total Hit Count (incl. subfolders) | Classification Results
--- | --- | --- | --- | ---
rojects11.txt (1) Abstract | Everyone | FMRWX | 10 | GDPR UK (2/2), MasterCard (2/2), DE Personal Data Protection (5/5), Visa (1/1)
C:share84ProjectData.txt (1) Abstract | Everyone | FMRWX | 113 | GDPR Belgium (16/16), GDPR Poland (16/16), DE Personal Data Protection (17/17), MasterCard (5/5), PCI Data Security Standards (PCI-DSS) (16/16), DE Landline Phone Numbers (16/16), Visa (11/11)
There's significant risk in having GDPR personal data in files accessible to everyone in the organization. DatAdvantage's 4a report shows you these files. It is also possible to configure the 4a report to display only folders that contain globally accessible GDPR personal data. It can be used instead of the 4g report (from above) to provide a more focused initial overview of your environment. By the way, as you become more familiar with DatAdvantage's flexible reporting filters, you'll likely find your own approach for your organization's GDPR security program.

We now have folders that are a potential source of data security risk. What else do we want to identify? Users that have accessed these folders is a good starting point. There are a few ways to do this with DatAdvantage, but let's just work with the raw access audit log of every file event on a server, which is available in the 2a report. By adding a directory path filter, you can narrow down the results to a specific folder.

Figure 4: DatAdvantage 2a report, filtered to folders containing GDPR personal data.

Date | User Name | File Server | Access Path | Event Type | Event Count
--- | --- | --- | --- | --- | ---
7/6/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Finance | All event types | 9
7/10/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Finance | All event types | 35
7/2/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Finance | All event types | 20
7/10/2015 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\Distrobution Agreements\DISTRIB (TEXIM EUROPE) V1 REVI.txt | All event types | 1
1/7/2016 | corp.local\Alice Tanner | Corpfs02b | C:\Share\legal\Corporate\CLAUSES | File opened | 1
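The 4a and 2a reports above are two joins over the same raw material: the file system's ACLs, the classification hit counts, and the audit log. The script below is an added example for this page, not Varonis code, that reproduces both joins over constructed data so the logic is visible. For the 4a view it treats a file as globally exposed when a global trustee has an ACE on the file itself or on an ancestor folder (assuming NTFS inheritance is not blocked below that folder); which trustees count as "global" is an environment assumption, listed in GLOBAL_TRUSTEES. For the 2a view it applies a directory-path filter to the events and aggregates per user, which is the Statistics-tab number the Prevent section relies on. All paths, accounts, ACEs and events are constructed samples shaped like the rows on the page.

```python
"""Global-exposure (4a-style) and path-filtered audit (2a-style) reporting.

Added example, not Varonis code. GLOBAL_TRUSTEES, the dataclasses and all
sample data are assumptions made for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Trustees that make data reachable by the whole organisation. "Domain Users"
# is listed on the assumption that every account is a member of it.
GLOBAL_TRUSTEES = {"Everyone", "Authenticated Users", "CORP\\Domain Users"}


@dataclass(frozen=True)
class Ace:
    path: str      # file or folder the entry is set on
    trustee: str   # user or group
    rights: str    # letters as the page's report shows them: F, M, R, W, X


@dataclass(frozen=True)
class Event:
    when: date
    user: str
    server: str
    path: str
    kind: str      # "File opened", "File modified", ...


def _norm(path: str) -> str:
    # Windows paths compare case-insensitively; fold case and separators.
    return path.replace("/", "\\").lower().rstrip("\\")


def is_under(path: str, folder: str) -> bool:
    """True if path is the folder itself or anything beneath it."""
    p, f = _norm(path), _norm(folder)
    return p == f or p.startswith(f + "\\")


def globally_exposed(aces, hits):
    """4a-style rows (path, trustee, rights, hit_count): every file with hits
    that a global trustee can reach. An ACE on an ancestor folder counts,
    assuming inheritance is not blocked further down the tree."""
    rows = []
    for path, count in hits.items():
        if count <= 0:
            continue
        for ace in aces:
            if ace.trustee in GLOBAL_TRUSTEES and is_under(path, ace.path):
                rows.append((path, ace.trustee, ace.rights, count))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def events_under(events, folder):
    """2a-style filter: raw audit events on a folder or anything beneath it."""
    return [e for e in events if is_under(e.path, folder)]


def access_counts(events, folder):
    """Statistics-tab view: event count per user for the folder subtree."""
    return Counter(e.user for e in events_under(events, folder))


SAMPLE_ACES = [  # constructed
    Ace(r"C:\Share\legal", "CORP\\Legal", "RX"),
    Ace(r"C:\Share\legal\Corporate\Finance", "CORP\\Finance", "M"),
    Ace(r"C:\Share\84\ProjectData.txt", "Everyone", "FMRWX"),
    Ace(r"C:\Share\projects", "CORP\\Domain Users", "R"),
    Ace(r"C:\Share\projects\clients.txt", "CORP\\Alice Tanner", "M"),
]

SAMPLE_HITS = {  # constructed: file -> classification hit count
    r"C:\Share\84\ProjectData.txt": 113,
    r"C:\Share\projects\clients.txt": 17,
    r"C:\Share\legal\Corporate\Finance\budget.xlsx": 40,
}

SAMPLE_EVENTS = [  # constructed, in the shape of the page's 2a rows
    Event(date(2015, 7, 6), "corp.local\\Alice Tanner", "Corpfs02b",
          r"C:\Share\legal\Corporate\Finance\q2.xlsx", "File opened"),
    Event(date(2015, 7, 10), "corp.local\\Alice Tanner", "Corpfs02b",
          r"C:\Share\legal\Corporate\Finance\q2.xlsx", "File modified"),
    Event(date(2015, 7, 10), "corp.local\\Bob Reyes", "Corpfs02b",
          r"C:\Share\legal\Corporate\Finance\q3.xlsx", "File opened"),
    Event(date(2016, 1, 7), "corp.local\\Alice Tanner", "Corpfs02b",
          r"C:\Share\legal\Corporate\CLAUSES\nda.docx", "File opened"),
    Event(date(2016, 1, 8), "corp.local\\Carol Ng", "Corpfs02b",
          r"C:\Share\projects\clients.txt", "File opened"),
]

if __name__ == "__main__":
    for row in globally_exposed(SAMPLE_ACES, SAMPLE_HITS):
        print("EXPOSED", row)
    print(access_counts(SAMPLE_EVENTS, r"C:\Share\legal\Corporate\Finance"))
```

Two things to notice in the output: clients.txt is reported even though no ACE names "Everyone" on the file, because the Domain Users read grant on the parent folder reaches it; and budget.xlsx, which has the second-highest hit count, does not appear at all, because only named business groups can reach it. Exposure is a property of the effective ACL, not of the data alone, which is why the page pairs classification with permissions reporting.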
Stale user accounts are another overlooked scenario with potential risk. Essentially, user accounts are often not disabled or removed when an employee leaves the company or a contractor's temporary assignment is over. For the proverbial disgruntled employee, it's not unusual for this former insider to still have access to his account after leaving the company. Or for hackers to gain access to a no-longer-used third-party contractor's account and then leverage that to hop into their real target. In the Protect phase, we'll cover how Varonis can let you quickly disable these accounts.

A full risk assessment program would also include identifying external threats: new malware and new hacking techniques. It's a separate function from data asset identification. With this new real-world threat intelligence, you then re-adjust the risk levels you initially set and re-strategize. You do this on a continual basis, since it's an endless game of cyber cat-and-mouse with the hackers.
Prevent

The second phase of the Varonis GDPR methodology involves restructuring permissions, locking down or reducing overly exposed personal data, and identifying data owners to ensure that the proper preventive controls are in place. This eliminates areas of high risk, reduces the potential attack surface, simplifies the environment, and begins involving stakeholders outside of IT Security.

In this phase, you're also supporting a key GDPR principle, minimization: taking the file and account information and looking for ways to minimize who has access to personal data and to reduce the sensitive data itself. Let's see how we can do that in the Prevent phase.

One of the critical controls in this area is limiting access to only authorized users. This is easier said than done, but we've already laid the groundwork above. The guiding principles are least-privileged access and role-based access control. In short: give the appropriate users just the access they need to do their jobs or carry out their roles.

Since we're now at a point where we are about to take a real action, we'll need to shift from the DatAdvantage Reports section to the Review area of DatAdvantage. DatAdvantage provides graphical support for helping to identify data ownership. If you want to get more granular than just seeing who's been accessing a folder, you can view the actual access statistics of the top users with the Statistics tab in DatAdvantage.
This is a great help in understanding who is really using the folders. The ultimate goal is to find the true users and remove extraneous groups and users who perhaps needed occasional access but not as part of their job role. The key point is to first determine the folder's owner: the one who has the real knowledge and wisdom of what the folder is all about. This may require some legwork on IT's part in talking to the users, based on the DatAdvantage stats, and working out the real chain of command.

Once you use DatAdvantage to set the folder owners, these more informed power users, as we'll see, can independently manage who gets access and whose access should be removed. The folder owner will also automatically receive DatAdvantage reports, which will help guide them in making future access decisions.

There's another important point to make before we move on. IT has long been responsible for provisioning access without knowing the business purpose. Varonis DatAdvantage assists IT in finding these owners, then assists the owners with minimizing or limiting access, and then with formally managing the granting of access.

Another way DatAdvantage assists data owners is through its automated recommendation engine. Owners often find these recommendations helpful because they can easily spot users that have changed roles, no longer need access, etc. The 4b report from the last section would be helpful here since it lists ACL recommendations. The DatAdvantage Work Area tab also directly provides similar information.
Anyway, once the owner has done the housekeeping of restricting and removing unnecessary users and groups, they'll then want to put in place a process for permission management. Data standards and laws, such as GDPR, recognize the importance of having security policies and procedures as part of an ongoing program, i.e., not something an owner does once a year. Varonis has an important part to play here as well.

Figure: DatAdvantage 4g report shows data classification results.
Maintaining Least-Privileged Access

How do ordinary users whose job role now requires them to access a managed folder request permission from the owner? This is where Varonis DataPrivilege enters the scene. Regular users interact with DataPrivilege to request access to a managed folder, and DataPrivilege then manages the workflow process.
The owner of the folder has a parallel interface from which to receive these requests and then grant or revoke permissions. The goal here is to automate the workflow so that access permissions stay limited to those who truly need them.

Another way to maintain least-privileged access is to disable stale or inactive accounts, which are a potential security risk. For these accounts, DatAdvantage lets you disable them directly through its online interface, saving you the extra step of going into a directory service, say Active Directory.
Minimize Sensitive Data

Minimization is an important theme in security standards and laws. These ideas are best represented in the principles of Privacy by Design (PbD), which offers good overall security advice: minimize the sensitive data you collect, minimize who gets to see it, and minimize how long you keep it. In the case of GDPR these ideas are directly mentioned in "Data Protection by Design and Default" (Article 25). We've already seen how DatAdvantage can help minimize who gets access.

Another PbD principle is to reduce security risks by deleting or archiving unnecessary or stale sensitive data embedded in files. This makes incredible sense, of course. Stale GDPR personal data can, for example, be consumer identifiers collected in short-term marketing campaigns that now reside in rarely used spreadsheets or management presentations. Your organization may no longer need it, but it's just the kind of monetizable data that hackers love to get their hands on.
DatAdvantage can find and identify file data that hasn't been used since a certain threshold date. Can the DatAdvantage 4f report (from the previous section) be adjusted to find stale data that is also GDPR personal data? Yes. You need to add the "hit count" filter and set the number of sensitive data matches to an appropriate number.

The next step is to use the Data Transport Engine (DTE) available in DatAdvantage (from the Tools menu). DTE allows you to create a rule that will search for files to archive and, if necessary, delete. The rule's search criteria mirror the filters used in generating the sensitive data reports in the previous section. The rule does the real heavy lifting of detecting and removing the stale, sensitive data. Since the rule can also be saved, it can be rerun to enforce the retention limits. Even better, DTE can automatically run the rule on a periodic basis, so you never have to worry about stale GDPR personal data in your file system.
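The stale-account check from the earlier sections and the stale-sensitive-data retention rule just described are the same test applied to two kinds of asset: has this thing been used since a threshold date, and (for files) does it also hold enough personal-data matches to matter. The Python below is an added example of that logic written for this edit; it is not Varonis code, not the DTE rule format, and not a directory API. The account and file records, the "today" date and the thresholds are constructed assumptions.

```python
"""Added example (not Varonis code): one staleness rule applied to two asset
kinds. Enabled accounts with no logon for ACCOUNT_STALE_DAYS are candidates to
disable; files with no access for FILE_STALE_DAYS that also hold at least
MIN_HITS personal-data matches are candidates for archive or deletion (the
retention rule the DTE step describes). All records are constructed."""
from datetime import datetime, timedelta

NOW = datetime(2018, 5, 25)   # constructed "today" so results are reproducible
ACCOUNT_STALE_DAYS = 90       # assumption: policy threshold for dormant accounts
FILE_STALE_DAYS = 365         # assumption: retention threshold for unused files
MIN_HITS = 5                  # assumption: matches needed to count as GDPR data

# Constructed directory records: (account name, last logon, enabled)
ACCOUNTS = [
    ("atanner", datetime(2018, 5, 20), True),
    ("contractor7", datetime(2017, 11, 1), True),    # assignment long over
    ("oldintern", datetime(2016, 6, 30), False),     # already disabled
    ("svc_backup", None, True),                      # no recorded logon
]

# Constructed file index: (path, last access, personal-data hit count)
FILES = [
    (r"C:\Share\mkt\campaign2015\leads.xlsx", datetime(2015, 9, 1), 120),
    (r"C:\Share\mkt\deck.pptx", datetime(2016, 1, 15), 0),
    (r"C:\Share\fin\q1_2018.xlsx", datetime(2018, 4, 2), 30),
    (r"C:\Share\legal\old_contacts.csv", datetime(2017, 2, 10), 6),
]


def is_stale(last_seen, now, max_days):
    """True when the asset has not been used within max_days of now.
    A missing timestamp counts as stale: 'never used' is the worst case and
    must surface for review rather than silently pass."""
    if last_seen is None:
        return True
    return now - last_seen > timedelta(days=max_days)


def stale_accounts(accounts, now=NOW, max_days=ACCOUNT_STALE_DAYS):
    """Enabled accounts with no logon inside the window. Disabled accounts are
    skipped; they are already in the state we want."""
    return [name for name, last, enabled in accounts
            if enabled and is_stale(last, now, max_days)]


def stale_personal_data(files, now=NOW, max_days=FILE_STALE_DAYS, min_hits=MIN_HITS):
    """Files that are stale AND contain at least min_hits personal-data matches.
    Stale files with no personal data are not a retention concern here, and
    personal-data files still in use are kept. Returns (path, hits) so the
    caller can decide between archive and delete."""
    return [(path, hits) for path, last, hits in files
            if hits >= min_hits and is_stale(last, now, max_days)]


def run_demo():
    """Apply both rules to the constructed records."""
    return stale_accounts(ACCOUNTS), stale_personal_data(FILES)


if __name__ == "__main__":
    accounts, files = run_demo()
    print("accounts to review for disabling:", accounts)
    print("stale personal-data files:", files)
```

Note the service account in the sample: it surfaces because it has no recorded logon, which is exactly the kind of result that needs a human decision rather than an automatic disable, since some service accounts never log on interactively. The file rule deliberately ignores the old presentation with zero hits and the recent spreadsheet that is still in use.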
Right to be Forgotten

Varonis can also help to meet another GDPR requirement, the "Right to Erasure or Right to be Forgotten" (Article 17). Under the GDPR, consumers have the right to request the deletion of personal data related to them. This requirement covers not only removal of personal data from structured databases but also within file systems.

While it's possible to add new classification rules to find a specific customer requesting deletion, say using name or account number search criteria, an easier way to meet the right to erasure is through Varonis DatAnswers. It's our intelligent search engine for scanning files. Just as you would enter keywords into, say, Google, you can use DatAnswers to find the files where the personal data of a customer requesting erasure is located. You can then quarantine and adjust the file's data.
Monitor

No data security strategy is foolproof, so you need a secondary defense based on detection and monitoring controls: effectively, you're watching the system and looking for unusual activities that would indicate hacking. Varonis DatAlert has a unique role to play in breach detection because its underlying security platform is based on monitoring file system activities.

By now everyone knows (or should know) that phishing and injection attacks allow hackers to get around network defenses by borrowing existing users' credentials, and fully undetectable (FUD) malware means they can avoid detection by virus scanners. So how do you detect the new generation of stealthy attackers?

No attacker can avoid using the file system to load their software, copy files, and crawl a directory hierarchy looking for sensitive data to exfiltrate. If you can spot their unique file activity patterns, then you can stop them before they remove or exfiltrate the data, or at least limit the data exposure.

We can't cover all of DatAlert's capabilities, but since it has deep insight into all file system information and events, and histories of user behaviors, it's in a powerful position to determine what's outside the normal activity range for a user account. We call this user behavior analytics, or UBA, and DatAlert comes bundled with a suite of UBA threat models. You're free to add your own, of course, but the pre-defined models are quite powerful as is. They include detecting crypto intrusions, ransomware activity, unusual user access to sensitive data, unusual access to files containing credentials, and more.
All the alerts that are triggered can be tracked from the DatAlert Dashboard. IT staff can either intervene and respond manually or set up scripts to run automatically, for example to automatically disable accounts.

The GDPR breach notification requirements (Articles 33, 34) require the supervisory authority to be notified of the nature of the breach, the categories of data and number of records exposed, as well as the measures taken to address the breach incident. DatAlert can provide all this information as well as remediate the breach through automated scripts.
Here are a few examples of some of the threat models that can be detected and acted on:

Threat model: Abnormal behavior: Access to an unusual number of idle GDPR files
Description: A statistically significant increase was detected in the number of idle GDPR files opened by the user, compared to his behavioral profile. Idle files are files the user did not create, did not modify as part of his access, and, previous to this alert, had not accessed for a long time (though other users may have accessed them recently). This may indicate an attacker is searching for sensitive data assets to which he has access, in order to exfiltrate the data.

Threat model: Abnormal behavior: Unusual number of GDPR files with denied access
Description: A statistically significant increase was detected in the number of GDPR files a user failed to access. This may indicate an attacker is searching for and trying to gain access to various data assets in order to exfiltrate data.

Threat model: Abnormal behavior: Unusual number of GDPR files deleted or modified
Description: A statistically significant increase was detected in GDPR files deleted or modified by the user, compared to his behavioral profile. This may indicate an attacker is attempting to damage or destroy critical data assets, as part of a denial-of-service attack.

Threat model: Abnormal service behavior: Access to atypical folders containing GDPR data
Description: A service account accessed folders containing GDPR data it had not accessed previously. Service accounts can be expected to perform the same actions repeatedly; therefore, a behavioral change is suspicious. Attackers may impersonate a service account and exploit its privileges.
To help meet GDPR's 72-hour window for providing information to the data authorities, DatAlert lets you fine-tune the threat behaviors to focus just on GDPR personal data. In other words, you can get alerts for, say, unusual file access to a folder containing phone or national ID numbers.

Figure 9: DatAlert can be configured to trigger on threats affecting GDPR personal data.
Other Considerations

It's important to keep in mind that the GDPR is not a security standard. It provides guidance, enforced of course by the EU regulators, to help ensure that personal data is protected. GDPR asks you to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" (see Security of Processing, Article 25). The GDPR also says you need a process for "regularly testing, assessing and evaluating the effectiveness of technical and organisational measures". In other words, data security is something you do on a continual basis.

We've shown in this white paper how Varonis software can help you in a GDPR data security program. We didn't cover all of Varonis's capabilities; if you want more details, you can refer to our Varonis Operational Plan. Ask our sales staff for a copy.

Many large organizations have likely been relying on existing data security standards, such as PCI DSS or ISO 27001, and have already implemented many of the detailed security controls in these standards. If that's the case, you'll now need to focus these controls more specifically on the protection of GDPR personal data.

The GDPR offers, through its approved "codes of conduct" (see Article 40), a way to gain "credit" for existing compliance. Article 40 says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a company then follows an officially approved "code of conduct", this can dissuade regulators from taking actions, including issuing fines, as long as the standards group (for example, the PCI Security Standards Council) has its own monitoring mechanism to check on compliance.
The GDPR, though, goes a step further. It leaves open a path to official certification of the data operations of a company, or as the GDPR refers to it, a controller. In effect, the regulators have the power (through article 40) to certify a controller's operations as GDPR compliant. The EU regulators can also accredit other standards organizations, such as PCI or ISO, to issue these certifications directly. The certifications will expire after three years, at which point the company will need to re-certify.

These certifications are entirely voluntary, but there are obvious benefits for many companies. The intent is to leverage the private sector's existing data standards and give companies a more practical approach to compliance with the GDPR's technical and administrative requirements. The EDPB is also expected to develop certification marks and seals for consumers, as well as a registry of certified companies. We'll have to wait for more details to be published by the regulators on GDPR certification.
Get a GDPR Readiness Assessment

Live Demo
Set up Varonis in your own environment and see how to stop ransomware and protect your data.
info.varonis.com/demo

Data Risk Assessment
Get your risk profile, discover where you're vulnerable, and fix real security issues.
varonis.com/gdpr-ra

Varonis is a Fantastic Solution