Balance between information security and privacy
Control and documentation of privileged users
The General Data Protection Regulation (GDPR, in German DSGVO) integrates data protection rules into the already complex mix of IT and security processes.
Interpreting the regulation yields requirements for information security and privacy, including in the area of system administration. The regulation therefore demands regular reviews, assessments and evaluations of the effectiveness of technical and organizational measures (Art. 32 GDPR). In practice this leads to the establishment of an Information Security Management System (ISMS). An essential component of any such system is access protection (access management). A special aspect of it is the control and documentation of the work of privileged users.
IT systems must be maintainable (system administration by privileged users), but at the same time it must be ensured that both the work itself and the recording of that work comply with data protection law. This includes:
– protection against uncontrolled data flow (leakage) and manipulation of data
– traceability of activities through documentation (provides the evidence needed to meet the burden of proof in a legally required report or audit)
– access and usage control (restricting the user groups to the necessary minimum)
What does a remote access system for privileged users have to offer?
– Secure communication and separable security zones, untrusted and trusted (S)
– Access control by design and by default (AC)
– Documentation by design and by default (DOC)
– Handling detection (HN)
– Data flow control, including copy & paste (DF)
– Reporting on who granted access to whom, when and how (R)
Depending on the status of the data (for example, in processes subject to retention obligations, or where PCI DSS applies), a guaranteed two-man rule (four-eyes principle, 4AP) has to be ensured.
The goal is to implement a compliance-oriented and auditable Remote Access Service (RAS) solution for privileged users.
Overview of the basic technologies:
The table below lists basic technologies for remote access and evaluates them.
Manageability, cost and availability are not considered (see the corresponding column).
Desktop sharing tools offer no functions that produce reliable evidence. Smooth work is often not possible, and every task always ties up two users.
End-to-end encryption protects the transport (against eavesdropping and man-in-the-middle attacks), but nothing further. A VPN combined with jump servers provides a secure solution with access control, but yields no evidence of how systems and data were actually interacted with. Agent-based solutions provide a great deal of information, but are complex in their basic methodology.
A combination of these methods provides a good basis, but the variety of components makes it complex to operate. Solutions that focus on all aspects of access by privileged users cover the requirements of the Data Protection Regulation listed above.
ANMATHO AG – Your reliable partner
As an integration partner for VISULOX, a remote access system for privileged users, ANMATHO AG supports you with its experts from consulting through implementation to ongoing operation.
Our experience in information security and information technology, as well as in implementing compliance requirements, ensures the successful implementation of your VISULOX deployment.