Hello everyone. My name is Christian. I'm looking forward to our baby now with title sub protection or how to double secure internal company secrets. At bio I'm responsible for the product management of access and password management, and I focus on using our solution to customers. Usually I would welcome everyone to ask questions during my presentation. Due to the shortness of the time, I would prefer that you ask me any questions afterwards. Please feel free to network with me on LinkedIn or sync. So let's get started. Access management is usually differentiated in various areas.
For example, access to networks, servers, and applications. Here, such topics as multifactor authentication are used to secure access to systems with sensitive data. However, most companies do not regulate access to unstructured data that is stored on the file servers by combining various factors. Today, I would like to have a closer look at this topic: how to double secure internal company secrets on file servers.
The requirements for access management listed here naturally apply to all areas, but especially activity documentation and identification of highly sensitive data are still troublesome for most companies. Regarding directory documentation, companies can perhaps get an overview of who currently has access to which directory within the company.
But as soon as there are nested structures with authorizations based on nested Active Directory groups, the overview becomes very tedious, and historical data are not even available for most customers, like who had access to which directory six months ago, or who has approved or revoked those rights. When it comes to identification of highly sensitive data, directories containing such data are generally not visible on the outside.
However, this can also mean that employees who manage the access to this data are not even aware of the special conditions, that it needs to be protected. But here in particular, several conditions should be met to allow access to such data.
But what process enables activities to be documented and sensitive data to be identified at the same time, while access is only allowed if various criteria have been met? That is why I would like to take up the topic of ensuring processing on the next slide and use the example of an employee joining a new department to explain the whole process.
In our example, the employee changes from department a to department B. This change causes the need to have access to several directories that are not accessible for all employees. And there's also a directory named details, which contains extremely sensitive data.
I would like to describe the problems that arise from this using a small example that happened to me some time ago. As an external coworker, I needed access to a few special folders. I went to the IT admin and asked to set up this access for me. So it was not a problem.
He just asked me to go to the managing director so that he could send him a short open email. So I went to the manager and he did it right away. The next day I had the access rights I needed, but then it turned out that I had not only received access rights to the special folders, but unfortunately also to all folders. As soon as this was noticed, as a precaution all rights were revoked for me, so that I no longer had access to the data I had already stored. One day later, everything was fine again.
Besides the effort that was, and the amount of waiting time for me, the process was also a violation of the current data protection regulations, even if it was unintentional.
The procedure I have just described is certainly not the rule, but is also not an exception. As long as the person who assigns the rights and the person who can make a technical assessment (project manager, department head, supervisor, and so on) are not the same person, such situations can always happen. And this is exactly where automated access management comes in. The workflow itself is very simple.
The user has no access to a directory. He can submit a request via an access management solution, which then goes to the person responsible and no longer to the IT help desk agent.
As soon as he approves the request with one click, the software independently initiates the access and then informs the user and all those responsible by email about the approval. This process is also documented and can be audited at any time. In this context, the question arises how access rights that are no longer required are promptly revoked.
This issue is still an unsolved problem in many companies, especially if no automated access management is in use and rights are still manually assigned by IT. In the following process, we assume that automated access management, such as our bio solution Access Manager, is already in use. In this case, there are technically responsible persons, so-called data responsibles, for the respective directories, who are in charge of the approval and revoking of access. As already mentioned, this is the best way to decide who really needs access.
In our case, the person responsible has already approved all existing requests, as you can see on the right side, and our employee automatically receives the required access rights, with one exception.
That, however, is the directory named details, with extremely sensitive data. The access is already marked as approved, but another organizational step is missing, which was defined as a requirement for accessing this data.
The missing step is the successful participation in a training course called Sage protect training. This is not even a constructed example; this procedure is also executed by some of our customers. In this case, the individual data responsible does not need an overview of who has completed the training, because this topic is a matter of other departments, for example HR.
After completion of the training, HR takes the training graduates into special groups whose membership is required for being able to access certain directories in the company at all. Of course, these assignments would also be possible in the access management solution. How do you technically bring the two organizational topics, approval by a data responsible and participation in training courses, together? This is achieved by defining data categories. As you can see on the right side, different definitions are stored for each category, as in our example, who can have access.
However, other definitions are also possible. For example, when should a so-called re-approval take place, or should the data be automatically deleted after a defined period of time? The respective definitions apply to each directory to which such a category has been assigned. Here, the employee receives final access to our directory list after completing the training and admission to the Active Directory groups by HR. This process is documented and can therefore be audited at any time.
In this context, it is also important that such an assignment of rights requires regular reviews, even if it's protected by two organizational measures.
Especially regarding extremely sensitive data, regular reviews should not take too long. Here you can also define in the Access Manager at what intervals such a review should be carried out. For this purpose, the system regularly writes to the data responsible, reminding them to check whether the assigned authorizations still meet the current requirements. Like we described, the employee leaves department A: who takes care of the revoking of rights? If there is no real-time re-approval, the software can be used to automatically revoke rights.
The data is then still available, but access is only possible after assigning rights. In such situations, an automated access management system is very helpful. The system offers a possibility to define time-limited access and to revoke it automatically after a scheduled time. That means less work for the data responsible, and revoking happens just in time.
Let's come to a short summary. Some protection is always based on various factors. An important point is whether access to very sensitive data is regulated and secured.
In larger environments with many employees, a fully automated access management system is indispensable. Otherwise the company quickly loses track of who has access to what, or, if a claim occurs, who had rights in the past and who approved or revoked these rights. The approval of access rights should be done by the technical data responsible, and that shouldn't be the IT staff.
Another point is data classification and the consistent identification of highly sensitive data. Only then can suitable protective measures for such data be carried out.
Of course, good employee training is also necessary to raise awareness of the issues of data protection and sub protection. If you can bring various factors together technically, we have achieved how to double secure internal company secrets. And I would say thank you for your attention.
If there are any questions, please feel free to contact me in the networking tool.
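
The double condition described in the talk (approval by the data responsible plus membership in a group that HR fills after the training), the re-approval deadline, and the audit question "who had access at a given date, and who approved it" can be modelled in a few lines. This is an added example, not part of the talk and not the vendor's product; the class names, the group name `GRP_TRAINING_DONE`, the path and the 90-day interval are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Category:
    """Hypothetical data category; its rules apply to every directory tagged with it."""
    name: str
    required_group: Optional[str]  # group filled by HR after the training, if any
    reapproval_days: int           # an approval lapses unless renewed in this window

@dataclass
class Ledger:
    """Append-only log; assumes events are recorded in chronological order."""
    events: list = field(default_factory=list)  # (day, kind, user, target, actor)

    def record(self, day, kind, user, target, actor):
        self.events.append((day, kind, user, target, actor))

    def latest(self, kinds, user, target, day):
        """Most recent matching event on or before `day`, or None."""
        hits = [e for e in self.events
                if e[0] <= day and e[1] in kinds and e[2] == user and e[3] == target]
        return hits[-1] if hits else None

    def has_access(self, user, directory, cat, day):
        """Point-in-time decision: approval AND (if required) group membership."""
        last = self.latest({"approve", "revoke"}, user, directory, day)
        if last is None or last[1] == "revoke":
            return False
        if day - last[0] > timedelta(days=cat.reapproval_days):
            return False  # re-approval overdue, treated as automatically revoked
        if cat.required_group is None:
            return True
        grp = self.latest({"group_add", "group_remove"}, user, cat.required_group, day)
        return grp is not None and grp[1] == "group_add"

# Constructed sample data: names, paths and dates are illustrative only.
SENSITIVE = Category("highly-sensitive", "GRP_TRAINING_DONE", reapproval_days=90)
DETAILS = "/dept-b/details"

def demo():
    log = Ledger()
    log.record(date(2024, 1, 10), "approve", "alice", DETAILS, "data-responsible-b")
    log.record(date(2024, 1, 20), "group_add", "alice", "GRP_TRAINING_DONE", "hr")
    log.record(date(2024, 3, 1), "revoke", "alice", DETAILS, "data-responsible-b")
    check = lambda d: log.has_access("alice", DETAILS, SENSITIVE, d)
    return {
        "approved_only": check(date(2024, 1, 11)),  # training group still missing
        "both_met": check(date(2024, 2, 1)),        # historical query after the revoke
        "after_revoke": check(date(2024, 3, 2)),
        "approved_by": log.latest({"approve"}, "alice", DETAILS, date(2024, 2, 1))[4],
    }
```

Because the decision is computed from the event log rather than from the current ACL, the same function answers both the live access check and the historical question.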