GDPR: Headache or Opportunity?
March 07, 2018
Phil Richards | Chief Security Officer | Ivanti
Simon Townsend | Chief Technologist | Ivanti
Join Phil Richards and Simon Townsend to get both an EMEA and Americas perspective on how technology solutions - Discovery, Patching, Application Control, Privilege Management and Service Management can help you minimize the headaches around GDPR. Attendees will learn:
- How to navigate without a silver bullet
- The importance of identifying PII data, protecting users, and securing endpoints
- How to integrate, unify, orchestrate, and automate with service management
- Ways to implement solutions that reduce the pain associated with GDPR
It can be hard to see GDPR as anything more than a massive on-going headache. However, while GDPR requires companies to adjust how they handle data in many ways, it also helps organizations ensure overall compliance, protect against cybersecurity threats, manage their IT assets, and more. Register today and discover solutions to help you prepare for GDPR and accelerate your organization with fewer headaches.
Simon: Good morning. Thank you very much for joining today's webinar from Ivanti. I, Simon Townsend, am joined today by Ivanti's CISO, Phil Richards. Phil, are you there? Phil, can you hear me?
Phil: Sorry about that, we were on mute. Welcome, everybody. Today, we're gonna be talking about GDPR, whether that's a headache or an opportunity. GDPR, of course, stands for Global Data Protection Regulation. And Simon is gonna give us an intro to the topic here a little bit.
Simon: Yeah, no problem. So, as I said, thanks very much for joining us this afternoon. We're gonna try and get through this in a relatively short but informative amount of time, and then make sure that we can answer any questions that you may well have along the way. If you do have questions, feel free to put them into the Q&A or the chat window, and we will try and answer them as we go along. But we'll also leave some time to cover those questions off at the end.
Just as a way of a quick introduction to both myself and Phil: Phil is based out of Ivanti's head office in Salt Lake City in Utah. He is our CISO, and is responsible for all aspects of information security, including GDPR, within our business. He came to Ivanti a year or so ago now, with a wealth of experience from both the security and the system architecture space.
I'm Simon Townsend, I'm based in the UK, and I'm predominantly responsible for all the technical side of our business in EMEA. I've been with the organization in one way or another about 15 years, and my specialty has historically been around endpoint management, desktop virtualization and endpoint security.
What we really wanna talk about today is how Ivanti is helping its customers with GDPR. There is a wealth of information out there at the moment around GDPR. Some of it admittedly is a little bit more complicated to understand than others. There is obviously official documentation, but also a wealth of knowledge has been made available, particularly in the last six to 12 months, from a number of different sources. But I'm hoping that most of you that are on this call appreciate when GDPR is coming into force, as in May this year. The fact that it is there to protect something known as personally identifiable information, or PII data, that it applies not just to those states that are part of the EU, but any organization that is holding or processing information of people that are in the EU.
Who it can apply to, what the difference is between a data controller and a data processor, whether or not you need to employ a Data Protection Officer. Many of you would have read about the fact that the fines surrounding GDPR could be anything between 2% and 4% of your annual turnover, which compared to a lot of data protection instances that are put in place, let's say within the UK or in Germany, those fines under GDPR are significantly higher than what we've seen in the past.
You're probably already also aware of the fact that you've got a 72-hour period to process data or respond to a breach when a breach of data takes place. And also the fact that a lot of you on this call may well be from IT, but GDPR isn't just an IT problem, it's a business problem, and for that reason it also needs to incorporate and involve various different parts of your business, all the way from HR, all the way up to the board, but also including things like legal and legal counsel as well.
So, you know, there's a lot to try and consume and a lot to understand about who and when it applies to, and how you may or may not get a fine, how you should try and protect data, how you should try and design with security in mind. But what we really wanted to do today is actually speak to you in terms of how we can actually help. In my...
Phil: Hey, Simon. This is Phil again. Just real quickly, on this slide there's a couple of relatively new developments that I think are important to highlight here, on the "where" section. Obviously, this covers data subjects or individuals who are members of the European Union; the regulation calls them data subjects. That being said, the current list of countries that are going to have laws in those countries that are compliant with GDPR by the May 25th deadline is now down to two. So there's only two countries right now that look like they're gonna be ready on time to have their own national GDPR legislation ready, and that is Germany and Austria.
The rest of the European Union countries are working hard to get those laws through their own legislative process, but it's looking like that's going to be somewhere in the neighborhood of three to six months later before the rest of those countries have local laws that are compliant with GDPR.
The other piece to kind of talk through is this time to respond. I know that everybody has seen this, or a lot of people have seen the 72 hours as a time to respond. That is specifically if you are a data processor or if you are the main custodian of European Union data subject data yourself. If you are a third party, so maybe your company is processing data subjects on behalf of a data processor, then the law specifically says you don't have a timeframe that requires you to respond. You have to respond as soon as reasonable or as soon as practical, but it does not spell out a timeframe. So 72 hours if you're one step removed from your data subject, but there's no timeframe specified if you're two or more steps removed from your data subject. So just a couple of points of clarification there.
Simon: They're good points to raise, Phil, because as we've seen over the last couple of months, some of these things are still very much, I won't say work in progress, but they are moving, some of these are...
Phil: Absolutely. Right. Yeah, there are some moving parts in this space. And obviously as your organizations are becoming aware of and putting in place a data privacy program, you need to be aware of how the landscape is changing as you're putting that program together.
Simon: Yeah. I think that leads me quite nicely on to something that we could talk about very briefly, Phil, which is actually GDPR as a whole. A lot of the customers that I talk to seem to have this date of May 2018 stuck in their minds, that they have to become compliant by that day, and that anybody that is not compliant by that day is gonna get a 4% fine of their annual turnover. This isn't about being compliant by a particular date as such. This is about changing behaviors, changing processes, changing how the business works, implementing systems. It's not gonna finish in May; this is gonna be work in progress for a lot of organizations throughout 2018, 2019 and onwards. Do you agree?
Phil: You're absolutely right. The intent behind the legislation is not to provide a deadline by which everybody has to be "compliant," but that is the beginning of the time period, the beginning of the time when your organization is responsible to treat data subjects' private data in a different way than maybe you've done in the past. And to your point, you're exactly right, it's all about developing processes and developing disclosure rules and those kind of things, so that in an ongoing kind of a way you can appropriately account for the data of your data subjects.
Simon: Yeah, yeah, yeah. And I think the other thing I'll add on there is, again, a lot of organizations I speak to, and we're gonna cover some of this in a second as well, a lot of the organizations I'm speaking to are worried about how they secure their data, what steps they can take to secure their data. Because a lot of the focus is based on what happens when a breach takes place, and the fact they've only got this 72-hour period depending on who they are, and they've got to collect all that information and present it.
But a lot of GDPR is not about what happens post-breach, a lot of GDPR in the first instance is just about making sure that we are responsibly storing and not sharing with other third-parties people's data, and that also people have got access to their data when they request it as well. So it's about...it's as much about privacy as it is about security, would you agree with that?
Phil: Yeah. In fact, one of the main components or one of the more important ideas in the GDPR legislation is this concept of privacy by design. The whole idea behind privacy by design is that you design your systems to account for privacy rather than having privacy be an afterthought, something, "Oh, we have to take care of the data," as well as do all the rest of the functionality. You have to actually bake privacy considerations into your design.
And part of what that means is, the regulators are not going to look favorably upon configuration options that allow an organization to configure software in such a way that discloses or does not adequately secure private data. For example, if you have a website and one of the configuration options is whether or not the transport is encrypted. The regulators might look at that as not following the privacy by design or secure by design mantra, and you might, you know, experience some difficulty, because you have that as a configuration option. They would prefer that you design it so that it must be secure.
Simon: Yeah, yeah. Good. Good, good, good. Right, so that's... Let's talk quickly, at a very high level before we go into some of the detail, just in terms of how Ivanti can help. Ivanti is an independent software vendor, probably the easiest way to summarize it. We have a portfolio of solutions that really helps people bring together three key areas: service management, IT operations, and security. So we've got software technologies, products and a portfolio of solutions that allow organizations to operate in those three areas.
But with regard to GDPR, and to be very specific I suppose for the purpose of this webinar, what we really wanna talk about is a couple of key areas that we are currently helping organizations with when it comes to GDPR compliance, and that is discovery, securing endpoints and therefore securing personally identifiable information through patching, app control and privilege management. And then lastly, how service management plays a part in this as well.
And those are really the five key areas that we wanted to cover off today. There are some additional areas that we can help in. We've got some very powerful automation tools. We've got some unified endpoint management tools. We've got some identity solutions as well, which can all assist in achieving GDPR compliance. But I think it's fair to say, there is no silver bullet, there is no one vendor out there from a technology point of view that's gonna solve the GDPR problem. And again, it isn't just a technology problem, it's about changing people, processes and technology as well. So those are the five things that myself and Phil would really like to cover today.
Before we go into that, I think it's probably worth just looking at something else in the market. And I'm hoping many of the people in the webinar are aware of the critical security controls that are from the Center for Internet Security as well because I think we'll reference this Phil, won't we? As we go through the next couple of slides we'll sort of reference and come back to where we sit within this list of prioritized controls.
But this is a published list, it's version 6 of the list. I believe in the next two weeks they're actually going to announce version 7, the 2018, version 7 edition of this list. But this is a prioritized list that the CIS publishes in terms of steps that an organization should take to try and protect themselves, design with security in mind, prevent things like ransomware attack and various malware attacks, etc.
And what we really want to focus on or refer back to in this webinar is those top five. If you noticed, number eight on that list is putting things like malware defenses in place, so that would typically be things like your antivirus solution, making sure that you've got an antivirus solution in place. But what you'll notice is that it is prioritized, and at the top of that list, the first recommendations the CIS make, and there are various different agencies, central government organizations, the FBI, the UK's Center for Cyber Security, the equivalent in Germany for instance, they're all saying very, very similar things, and that is really that you need to be on top of your inventory, of what devices you've got, what applications you've got. You need to make sure that you've got a secure configuration on those devices, so implementing things like application control, making sure that you've got the ability to do vulnerability assessments and do patching, and then also make sure that users and administrators have got the right level of admin privileges.
And I think across the board, across the globe, those five things seem to be quite common best practice, basic steps that are being recommended in today's world from a cyber security point of view. Would you agree, Phil?
Phil: Yeah, Simon, you're exactly right. The first five, and as you mentioned a couple times, these are prioritized. And so that means that the top five, those first five controls, are considered to be more important, more essential than the controls underneath them. And this might be a little unintuitive, because you'll notice, as Simon mentioned, there are things that we would consider kind of important controls, like email and browser protections, which is number seven, and malware defense is number eight, they don't show up in the top five. And so, you know, a lot of people look at that top five and say, "Why is it so important to make sure you know what software you have and what hardware you have in your environment?" So I kind of want to talk a little bit about that, about how critical it is.
I was working at a previous company, and we had regulators show up at our offices, and those regulators were really focused on at the time our patching solutions, they wanted to make sure that we had adequate patch protections against all of our several thousand servers that we had. And so I had a regulator come into my office and say, "So the first question is, are you patching your solutions, your systems?" Now we had spent quite a bit of time and effort making sure that our patches were rolling out and that we had a process to patch all of our systems, and that all of our systems were current. So I knew what the right answer for that question was, which was, "Yeah, we're patching our systems."
The next question that he asked took us the better part of a week to be able to answer adequately, and that question was, "How do you know? How do you know that you're applying all the right patches to your systems? How do you know that you're not missing some systems? You've got several thousand servers." And a lot of those servers were virtual servers, coming up and down from our development organization. So those servers can be provisioned and decommissioned within minutes of each other, not hours. "So how do you know that you're capturing the patching requirements for all of those machines? Are you patching for the operating system or are you patching for all the software that's running on those servers? How do you know what software is running on those servers?"
It's the "how do you know" question really that these first controls tend to focus on. The short answer for the audit I was going through was, "I know that I'm patching all of my servers because I have an accurate and active inventory of all of my systems. We have solutions in place that detect when new servers come online, and we add them to the inventory. We have solutions that detect when servers get decommissioned, and so we remove them from the inventory. We have other solutions that run as agents on our servers, and so we determine what software is running on those machines. So I know what software is on those machines. And by knowing what software is on the machines, I can patch the applications that are running on those machines."
Those first two items end up being very critical when you're administering a large or even a medium-sized organization that has you know a lot of workstations or a lot of servers or a lot of virtual environments, that kind of thing. You need to be able to have control of what that inventory is and what it looks like. And by the way, it changes very fast and very frequently, and because of those changes you need to have an automated solution in place.
Simon: Yeah, yeah, yeah, yeah, good. All right, so we're going to come back to those CIS controls throughout, I think, and quite nicely, I think, following on from that example, Phil, is the importance of discovery, right? It's very common for organizations to retrospectively panic or go back and do a level of discovery when perhaps an audit is taking place, so software asset management is an example.
Phil: Exactly, yeah. So discovery ends up being really nice to kind of answer that "how do you know" question, because I don't have to... One of the problems with static inventory, it used to be back in the 90s or the early 2000s, that you could keep an inventory of your servers by simply knowing what servers got purchased and which servers got put into your datacenter. You can't do that anymore, because a machine that gets purchased might be the gateway to creating hundreds of virtual instances or virtual servers in your environment. Some of those servers will go up and come down in a matter of hours or minutes, and you as an administrator need to be able to have the ability to kind of keep the organization or demonstrate that you can keep the organization aware of those new assets that come into and out of scope on a very frequent basis.
Simon: Yeah, yeah. And that would be, I mean, that's the same, devices, applications, to your point, virtualized environments, cloud-based environments. I mean, the whole estate ultimately is more agile, more dynamic than it's ever been before. And so, you know, one of the things that we pride ourselves on is some of the toolsets we've got around discovery. Ivanti has been around in one shape or form for probably over 25 years, and one of the core components that we have always offered around our client management tools product, which has continued to evolve, is around discovery. And so we have the ability to very easily enable organizations, enable the business to do device-based discovery, software asset discovery, and then start to rationalize that information and actually start to make sense and provide insight into a lot of that information.
And instead of, you know, an organization taking quite a low-maturity angle on how they do asset management by recording it in spreadsheets, dare I say, this really gives us the ability to proactively start to do this, what I would term proactive asset management. The ability to not only do it retrospectively, go back and discover things as and when they pop up, to Phil's point, when a virtualized environment pops up, when a new machine comes online or a new application is brought into the environment unknowingly, perhaps through another business unit or shadow IT, dare I say, but also in addition to that to start to manage those assets in a far more productive way, so your procurement systems are also linked into these systems as well. When...
Phil: Simon, I want to talk a little bit about discovery and the importance of the type of discovery that our solutions at Ivanti have. There's a number of other products on the market that also perform asset discovery. And, by and large, those products perform discovery from an agent perspective. And essentially what they do is they perform what's known as an Nmap ping scan across the network, which is a good way to identify... it's an active way to identify devices.
As many of you are aware, oftentimes you'll bring up a server and deliberately turn ping off, you want that particular server to not respond to ping requests. And these solutions that are doing active scanning might not discover some of those servers or some of those assets if they're not responding to ping or if they're not responding to SYN requests or things like that. Those active tools are valuable and important but they can't be the entire end of your discovery capability.
At Ivanti, our discovery tools have a total of 14 different methods by which they gather server information, including passive scans. So when your machine, for example, sends out an ARP request, which it needs to do every time it tries to attach somewhere on the network, our discovery solution will find that and identify your server based on that kind of activity. So we have a combination of active and passive scanning techniques that are used to identify new devices as they're coming onto and going off of the network.
Simon: Yeah. And with regard to GDPR specifically, Phil, I mean, we are talking here about being able to demonstrate that you have got a level of control and visibility into your environment at all times. So the...
Phil: Exactly. One of the things that we're essentially saying to the auditors, assuming we get auditors coming into our environment, is, "I know that we're taking care of the customer data because I can demonstrate where that customer data resides, I can show you the servers that it's on, and I have a process by which I gather and collect new information about servers as they come onto and roll off of our environment. And that is part and parcel of making sure that we're adequately caring for the customer data." It's not the whole thing. Obviously I can't say, "I have an inventory, therefore I'm GDPR compliant." But part of the solution is, "I keep an active inventory which is dynamic, and it changes as my environment changes."
Simon: Yeah, yeah. And again, for a lot of organizations that I'm working with at the moment, this is the first step towards compliance, right? It's a case of we need to make sure that we know what devices we've got, what applications we've got, what data is contained within those applications, who's accessing some of that information, where it's being accessed from. And I think the toolset that we've got goes a considerable way to helping organizations have that level of discovery and visibility.
Simon: Good. Security, you've mentioned a few times secure by design, people talk around protecting personally identifiable information. What do we want to say on security, Phil?
Phil: When it comes to this concept of secure by design, part of what they're looking for is a solution, but not even really a solution but a mindset and a paradigm where your environment provides the right level of security. You know, assuming that you've got that data subject personally identifiable information in your environment, the whole idea is making sure that your IT environment contains adequate security that demonstrates to the European Union that you care about and are making the right kind of investment in data subject data protection and data privacy.
From kind of a larger overview perspective, that's what they're looking for. You are warehousing data subject private data, and you need to be paying adequate attention to how that data gets secured.
Simon: Okay, okay. So in terms of how we help, the first thing we have the ability to do, and I'm gonna reference back to the top five critical security controls again, it specifically calls out the ability to do vulnerability assessment and patch management. And I think we saw, sadly far too many times in 2017, for instance last year with things like WannaCry, that far too many organizations, far too many endpoints and systems, weren't up to date and weren't patched, and those with known vulnerabilities became a target of the WannaCry outbreak.
And so one of the things that we have the ability to do is to patch, to understand what vulnerabilities exist within the environment. Again, part of that is the discovery phase, so being able to understand what machines you've got switched on in your environment that haven't been patched and do have known vulnerabilities, and whether they're critical ones or not. And the ability to automate that patching, the ability to actually start to achieve a level of Cyber Essentials certification, for instance, so you can actually patch within a one- or two-week window as opposed to it being a fairly manual task that can take weeks if not months for some organizations.
And it's important there not just to patch the operating system, or dare I say just the Microsoft tools and applications that exist, but a lot of the third-party applications that exist as well, because a lot of the CVEs exist for those, right?
Phil: You're exactly right. Microsoft vulnerabilities represent somewhere in the neighborhood of 30% to 40% of the vulnerabilities that show up across the vulnerability database; that's a significant number of vulnerabilities. But that means that 60% to 70% of those vulnerabilities, if you're only patching operating system or Microsoft-specific things, 60% to 70% of your vulnerabilities are not being patched. Typically that goes through vendors such as Adobe and Google and Oracle, Oracle because of not only the Oracle database but also because of the Java infrastructure.
Those vulnerabilities are also very significant in the environment; they're easy to identify and they're easy to exploit. There's also a large number of open source solutions that require patching on a fairly frequent basis. OpenSSL is one of those components that, if it's not patched frequently, vulnerabilities are catastrophic in that space and can lead to break-ins fairly quickly.
And you need to have a solution that takes into account all of those things. Microsoft SCCM is a fantastic tool if you only use Microsoft software and if you only use Microsoft operating systems. If you have anything else running on your environment it will largely ignore those tools unless you have an Ivanti plugin to SCCM, or you're using a different Ivanti patch product, that kind of thing. The point is, taking care of patching your infrastructure requires looking at and making modifications to your operating system component and the applications that are running underneath those operating systems.
Simon: Yeah, yeah. And so again, I mean, sure it's one of the top five CIS critical security controls. Many people would argue that this is just getting the basics done. I mean, we should all really be taking a preventative approach and making sure that we patch our systems. I think a lot of organizations that I speak to struggle because of time and money, and because there is more than just Microsoft applications and systems out there now. I mean, you know, people they don't just wanna patch Windows, they wanna patch Mac, they wanna patch Linux. And to your point, they don't just wanna patch the Microsoft applications but also the third-party ones.
So, you know, from a solution point of view, arguably thanks to some innovation during 2016 and an acquisition in fact during the start of 2017, arguably we are the market leader in patch and third-party patch solutions now. But from a GDPR point of view, again, this comes down to two areas in my mind, Phil. First of all, being able to demonstrate that at any moment in time, should a breach have occurred or not, that you have got visibility over your environment, you can understand what vulnerabilities are out there, and then demonstrate that you've got the ability to patch those in a timely manner. Correct?
Phil: Well, let's go back to that 72-hour notification period. One of the requirements under GDPR is, if you do have a breach, you're required to notify the European Union Data Council within 72 hours, assuming you're talking about being the main data processor for European Union data subjects. One of the things that they're going to talk about is, "Okay, you've suffered a breach. Talk to me about what kind of controls you have in place to address that kind of activity."
One of the things that the European Union will do is to assess whether or not they believe you were taking adequate care of data subject data. By the way, the EU data notification process is a public process, so that means that if you were not taking adequate care of the environment post-breach, that information will become publicly available: you were breached and you did not have adequate controls in place to prevent that kind of a breach. That reputation risk should be enough to frighten anybody into realizing that patching is a pretty important part of your GDPR structure.
Simon: Yeah, yeah. And again, I think the point, in fact the title of this webinar, is GDPR a headache, for instance? I mean, patching in itself has been a headache for many organizations. I think part of what we do when we're talking to our customers and they're utilizing our solutions, we try and remove some of that pain associated with patching, but also save a whole host of time and money, right?
Phil: Yeah. And I can tell you as a consumer of these products, as well as somebody who is obviously on the sales side of the product, from a consumer perspective, patching can be a very difficult nut to crack or a very difficult situation to remedy for a lot of organizations. One of the nice things about Ivanti software is it really targets this problem in particular and gives you a very robust, holistic solution across your operating systems and across your operating environment. Even though most companies know that they should have solved this very difficult problem long ago, Ivanti makes the solution for this problem quite straightforward, which is not something that can be said for a lot of tools out there. This can be a very difficult problem. Ivanti has done a fantastic job of making it manageable.
Simon: Yeah, yeah. The other thing, going back to those top five, is around deploying a secure configuration or implementing what some might refer to as application whitelisting or application control. If you look at a lot of the malware, ransomware attacks, phishing attacks that we've seen dramatically increase over the last 12 to 18 months, a lot of those include or utilize a payload that ultimately will execute something on the system that then either steals or encrypts the data, holds an organization to ransom, tries to steal personally identifiable information.
And so application control, application whitelisting, again, is one of those recommendations where people at the CIS are basically saying, "Look, you know, we need to be able to protect these users and protect the endpoints from these malware, phishing attacks, ransomware attacks that are taking place." And, you know, that's something else that we're quite proud that we can achieve. I mean, Phil, you've had some experience again of trying to implement application whitelisting control in the past, right?
Phil: Yeah, you know, Simon, one of the things that's real interesting, as you mentioned this is a CIS top five control, so it's a very important control. But the malware that's come out over the past 18 months and two years has almost entirely not tried to masquerade as some legitimate piece of software. It used to be that malware always tried to masquerade as something legitimate on your machine.
Most malware today doesn't even bother trying to masquerade as something legitimate because most organizations do not have application control running within their environment, so they don't have any ability to block anything that's obviously malicious. I could type... For most organizations, I can create a piece of software called BadGuyMalware.exe, and it would execute and run just fine.
So this is a problem that... The problem here is that there's a lot of organizations that aren't putting app control in place. And the thing that I really like about this, about the solution, is the dynamic nature. And, Simon, I'm hoping that you can talk a little bit about the dynamic nature of the way application control works. But that is from a consumer perspective but it's really nice. I don't have to worry about a static list of executables that are allowed or not allowed on my environment, because that static list gets old, probably, you know, seconds after it gets deployed to the workstations.
Simon: Yeah, yeah. I think on that point, if you take a look at the default box of tools that have been around for many, many years, software restriction policies, AppLocker type of policies that are built into Windows that can do application whitelisting out of the box. The challenge is that every single one of the authorized executables that you need to run needs to be listed. And so if I take a look at my Windows Surface device that's running Windows 10 in front of me now, there's probably 52,000 different executables that I need to be able to execute to get the operating system up and running and the applications running. And I'm talking about MSI files, .EXEs, VB scripts, DLL files, OCX files.
I mean, you scan the Windows System32 directory, you scan Program Files. There are thousands of files. And trying to implement a traditional list of authorized executables across your environment, it just takes too much time and money to do. You will end up employing tens of people to try and stay on top of that. Every time you patch, every time there's a Windows update, every time there's a new application, the list needs to be updated. And what we do...
Phil: Oh, it's an updating headache, you're absolutely right.
Simon: It is. It is. And what we do with our solution is we offer a number of unique ways in which we can ease the burden of that list. We can look at certificates, so we can trust applications that come from people like Microsoft or Google. Sure, we can put a digital fingerprint on the files and check it in that way. But our default method is actually to look at who is what's known as the trusted installer, the person that is actually delivering software down to the environment.
And so out of the box, as a very simple example, if you're using a technology like Ivanti Endpoint Manager or SCCM to deploy your applications, the method in which the applications are being installed becomes the check that we do to see whether it was an authorized executable. And it gives us a very simple way to deploy an application control configuration that prevents user-introduced and unknown executables coming into the environment. So when Simon Townsend is logged on, as I am today, and I receive something via a phishing attack or it comes in via a web drive, via a USB key, whatever it might be, because I'm introducing the file into the environment, by default we actually prevent that from executing. And it gives us a rather unique way of implementing application control.
And there's a whole number of different...I'm gonna call it dials, but configuration settings that you can stand up to tailor that to different user needs. You know, you're going to have some users who might need local… the ability to install applications. You might have some users who are just task-based workers, and you can control them. You might have some mobile workers that, as their context changes, their levels of protection and control can change. And, you know, into that then comes conversations around compliance, and whether certain users can run certain types of applications in certain locations. Again, another good way of demonstrating GDPR compliance as an example.
So app control is a very key area of what our technology can offer people, and it does prevent and protect some of these attacks that we've seen over the last 12, 18 months, specifically that are trying to attack that personally-identifiable information that could be held on a system.
And lastly, from a security point of view, admin rights. Phil, there are far too many organizations who sadly, but understandably, have given users local admin privileges on their devices.
Phil: Yeah, that's true. There are multimillion dollar solutions out there that try to do nothing other than remove admin rights from the lion's share of the users. But we have a solution that simplifies that. And the thing I like about this is, our solution, the Ivanti solution, is actually deployable to developers. As you're aware, developers do require admin rights to do significant portions of their job. But they don't require all the admin rights, they require rights to perform specific types of tasks. And Ivanti's admin rights management solution pinpoints those types of activities that developers as well as system administrators and other folks in the organization do require as part of their work and allows them to have those capabilities. It also allows the capability to elevate privileges for one-time tasks, maybe, that those individuals might need to do on an infrequent basis, that kind of thing.
This bottom bullet that you have here, granular control, is absolutely essential to providing an admin rights management capability that has staying power, that is able to work throughout the entire organization. And again, admin rights management is one of the CIS top five along with inventory control and application control. The reason why this is so important is because one of the ways that malware spreads is it leverages the privileges that the user has to be able to identify other machines, escalate its own privileges.
There's a specific kind of attack called a pass-the-hash attack, and that attack is dependent on having administrative rights on a local machine. So a lot of these pieces of malware replicate based on inappropriate admin rights being given to that application to be able to run.
Simon: Yeah, yeah. And I think that something like patching last year would have been an example of something that used elevated admin privileges to spread and to do what it did, you know, in comparison to say something like WannaCry which, as we all know, really utilized a payload and executable and a vulnerability.
So you can really start to see how, combined, a system that is patched and up-to-date and has got application control in place, and has got an admin privilege solution in place, starts to really reduce the attack surface and the surface area that could be used in some of these more recent examples that we've seen in the last 12, 18 months.
Phil: Simon, you're exactly right. Those examples that you were just citing earlier would be either completely arrested or certainly significantly curtailed in an environment if those three relatively basic controls were implemented within an organization. It's very hard for that software to get a foothold if all the systems are patched, if there's very little admin privilege being used, and if the application whitelisting and blacklisting is in place to disallow rogue applications. It's really, really hard for modern malware and modern ransomware to get a hold in that kind of environment.
Simon: Okay, good. All right, so let's switch gears a little bit. We've spoken about discovery and the importance of discovering devices and applications, we've talked about patching, whitelisting, privilege management, they were really the top five. Further down that list of CIS controls, it did start to talk about change control, request management, etc. And that was really from a pure security point of view, but when we talk about GDPR, in my mind, one of the areas I think that gets overlooked is the part in which true service management could play in helping the workflows and the processes and the change that needs to happen from a business point of view, not just from an IT point of view to achieve GDPR compliance. And that really brings us onto sort of like the final section here around service management, right?
Phil: Yeah, Simon, you're exactly right. Service management is kind of like the process glue or the process veneer over all of the individual application, security controls that we've been talking about. And the thing that's really nice about this is from a GDPR audit perspective, auditors love if you have not only solutions in place but you have repeatability in place. The nice thing about service management is it demonstrates repeatability. Not only do I have, you know, the right kind of protections in place but I can demonstrate because I have a service management workflow, that I use them on a frequent basis. I can deploy patches as part of a change control mechanism. I can make sure that applications are provisioned to users through our service request, which is part of the service management process. As we identify issues and problems within our environment, I tackle them through our incident management process and our problem management process.
All of those things demonstrate that I'm keeping logs and keeping accurate records of these things, and that I have a repeatable process for how I manage that kind of stuff. That gives auditors a great deal of comfort, and it also should give organizations a great deal of comfort that the solutions that they have in place are in fact being followed by the rank and file people who are tasked with, you know, the day-to-day operation of those activities within the IT organization.
Simon: Yeah, yeah. I mean, if you go to ivanti.com, or if you've ever seen any of our corporate presentations, you'll know that we talk about this concept of the unification of IT or unifying IT. And service management and our service management solutions really play a key part in that, as do things like automation. But to Phil's point, you know, security tools, unified endpoint management tools, defined management tools, MDM solutions, patching solutions, they've been very siloed for far too many years, and something like GDPR ultimately spans across not just the IT organization but across the business. And I really do think that service management plays a key part in being able to bring a lot of that together.
You know, two examples I can give real quick is, if I'm a user now, if I'm a consumer now and I decide to call up an organization after May of this year, and I say, "Hey, I'd like to know what personally identifiable information you've got on me." That organization needs to process that request. That request needs to be recorded, the data needs to be found, it needs to be presented back to me, Simon Townsend, and I may then decide, "Hey, I don't like the fact you've got my Twitter handle. I don't like the fact that you're storing my mobile phone number." And I can raise another request to have that data, PII data, removed.
That whole process, that whole workflow and the request needs to be managed, but it also needs to be automated, and it needs to be audited, and I think service management plays a very key part in that. Even more so, if a breach was then to take place in six months' time and sadly some data had been lost or stolen, then you need to be able to demonstrate that you did actually delete Simon Townsend's data six months ago before that breach took place, because, I mean, ultimately, that would be a very difficult scenario and situation for someone to be in if someone had, six months prior to the breach, requested their information was deleted and that process hadn't taken place.
Phil: Yeah, you're right. Simon, this is a key component to being able to demonstrate to your data subjects as well as to the auditors and the regulatory bodies that as an organization you are providing the right level of care for the private data that you're the custodian over.
Simon: Yeah, yeah, yeah. So, I mean, from an Ivanti point of view, just as a little bit of background, in January 2016, LANDESK and HEAT merged to become Ivanti. That immediately meant that we had a combined service management installed base of somewhere in the region of 5,000 - 5,500 customers, we're recognized in the Gartner Magic Quadrant for our service desk and true service management solutions.
But, you know, regardless of whether you're utilizing Ivanti service management tools or whether you're using another third party, our belief here is, you know, service management is a key component of GDPR, and also linking in some of those other things that we've mentioned like discovery, like patch, application control, they should actually be part of the service management mesh or framework that you're putting in place, right? The more you can start to unify elements of your IT, the quicker you are gonna be able to respond to personally identifiable information requests, and also respond to a breach should a breach take place.
So, lastly, it's worth noting that Ivanti have got a technology called Xtraction that we make available to all of our customers. For many of our customers they're entitled to this in one way or another free of charge, for other customers it is a chargeable piece of technology. But Xtraction gives us the ability to create dashboards based on other datasets. So, information coming from SCCM, information coming from SolarWinds, information coming from ServiceNow, information coming from Ivanti security or service management products, for instance. We have the ability to create customizable dashboards, analyst dashboards, interactive or read-only dashboards that can actually start to present some of this information.
So the final thing we really wanted to talk about was, how do we start to pull all of this information together? If service management is providing the workflow and the process engine if you like, that is helping with GDPR compliance. Xtraction gives us immediate visibility, real-time visibility into what's going on in our estate across a number of different areas. So as an example, you know we can report, in the top left-hand corner of the dashboard, where we are with relation to vulnerabilities or our patch status or our patch window. We can monitor application requests, we can monitor privilege management requests, we could see how many devices have been discovered, how many machines have come offline and have come online. And we can couple that with other datasets from other third-party tools as well.
So Xtraction really gives us that visibility, an ongoing visibility into not just the solutions and the technologies that we've already spoken about, but others as well. And I think Xtraction was just worth calling out at the end here, wasn't it, Phil?
Phil: Yeah, I completely agree. Having adequate visibility from a reporting perspective is really important. And the reason for that is because the things that you fix or the things that you remediate, or the things that you improve are the same things that your organization measures. That's just a paradigm that I've seen to be true all the time, virtually everywhere I've been: you improve and fix the things that get measured. So you wanna make sure you're measuring the right stuff, because that's what's going to be fixed. And having a tool, a strong tool that has machine learning, AI capabilities, and the ability to kind of take a cross-sectional cut at your data is really important.
Phil: I know that we're running up against the top of the hour, but we do have a couple of questions that I was hoping we'd get a chance to get to.
Simon: Let's do it.
Phil: All right. And so let's go through a couple of these. Shawn asked, "Who is required to comply with GDPR?" That's a great question. And the short answer is, virtually anybody who is selling product in the European Union, who is storing the data of European Union individuals, whom we call data subjects. So if you're selling to a company and one of the contacts in that company lives in Europe, then you're storing that person's data, then you're required to be compliant with GDPR.
So, anytime that you're storing data subject information within the European Union, you're required to be GDPR compliant. Now, the level to which you need to be compliant and the degree of formality changes depending on how involved and how large the organization is, but rest assured you need to be compliant if you've got that kind of data.
Let's see. One of the other questions that came up which I think is a good thing for us to talk about is this one, "Under GDPR, do you need to appoint a DPO if processing data is not your core activity?" DPO stands for data protection officer. And there's some room for interpretation in the regulation. I think Ivanti's interpretation is that, if you're holding data subject information, private data, you need to have a data protection officer. The level at which that person resides within the organization is something that you can make some modifications on. You can have a data protection officer that is, you know, a temporary or a part-time employee, all the way up to somebody who represents the C-level within the organization depending on how much data you have.
One of the other questions really talks about a specific type of data within the GDPR called special data. Special data is data that is particularly sensitive for your data subjects, and that includes things like racial or ethnic origin, political opinions, religious beliefs and that kind of thing. It goes all the way to health data, gender and sexual orientation kind of issues as well. Any of that kind of data, if you're storing it, becomes special data and requires an extra layer of more sensitive protection in order to be GDPR compliant.
Simon: So, Phil, let me... Any more questions just before… I was gonna finish up on one question I had for you actually. But any more questions you wanna cover?
Phil: Fire away. I think that's kind of our list of questions here.
Simon: Okay, okay. So just to finish up then, Phil, you're obviously the CISO for Ivanti, GDPR is something that we've been working on for compliance, something we've been working on for some time and we'll continue to do so internally and externally for our customers. Do you see it as a headache or do you see it as an opportunity?
Phil: I think that our customers should see it as an opportunity. This is a chance for an organization to put in place the types of controls that we all know and probably needed to be there well in advance of this anyway. Quite honestly, I'm looking at it as an excuse to be able to say, "Hey, look, now we have to be compliant for this, so let's go ahead and bite the bullet and do what we know we should be doing, we should have been doing all along," that kind of thing. And I think organizations should be looking at it that way, as an opportunity to put the kind of controls in place that they know they should be putting in place.
Simon: Yeah, yeah, and I think that's the right answer and probably a good place to end. So if you want more information, there's a microsite on ivanti.com all around GDPR. Keep your eye out for additional datasheets and information around GDPR that we're going to be bringing to market over the course of the next weeks and months. If you wanna get in touch with myself or Phil, please feel free to reach out to your local, regional contact at Ivanti.
And with that, I'd just like to say thank you very much to Phil for joining me on this webinar. And thank you to all of you for attending and staying with us for the duration. I hope you found it informative. If there are any more questions then please do get in contact, and we'll do our very best to answer them for you. Thank you very much.