Identity Is Power

You can quickly ensure your company’s technical compliance with the Law on the Protection of Personal Data with our Software-Based ID and Data Protection Solution.

Technical Compliance with the Law on the Protection of Personal Data

The most critical step in compliance is to figure out which data is in the nature of “Personal Data” among thousands of gigabytes of data stacks stored in your Company, and to ensure that such data is set apart from other data. The Data Classification Engine in our ID and Data Protection Solution ensures quick detection of personal data through rapid Data Classification. With SailPoint ID and Data Protection Software, protection and security of the personal data stored in your company is managed and reported from a unified platform in real time.

What is personal data? How is Personal Data protected?

Enacted as part of the EU harmonization process, ‘the Law on the Protection of Personal Data’ defines personal data as ‘Any information relating to an identified or identifiable natural person’. The Law divides personal data into two categories: general personal data and special personal data (sensitive data).

The penalty stipulated for unlawful recording and processing of sensitive data is twice the penalty for such use of general personal data. Examples of general personal data include ID, bank account details, credit card details, Internet IP address details, photos and so on, while examples of special personal data (sensitive data) include health data, legal data, criminal records, biometric data (fingerprint, retina), association/foundation/union membership, and religious/political/philosophical views of a person.

Does your company collect or process personal data?

“Processing of data” is defined in the Law on the Protection of Personal Data as “any operation upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer or categorization.” Therefore, any record (from job applications to your company to customer records you have been retaining, e-mail correspondence or forms created on your websites) falls within the scope of processing of personal data in terms of the Law on the Protection of Personal Data. Companies will be able to process personal data upon the explicit consent of the individual in accordance with the general provisions stipulated in the Law on the Protection of Personal Data.

What Are the Obligations of Data Controller?

a) The obligation to delete, destroy or anonymize data requires that personal data that is processed legally shall be deleted, destroyed or anonymized either ex officio or upon request by the data subject in the event that the reasons necessitating their processing cease to exist, in accordance with Article 7 of the Law on the Protection of Personal Data.

b) The Obligation to Inform

As per Article 10 of the law, the Data Controller is obliged to inform the data subjects about the purposes for which Personal Data will be processed; the persons to whom this data might be transferred and the purposes for the same; the method and legal reason for collection of personal data. In other words, the data subject must be notified in writing about the abovementioned issues, where data is collected (e.g. via a form on your website).

c) Obligations Regarding Data Security

As per Article 12 of the Law on the Protection of Personal Data, the data controller shall take all necessary technical and organizational measures to provide an appropriate level of security in order to
• Prevent unlawful processing of personal data,
• Prevent unlawful access to personal data,
• Safeguard personal data.

As part of this obligation, all companies are required to take the necessary measures for granular data and access control, under the title of data controller.

As an example, let’s assume that a file named personaldata.doc stored within the company contains a customer’s general and special personal data.

You must keep track of which personnel created the aforementioned file, when they created it, and which personnel have access to it. Additionally, access to personaldata.doc must be controlled, with only authorized personnel being granted access to it.

It should be possible to deny access for any unauthorized personnel. Where required, it should be possible to report access and read-write transactions for personaldata.doc with a timestamp on the basis of personnel.

Consultancy on the Law on the Protection of Personal Data

With SailPoint ID and Data Protection Software, the security of the personal data stored in your company is managed on a unified platform in real time. We have secured many organizations’ rapid compliance with the Law on the Protection of Personal Data with SailPoint. Call us now for your company’s compliance with the Law on the Protection of Personal Data!

Need more help?

Please contact us for technical advice regarding our products and a free consultation.

When Identity Meets Data

Data is the foundation of trade in the modern world. It is the backbone of every business, regardless of sector or location. Data is everywhere in this day and age, when everything is connected to the Internet: data centers, corporate desktop systems, e-mails and even users’ personal mobile devices. Data enables us to share and store information about a great many corporate activities such as business activity plans, financial outcomes, trade secrets and programs for employees. Employees, contracting organizations, business partners and producer firms communicate with each other every day through data. Data can exist in many forms and be stored in a wide range of locations. However, failure to protect data can result in irreparable damage in terms of your company’s financial situation and reputation.

The creation process is different for individual sets of data. Certain data (e.g. corporate financial data, intellectual property, and data that is strictly regulated by law, such as identifiable personal data) must be treated specially in order to minimize negative outcomes that could be caused by inappropriate on-site or off-site use of said data, as well as mitigating the risk of data theft. Securing access to data, especially sensitive data, is tedious, as data can be stored in a huge number of locations. Protection of sensitive data, which is referred to by some as an organization’s “Crown Jewels” (with reference to transferring certain precious assets to ensure continuity in the British Monarchy), can be particularly difficult. Organizations’ “jewels” require special attention, because such data is as precious as the British Crown Jewels.

Hidden Vulnerabilities in Data Protection

Unlike the physical jewels of the Kings and Queens, sensitive data protection is not merely based on ensuring physical security. Data is deemed precious in an organization if it can be accessed but such access should be granted to the right people only. Therefore, managing access to data is crucial to ensure the protection of such data against data theft or use by ill-intentioned person(s). It used to be possible to store sensitive data, including financial data or customer data, on platforms such as central processing units, ERPs or data centers where access can be controlled strictly. Organizations can make it easier to manage access to sensitive data stored on such systems by means of assigning well-known processes and tools (e.g. ID and access management solutions) to a third-party intermediary firm.

Unfortunately, structured systems are not the only places to store sensitive data. Unstructured data, i.e. data stored in files outside structured applications and databases, has become a growing issue for organizations all around the globe. Unstructured data usually starts out as structured data within an application; an end user later converts it to a format that is more appropriate for the kind of work involved. Think about how frequently you import sensitive financial data or customer data in your company to a table or document. Naturally, such data is easily shared with other employees, business partners or intermediary firms. It is obvious that data can be transferred from secure and controlled environments to unsafe environments in the blink of an eye.

Most businesses store such a huge volume of unstructured data on file servers, NAS devices, SharePoint websites and cloud data storage services that they are no longer properly aware of the amount of data they retain, where it is located, or who can access it. Failure to manage unstructured data appropriately, in turn, leads to serious risks, the most critical being damage to reputation, as well as being subject to legal sanctions and penalties.

Remediating Vulnerabilities – Managing Access to Entire Data

What can be done to improve the protection of sensitive data? The answer to this question lies in developing an integrated approach for managing access to a company’s entire internal data, whether structured or unstructured, regardless of location, including data applications or files or data centers and the cloud. This is the point where traditional ID and access management solutions prove insufficient. These solutions do secure access to applications – which of course is important – but they do not protect sensitive data stored in unstructured files. Only an ID management solution addressing all applications and data can ensure secure access to your precious assets, regardless of where the data is stored, whether across structured applications and databases or unstructured files. Additionally, the aforementioned ID management solution should also take into account where sensitive data is stored and the means by which access is granted. Developing a comprehensive approach therefore helps organizations find out which person(s) has access to data, while supporting the preventive and detective control mechanisms required for restricting access to data and ID details, and ensuring fulfillment of growing legal obligations, especially SOX and GDPR.

Designing Preventive Controls for Real-Time Management

Once you have determined the location of sensitive data, and ensured that it is stored in the correct location based on the right access model, you then need to facilitate preventive controls required to make sure that only the right persons can access the relevant data. Access to sensitive data is highly restricted, and users need to be authorized to access the applications and files in order to perform their tasks. One may argue that this all sounds like taking the easy way out. However, do you know which of your data is of sensitive nature and which access privileges are available for any function in your organization?

Data management tools can facilitate this process by means of detecting internal sensitive data as well as collecting and reviewing permissions by showing “which persons have access to which data”. Access within the scope of identity governance can ensure that user access is in line with the corporate policies and job descriptions throughout their term of office in that company, while changes are applied too. Preventive controls ensuring users’ proper access to the right data include real-time sanctions during access requests, or automatic audit and approval procedures determined by executives, data subjects or application owners. Adopting a single, unified approach to granting access and applying real-time sanctions to ensure conformity to the principles regarding such access, means organizations can not only simplify the access granting processes, but they can also cement their attitude towards security.

Applying Detective Controls Across All Bases

For anomalies requiring auditing, organizations need detective controls to review and monitor user access and activities. In other words, merely defining the access controls and then leaving them as is will not be sufficient. A large number of elements (users, applications, directories etc.) will constantly change in that environment, and there are times when policies and procedures are not strictly followed. Detective controls enable organizations to preemptively determine and fix issues before a critical vulnerability issue arises. Such controls may include, as examples, regular access reviews by supervisors and data subjects, as well as monitoring of user activity that may affect sensitive data. Every organization should detect, for their own good, dangerous activities such as cases where a former employee still has access to sensitive data stored on the cloud, even after their dismissal, or when a user downloads huge amounts of data from time to time.

As with preventive controls, a consistent and integrated approach to applying detective controls is one of the fundamental aspects of an efficient identity governance program designed to manage especially sensitive data stored on applications, databases and files.
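
The two detective checks named above (a former employee who still has access, and a user who downloads an unusually large amount of data) can be run over an access log as follows. This is an added example, not SailPoint code; the record layouts, user names, paths and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR roster: user -> termination date (None = still employed).
HR_ROSTER = {"akaya": None, "bdemir": date(2024, 3, 1), "cyilmaz": None}

# Constructed access log: (timestamp, user, action, resource, bytes transferred).
ACCESS_LOG = [
    ("2024-02-20T14:00:00", "bdemir",  "read",  "/hr/personaldata.doc", 48_000),
    ("2024-03-04T09:12:00", "akaya",   "read",  "/hr/personaldata.doc", 48_000),
    ("2024-03-04T09:30:00", "bdemir",  "read",  "/hr/personaldata.doc", 48_000),
    ("2024-03-04T10:02:00", "cyilmaz", "read",  "/sales/leads.xlsx", 120_000),
    ("2024-03-05T11:15:00", "cyilmaz", "read",  "/sales/leads.xlsx", 110_000),
    ("2024-03-06T02:40:00", "cyilmaz", "read",  "/sales/archive.zip", 900_000_000),
    ("2024-03-06T08:05:00", "svc_old", "write", "/hr/personaldata.doc", 2_000),
]


def stale_identity_access(log, roster):
    """Events by accounts that HR says should no longer have access."""
    findings = []
    for ts, user, action, resource, _size in log:
        when = datetime.fromisoformat(ts)
        if user not in roster:
            reason = "no HR record (orphaned account)"
        elif roster[user] is not None and when.date() >= roster[user]:
            reason = f"terminated {roster[user].isoformat()}"
        else:
            continue  # active employee, or access before the termination date
        findings.append((ts, user, action, resource, reason))
    return sorted(findings)


def bulk_downloads(log, factor=10, floor_bytes=100_000_000):
    """User-days whose read volume dwarfs that user's own median day.

    A day is flagged when it is at least floor_bytes AND more than
    factor times the median of the user's other days. A user with no
    other days has a baseline of 0, so only the floor applies.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _resource, size in log:
        if action == "read":
            daily[user][datetime.fromisoformat(ts).date()] += size
    findings = []
    for user, days in daily.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if total >= floor_bytes and total > factor * baseline:
                findings.append((user, day.isoformat(), total, baseline))
    return sorted(findings)


if __name__ == "__main__":
    for finding in stale_identity_access(ACCESS_LOG, HR_ROSTER):
        print("STALE ", *finding)
    for finding in bulk_downloads(ACCESS_LOG):
        print("VOLUME", *finding)
```

Both functions return timestamped findings per user, which is also the shape of report the personaldata.doc example earlier on the page calls for.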

Summary

One may believe that protection of sensitive data is daunting due to the difficulties mentioned above. Fortunately, there is a solution that helps organizations address the expanding amount of sensitive data they retain, and align access with the requirements of users needing to access that data. This solution is identity management. The key to success here lies in establishing a balance between security and convenience. Trade is based on granting easy and real-time access to data that needs to be processed. However, such convenience should be balanced with powerful control mechanisms to protect data from curious eyes. You can minimize risks and protect your organization from threats by adopting a comprehensive approach to access management.

  • IdentityIQ

    When Identity Meets Data

    Managing access to information in today’s dynamic, data-driven environment is a challenge—and one that demands much more from identity and access management (IAM) solutions than ever before. To be effective, these solutions must deliver access to all the applications and information that users need, when they need it, from wherever they need it, while ensuring enterprise security policies are consistently enforced. And they must provide the transparency and proof of strong controls required to satisfy audit and compliance requirements.

    SailPoint is a renowned leading organization in terms of identity and access management around the world. IdentityIQ is a rapid and reliable governance-based IAM solution that enables corporate users to maintain efficiency. IdentityIQ integrates compliance management and provisioning in a unified solution that leverages a common identity governance framework. Thanks to this approach, IdentityIQ consistently applies business and security policy and role and risk models across all IAM processes.

    IdentityIQ Compliance Manager enables companies to streamline compliance processes while lowering costs. Compliance Manager integrates access certifications, policy management and auditing reports, and automates compliance controls associated with a powerful identity governance program.

    Business-friendly Access Certifications
    Lowers the costs and workload required in the compliance process
    Streamlines adjustment, management and monitoring of user access reviews
    Streamlines access reviews with a focus on areas with higher risks
    Automates removal of redundant or inappropriate access rights

    Automated Policy Management
    Defines and rapidly deploys the applicable policies
    Automatically searches, detects and eliminates policy violations
    Mitigates risks and sorts policy application activities based on priority

    Audit Reporting and Analytics
    Streamlines preparation of audit reports by means of previously-defined reports and administration panels
    Ensures transparency of IAM data on corporate applications and applications on the cloud

    IdentityIQ Lifecycle Manager
    Delivers a business-oriented solution to manage changes regarding user access
    Delivers a rapid, reliable and cost-effective solution by combining self-service tools for the company, with automated user configuration driven by IT

    Self-Service Access Request
    Empowers users to manage access, without needing to contact the help desk
    Guides users easily throughout the access request process
    Applies policy controls proactively

    Automated Provisioning
    Triggers necessary access changes after detecting each of the lifecycle events
    Starts previously-defined business procedures or procedures structured by customers
    Automatically ensures access’s compliance with policies
    Organizes changes through provisioning connectors or manual tasks

    Integrated Password Management
    Eliminates the need to call help desk for password resets and changes, while enhancing security through the requirement of a strong password for all applications
    Blocks and synchronizes local password changes

    The IdentityIQ Governance Platform lays the foundation for both Compliance Manager and Life Cycle Manager by centralizing identity data and providing a single platform to model roles, policies, and risk. This governance-driven approach enables organizations to:

    See users, accounts and authorizations on all applications, as well as structured and unstructured sources, from a single screen for “big picture” visibility and control; Eliminate inconsistencies and redundancy by applying a common policy for all IAM activities; Improve focus on controls with rapid detection of risky areas for users and applications; Save time and money by leveraging a common workflow engine for data; Perform rapid deployment across platforms, databases, shared files, directories, hosts and data bases or company applications running on the cloud, through connectors included in pre-set packages.

    Identity Intelligence
    IdentityIQ transforms technical identity data scattered across multiple enterprise systems into centralized, easily understood and business-relevant information. Your organization can quickly identify risks, spot compliance issues and make the right decisions to improve effectiveness through identity intelligence. SailPoint pioneered Identity Intelligence solutions and is an internationally renowned industry leader in the provision of business-related information for effective identity and access management.

    IdentityIQ Allows Customers to: Reduce Inappropriate Access Risk, Enhance Efficiency, while Lowering Costs, Boost Auditing Performance, and Enhance User Satisfaction. The difference is clear: IdentityIQ is designed for the business user. It translates IT speak into actionable business information and simplifies user experience. IdentityIQ is ready for today’s complex hybrid IT environments and unifies identity management processes across cloud, mobile and in-house environments. SailPoint’s governance-based controls centralize visibility, improve compliance and minimize risk by uniformly applying controls across all IAM services, thus significantly lowering deployment costs.

  • SecurityIQ

    Data Access Management for Unstructured Data

    Management of unstructured data is a growing problem. The amount of data stored in file servers and NAS devices, collaboration portals, mailboxes and cloud folders has increased exponentially over the past few years. However, with no easy means to track, control and protect unstructured data, organizations face growing security and regulatory risks. As an internationally-renowned leader in ID and access management (IAM), SailPoint delivers SecurityIQ as a business-driven access governance solution that runs seamlessly with SailPoint’s IAM solutions so as to detect sensitive data that resides in organizations and control access to data, which helps organizations protect unstructured data.

    SecurityIQ enables organizations to centrally manage and control access to both structured and unstructured data, applying consistent administrative processes, policies and controls. Many companies with data remaining unmanaged and unprotected face critical risks. SecurityIQ identifies where sensitive data resides, determines who has access to such data and how they can use it, and ensures controls required to protect data, minimizing such risks. SecurityIQ provides proof of compliance during audits, helping organizations satisfy regulatory requirements and reducing the time spent on error diagnosis, forensics and data management tasks, which in turn boosts personnel productivity. It additionally eliminates existing challenges related to managing how users will access unstructured data throughout their term of office at the organization.

    Data Discovery and Classification
    Find Where Sensitive Data Resides
    In most organizations, sensitive information such as financial data, customer data, credit card details and personal health details can be found in hundreds of places: on file shares, on SharePoint sites, in cloud storage services and in email folders. SecurityIQ allows organizations to find and classify this sensitive data, so they can put the required control mechanisms in place to manage and protect it. SecurityIQ enables companies to: Review sensitive data on files by using keywords, special characters and regular expressions; Improve accuracy and eliminate false-positives by utilizing verification algorithms for common data types; Develop flexible methods where sensitive data can be classified through content- or behavior-based approaches; and data can be classified according to how it is used, through activity tracking.

    Permissions Management
    Unstructured data is impossible to manage and control without a complete understanding of how users are granted access. SecurityIQ automatically collects and analyzes effective permissions across in-house Windows file servers, NAS devices, SharePoint and Exchange, as well as cloud-based portals, including Office 365, Box, Dropbox and Google Drive. Full visibility across current access to the entire data of an organization can be achieved from a single management panel. It is possible to detect and deny redundant access (e.g. open sharing, sites, mailboxes etc.) to sensitive data. Activity tracking helps to mutually control current access, reporting and eliminating non-used authorization. Consistency between access management for internal unstructured data and the best practices can be achieved.

    Data Activity Tracking
    Discover Who Accessed Sensitive Files
    To prevent security breaches and information theft, or minimize the potential damage when an incident occurs, organizations need real-time tracking of users and their access to sensitive files or ability to change file permissions, and respond to violations in real-time. SecurityIQ captures activities for all users on the monitored resources, and enriches these activities with user and machine details obtained from directories, IAM systems, HR applications and any other data sources. SecurityIQ’s intuitive graphic interface and reports provide detailed forensic analytics and auditing on data usage, while providing solutions to the following issues:

    Complete Coverage
    Extend Your IAM Strategy
    SecurityIQ shares information with SailPoint IAM systems to provide comprehensive governance of access to unstructured data. By augmenting the volume of IAM data from structured systems with permission data from unstructured data targets, organizations can more quickly identify risks, spot compliance issues, and make the right decisions to strengthen controls. SecurityIQ provides centralized visibility across any data, whether structured or unstructured, and all applications and users within an organization. It adds unstructured data targets to preventive and detective controls, such as access certifications and task distinction policy sanctions. It automates configurations to revoke inappropriate access and access to unstructured data pools. It transfers to the IAM system the real-time activity data to mitigate risks and facilitate easier understanding of appropriate use patterns.

    SecurityIQ Allows Customers to: Mitigate Risk of Inappropriate Access, Improve Audit Performance, Reduce Operational Costs, Improve IT Staff Productivity. The difference is clear: SecurityIQ provides comprehensive detection, classification and monitoring of unstructured data, both in-house and on the cloud. SecurityIQ shares information with SailPoint’s IAM solutions seamlessly, centrally managing and controlling all organizational applications and data, whether structured or unstructured. SecurityIQ runs properly and seamlessly with the best classification practices achieved through breakthrough methods and rapid deployment connectors.
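
The Data Discovery and Classification description above pairs regular expressions with verification algorithms to cut false positives. The sketch below shows that pairing for two of the data types the page mentions, credit card and bank account details. It is an added example, not SailPoint code: the patterns and the choice of the Luhn and IBAN mod-97 checks are assumptions, and the document text is constructed around published test values.

```python
import re

# Candidate patterns: deliberately loose, so they over-match.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 check: move 4 chars to the end, A=10..Z=35, mod 97 == 1."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


DETECTORS = [("credit_card", CARD_RE, luhn_ok), ("iban", IBAN_RE, iban_ok)]

# Constructed document: one real-looking card and IBAN (public test values),
# plus look-alikes that a regex-only scanner would report.
DOC = (
    "Customer paid with card 4111 1111 1111 1111 on 12 March.\n"
    "Order reference 1234567890123456 shipped.\n"
    "Refund to IBAN GB82 WEST 1234 5698 7654 32 approved.\n"
    "Old account GB82 WEST 1234 5698 7654 33 closed.\n"
)


def classify(text):
    """Return (verified, rejected) hits; values are masked to the last 4 chars."""
    verified, rejected = [], []
    for label, pattern, check in DETECTORS:
        for match in pattern.finditer(text):
            value = re.sub(r"[ -]", "", match.group())
            masked = "*" * (len(value) - 4) + value[-4:]
            (verified if check(value) else rejected).append((label, masked))
    return verified, rejected


if __name__ == "__main__":
    ok, dropped = classify(DOC)
    print("verified:", ok)
    print("rejected by checksum:", dropped)
```

Regex matching alone reports six candidates in the sample, including the digit run inside each IBAN matched as a card number; the checksums keep two.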

What is SailPoint?

As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of global organizations securely and effectively deliver and manage user access from any device to applications residing in the data center, on mobile devices, and on the cloud. The company’s innovative product portfolio provides customers with an integrated set of core services including identity governance, provisioning, and access management delivered in-house or from the cloud (IAM-as-a-service).

“We use AirWatch to secure and manage all the smartphones and tablets in our company.”

Murat Zobu

Migros Ticaret A.Ş.