Identity Is Power
You can quickly ensure your company’s technical compliance with the Law on the Protection of Personal Data with our Software-Based ID and Data Protection Solution.
You can quickly ensure your company’s technical compliance with the Law on the Protection of Personal Data with our Software-Based ID and Data Protection Solution.
The most critical step in compliance is to figure out which data is in the nature of “Personal Data” among thousands of gigabytes of data stacks stored in your Company, and to ensure that such data is set apart from other data. The Data Classification Engine in our ID and Data Protection Solution ensures quick detection of personal data through rapid Data Classification. With SailPoint ID and Data Protection Software, protection and security of the personal data stored in your company is managed and reported from a unified platform in real time.
What is personal data? How is Personal Data protected?
Enacted as part of the EU harmonization process, ‘the Law on the Protection of Personal Data’ defines personal data as ‘Any information relating to an identified or identifiable natural person’. The Law divides personal data into two categories; general personal data and special personal data (sensitive data).
The penalty stipulated for unlawful recording and processing of sensitive data is twice that of the penalty for such use of General personal data. Examples for General Personal Data include ID, bank account details, credit card details, Internet IP address details, photos and so on, while examples for Special personal data (Sensitive Data) include Health data, Legal Data, Criminal Records, Biometric Data (Fingerprint, Retina), Association/Foundation/Union membership, and Religious/Political/Philosophical views of a person.
Does your company collect or process personal data?
Processing of data” is defined in the Law on the Protection of Personal data as “any operation upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer or categorization.” Therefore, any record—from job applications to your company to customer records you have been retaining, e-mail correspondence or forms created on your websites—falls within the scope of processing of personal data in terms of Protection of Personal data. Companies will be able to process personal data upon the explicit consent of the individual in accordance with the general provisions stipulated in the Law on the Protection of Personal Data.
What Are the Obligations of Data Controller?
a) The obligation to delete, destroy or anonymize data requires that personal data that is processed legally shall be deleted, destroyed or anonymized either ex officio or upon request by the data subject in the event that the reasons necessitating their processing cease to exist, in accordance with Article 7 of the Law on the Protection of Personal Data.
b) The Obligation to Inform
As per Article 10 of the law, the Data Controller is obliged to inform the data subjects about the purposes for which Personal Data will be processed; the persons to whom this data might be transferred and the purposes for the same; the method and legal reason for collection of personal data. In other words, the data subject must be notified in writing about the abovementioned issues, where data is collected (e.g. via a form on your website).
c) Obligations Regarding Data Security
As per Article 12 of the Law on the Protection of Personal Data, the data controller shall take all necessary technical and organizational measures to provide an appropriate level of security in order to
• Prevent unlawful processing of personal data,
• Prevent unlawful access to personal data,
• Safeguard personal data.
As part of this obligation, all companies are required to take the necessary measures for granular data and access control, under the title of data controller.
As an example, let’s assume that a file named personaldata.doc stored within the company contains a customer’s general and special personal data.
You must keep the track of the personnel who created the aforementioned file, when they created it, and which personnel have access to it. Additionally, access to personaldata.doc must be controlled, with only authorized personnel being granted access thereto.
It should be possible to deny access for any unauthorized personnel. Where required, it should be possible to report access and read-write transactions for personaldata.doc with a timestamp on the basis of personnel.
Consultancy on the Law on the Protection of Personal Data
With SailPoint ID and Data Protection Software, the security of the personal data stored in your company is managed on a unified platform in real time. We have secured many organizations’ rapid compliance with the Law on the Protection of Personal Data with SailPoint. Call us now for your company’s compliance with the Law on the Protection of Personal Data!
When Identity Meets Data
Data is the foundation of trade in the modern world. It is the backbone of every business, regardless of sector or location. Data is everywhere in this day and age, when everything is connected to the Internet: data centers, corporate desktop systems, e-mails and even users’ personal mobile devices. Data enables us to share and store information about a great many corporate activities such as business activity plans, financial outcomes, trade secrets and programs for employees. Employees, contracting organizations, business partners and producer firms communicate with each other every day through data. Data can exist in many forms and be stored in a wide range of locations. However, failure to protect data can result in irreparable damage in terms of your company’s financial situation and reputation.
The creation process is different for individual sets of data. Certain data (e.g. corporate financial data, intellectual property, data controlled by law in a serious manner such as identifiable personal data) must be treated specially in order to minimize negative outcomes that could be caused by inappropriate on-site or off-site use of said data, as well as mitigating the risk of data theft. Securing access to data – especially sensitive data – is tedious, as data can be stored in a huge number of locations. Protection of sensitive data, which is referred by some to as an organization’s “Crown Jewels” (with reference to transferring certain precious assets to ensure continuity in the British Monarchy), can be particularly difficult. Organizations’ “jewels” require special attention, because such data is as precious as the British Crown Jewels.
Hidden Vulnerabilities in Data Protection
Unlike the physical jewels of the Kings and Queens, sensitive data protection is not merely based on ensuring physical security. Data is deemed precious in an organization if it can be accessed but such access should be granted to the right people only. Therefore, managing access to data is crucial to ensure the protection of such data against data theft or use by ill-intentioned person(s). It used to be possible to store sensitive data, including financial data or customer data, on platforms such as central processing units, ERPs or data centers where access can be controlled strictly. Organizations can make it easier to manage access to sensitive data stored on such systems by means of assigning well-known processes and tools (e.g. ID and access management solutions) to a third-party intermediary firm.
Unfortunately, structured systems are not the only places to store sensitive data. Unstructured data; i.e., data stored on files other than structured applications and databases in general, has become a growing issue for organizations all around the globe. Unstructured data is usually seen in the form of structured data within an application. However, an end-user later converts it to a format that is more appropriate for the kind of work involved. Think about how frequently you import sensitive financial data or customer data in your company to a table or document. Naturally, such data is easily shared with other employees, business partners or intermediary firms. It is obvious that data can be transferred from secure and controlled environments to unsafe environments in the blink of an eye.
Most businesses store such a huge volume of unstructured data on file servers, NAS devices, SharePoint websites and cloud data storage services that they are almost no longer aware of the amount of data they retain, nor of the location of such data or person(s) that can access it, in the required manner. Failure to manage unstructured data appropriately, in turn, leads to serious risks, the most critical being damage to reputation , as well as being subject to legal sanctions and penalties.
Remediating Vulnerabilities – Managing Access to Entire Data
What can be done to improve the protection of sensitive data? The answer to this question lies in developing an integrated approach for managing access to a company’s entire internal data, whether structured or unstructured, regardless of location, including data applications or files or data centers and the cloud. This is the point where traditional ID and access management solutions prove insufficient. These solutions do secure access to applications – which of course is important – but they do not protect sensitive data stored in unstructured files. Only an ID management solution addressing all applications and data can ensure secure access to your precious assets, regardless of where the data is stored, whether across structured applications and databases or unstructured files. Additionally, the aforementioned ID management solution should also take into account where sensitive data is stored and the means by which access is granted. Developing a comprehensive approach therefore helps organizations find out which person(s) has access to data, while supporting the preventive and detective control mechanisms required for restricting access to data and ID details, and ensuring fulfillment of growing legal obligations, especially SOX and GDPR.
Designing Preventive Controls for Real-Time Management
Once you have determined the location of sensitive data, and ensured that it is stored in the correct location based on the right access model, you then need to facilitate preventive controls required to make sure that only the right persons can access the relevant data. Access to sensitive data is highly restricted, and users need to be authorized to access the applications and files in order to perform their tasks. One may argue that this all sounds like taking the easy way out. However, do you know which of your data is of sensitive nature and which access privileges are available for any function in your organization?
Data management tools can facilitate this process by means of detecting internal sensitive data as well as collecting and reviewing permissions by showing “which persons have access to which data”. Access within the scope of identity governance can ensure that user access is in line with the corporate policies and job descriptions throughout their term of office in that company, while changes are applied too. Preventive controls ensuring users’ proper access to the right data include real-time sanctions during access requests, or automatic audit and approval procedures determined by executives, data subjects or application owners. Adopting a single, unified approach to granting access and applying real-time sanctions to ensure conformity to the principles regarding such access, means organizations can not only simplify the access granting processes, but they can also cement their attitude towards security.
Applying Detective Controls Across All Basesı
For anomalies requiring auditing, organizations need detective controls to review and monitor user access and activities. In other words, merely defining the access controls and then leaving them as is will not be sufficient. A large number of elements (users, applications, directories etc.) will constantly change in that environment, and there are times when policies and procedures are not strictly followed. Detective controls enable organizations to preemptively determine and fix issues before a critical vulnerability issue arises. Such controls may include, as examples, regular access reviews by supervisors and data subjects, as well as monitoring of user activity that may affect sensitive data. Every organization should detect, for their own good, dangerous activities such as cases where a former employee still has access to sensitive data stored on the cloud, even after their dismissal, or when a user downloads huge amounts of data from time to time.
As with preventive controls, a consistent and integrated approach to applying detective controls is one of the fundamental aspects of an efficient identity governance program designed to manage especially sensitive data stored on applications, databases and files.
One may believe that protection of sensitive data is daunting due to the difficulties mentioned above. Fortunately, there is a solution that helps organizations address the expanding amount of sensitive data they retain, and align access with the requirements of users needing to access that data. This solution is identity management. The key to success here lies in establishing a balance between security and convenience. Trade is based on granting easy and real-time access to data that needs to be processed. However, such convenience should be balanced with powerful control mechanisms to protect data from curious eyes. You can minimize risks and protect your organization from threats by adopting a comprehensive approach to access management.
When Identity Meets Data
Managing access to information in today’s dynamic, data-driven environment is a challenge—and one that demands much more from identity and access management (IAM) solutions than ever before. To be effective, these solutions must deliver access to all the applications and information that users need, when they need it, from wherever they need it, while ensuring enterprise security policies are consistently enforced. And they must provide the transparency and proof of strong controls required to satisfy audit and compliance requirements.
SailPoint is a renowned leading organization in terms of identity and access management around the world. IdentityIQ is a rapid and reliable governance-based IAM solution that enables corporate users to maintain efficiency. IdentityIQ integrates compliance management and provisioning in a unified solution that leverages a common identity governance framework. Thanks to this approach, IdentityIQ consistently applies business and security policy and role and risk models across all IAM processes.
IdentityIQ Compliance Manager enables companies to streamline compliance processes while lowering costs. Compliance Manager integrates access certifications, policy management and auditing reports, and automates compliance controls associated with a powerful identity governance program.
Business-friendly Access Certifications
Automated Policy Management
Audit Reporting and Analytics
IdentityIQ Lifecycle Manager Delivers a business-oriented solution to manage changes regarding user access Delivers a rapid, reliable and cost-effective solution by combining self-service tools for the company, with automated user configuration driven by IT
Self-Service Access Request
Integrated Password Managementi
The IdentityIQ Governance Platform lays the foundation for both Compliance Manager and Life Cycle Manager by centralizing identity data and providing a single platform to model roles, policies, and risk. This governance-driven approach enables organizations to:
See users, accounts and authorizations on all applications, as well as structured and unstructured sources, from a single screen for “big picture” visibility and control; Eliminate inconsistencies and redundancy by applying a common policy for all IAM activities; Improve focus on controls with rapid detection of risky areas for users and applications; Save time and money by leveraging a common workflow engine for data; Perform rapid deployment across platforms, databases, shared files, directories, hosts and data bases or company applications running on the cloud, through connectors included in pre-set packages.
IdentityIQ Allows Customers to: Reduce Inappropriate Access Risk, Enhance Efficiency, while Lowering Costs, Boost Auditing Performance, and Enhance User Satisfaction. The difference is clear: IdentityIQ is designed for the business user. It translates IT speak into actionable business information and simplifies user experience. IdentityIQ is ready for today’s complex hybrid IT environments and unifies identity management processes across cloud, mobile and in-house environments. SailPoint’s governance-based controls centralize visibility, improve compliance and minimize risk by uniformly applying controls across all IAM services, thus significantly lowering deployment costs.
Management of unstructured data is a growing problem. The amount of data stored in file servers and NAS devices, collaboration portals, mailboxes and cloud folders has increased exponentially over the past few years. However, with no easy means to track, control and protect unstructured data, organizations face growing security and regulatory risks. As an internationally-renowned leader in ID and access management (IAM), SailPoint delivers SecurityIQ as a business-driven access governance solution that runs seamlessly with SailPoint’s IAM solutions so as to detect sensitive data that resides in organizations and control access to data, which helps organizations protect unstructured data.
SecurityIQ enables organizations to centrally manage and control access to both structured and unstructured data, applying consistent administrative processes, policies and controls. Many companies with data remaining unmanaged and unprotected face critical risks. SecurityIQ identifies where sensitive data resides, determines who has access to such data and how they can use it, and ensures controls required to protect data, minimizing such risks. SecurityIQ provides proof of compliance during audits, helping organizations satisfy regulatory requirements and reducing the time spent on error diagnosis, forensics and data management tasks, which in turn boosts personnel productivity. It additionally eliminates existing challenges related to managing how users will access unstructured data throughout their term of office at the organization.
Data Discovery and Classification
Data Discovery and Classification Permissions Management
Data Activity Tracking
What is SailPoint?
As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of global organizations securely and effectively deliver and manage user access from any device to applications residing in the data center, on mobile devices, and on the cloud. The company’s innovative product portfolio provides customers with an integrated set of core services including identity governance, provisioning, and access management delivered in-house or from the cloud (IAM-as-a-service).
“Şirketimizdeki tüm akıllı telefon ve tablerin güvenliğinin sağlanması ve yönetimi için AirWatch kullanıyoruz.”
Migros Ticaret A.Ş.