Interset and the General Data Protection Regulation (GDPR)

When you’re in the business of insider threat detection, GDPR looms large.


As a company in the security analytics space focused on measuring the normal and abnormal behavior of users, servers, systems, machines, files, IP addresses and more, Interset is acutely aware of the importance and impact of the General Data Protection Regulation (GDPR).

Interset’s security analytics platform is designed to quickly spot the signs of a data breach that are typically hidden underneath a flood of alerts and events. Distilling billions of events into the threats that matter enables timely detection of the signals of a breach, which is critical to GDPR compliance: Article 33 requires a controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and that clock cannot start until the breach has been detected.

Officially taking effect on May 25, 2018, GDPR was designed to protect individual privacy by regulating how organizations may collect, process, store, share and secure personal data. To comply with GDPR requirements, businesses must first understand what personal data they hold and how it is used, stored and shared. This can be a difficult task because tracing the path of data within an organization is complex.

Interset’s threat detection platform focuses on insider threats and is well positioned to support businesses in their GDPR efforts by detecting when data is being exfiltrated or shared, whether accidentally or intentionally. Interset can help enterprises manage the information needed for data breach detection and reporting, and the product itself is built to adhere to GDPR guidelines.

The following is a short summary of how Interset supports GDPR.

Consent

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data…” (Article 7, EU GDPR, “Conditions for Consent”).

With the Interset threat detection platform, the processing of employee activity data is typically covered by the employment agreement and by the employer’s interest in protecting enterprise data, rather than by individual consent; where consent is the lawful basis, the controller must be able to demonstrate it as Article 7 requires. In addition, a named-user exclusion list (blacklist) can be implemented at the ingest layer so that events for listed users are dropped before storage or analysis, providing an opt-out mechanism.

Right to Access

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…” (Article 15, EU GDPR, “Right of access by the data subject”).

Interset provides a data subject report that can be exported on demand as a human-readable PDF or as a raw data extract through Interset’s REST API. The PDF presents the information Interset holds about the subject in an unobfuscated, easy-to-understand, visual format, so pseudonymized fields are resolved back to the named subject for the purpose of the report.

Right to Erasure, or “Right to be Forgotten”

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies…” (Article 17, EU GDPR, “Right to erasure”).

Interset’s threat detection platform enables the records of named data subjects to be removed from its HBase and Elasticsearch storage layers through automated scripts, so an erasure request can be fulfilled without manual database work.

Data Portability

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…” (Article 20, EU GDPR, “Right to data portability”).

All Interset data is stored in open, non-proprietary databases (HBase/HDFS and Elasticsearch), so data sets can be moved between instances if required, and the per-subject raw extract available through the REST API (see Right to Access) provides the data in a structured, machine-readable format.

Privacy by Design and by Default

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (Article 25, EU GDPR, “Data protection by design and by default”).

The Interset threat detection platform was designed from the ground up with privacy in mind, which matters because of the large volume of data it processes. Pseudonymization of sensitive fields using secured, one-way hashing is a built-in component of the platform. Most importantly, Interset’s hundreds of models were all designed to follow the principle of data minimization: each model requires only the minimum set of columns needed for its statistical processing, and columns not required by any model are always optional. Interset’s R&D team also follows secure development lifecycle practices, including security architecture review, independent third-party security testing, and code analysis.
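As an added illustration, and not Interset’s own code, the following Python sketches the three ingest-layer controls described on this page: a named-user exclusion list for opt-out, pseudonymization of identifier columns with a keyed one-way hash (HMAC-SHA256), and projection of each event to only the columns a model needs. The field names, the required-column set, the sample events, the key handling and the opted-out user are all assumptions. The last two functions show why the key matters: an unkeyed SHA-256 of a short username is recovered immediately from a list of candidate names, whereas the keyed pseudonym is not.

```python
"""Ingest-layer pseudonymization, opt-out and data minimization (added example)."""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List, Optional

# Columns a hypothetical behavioral model actually needs; all others are dropped.
REQUIRED_COLUMNS = {"user", "src_ip", "bytes_out", "timestamp"}
# Identifier columns that are pseudonymized before storage.
SENSITIVE_COLUMNS = {"user", "src_ip"}

# Demo key only: in production the key comes from a secret store, never from source.
DEMO_KEY = b"demo-pseudonymization-key-replace-me"

# Constructed sample events (field names and values are assumptions).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"user": "alice", "src_ip": "10.0.0.12", "bytes_out": 4096,
     "timestamp": "2018-05-25T09:00:00Z", "email": "alice@example.com", "dept": "finance"},
    {"user": "bob", "src_ip": "10.0.0.33", "bytes_out": 81920,
     "timestamp": "2018-05-25T09:00:05Z", "email": "bob@example.com", "dept": "sales"},
    {"user": "carol", "src_ip": "10.0.0.7", "bytes_out": 512,
     "timestamp": "2018-05-25T09:00:09Z", "email": "carol@example.com", "dept": "legal"},
    {"user": "alice", "src_ip": "10.0.0.12", "bytes_out": 2048,
     "timestamp": "2018-05-25T09:01:00Z", "email": "alice@example.com", "dept": "finance"},
]

# Hypothetical opt-out list: events for these users are dropped at ingest.
OPT_OUT = {"carol"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way pseudonym. The same input always maps to the same output,
    which behavioral baselining needs, but without the key a candidate list
    cannot be tested against the digest."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(event: Dict[str, object]) -> Dict[str, object]:
    """Keep only the columns a model requires (data minimization)."""
    return {k: v for k, v in event.items() if k in REQUIRED_COLUMNS}


def ingest(events: Iterable[Dict[str, object]], key: bytes,
           opt_out: Iterable[str]) -> List[Dict[str, object]]:
    """Apply opt-out, minimization and pseudonymization, in that order, so that
    opted-out users never reach storage and dropped columns are never hashed."""
    opted_out = set(opt_out)
    stored = []
    for raw in events:
        if raw.get("user") in opted_out:
            continue
        event = minimize(raw)
        for col in SENSITIVE_COLUMNS:
            if col in event:
                event[col] = pseudonymize(str(event[col]), key)
        stored.append(event)
    return stored


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, shown only to contrast with the keyed form."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_reverse(digest: str, candidates: Iterable[str],
                       hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: try each candidate identifier and compare digests."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    for record in ingest(SAMPLE_EVENTS, DEMO_KEY, OPT_OUT):
        print(record)
    names = ["alice", "bob", "carol", "dave"]
    print("unkeyed reversed:", dictionary_reverse(unkeyed_hash("alice"), names, unkeyed_hash))
    print("keyed reversed:  ", dictionary_reverse(pseudonymize("alice", DEMO_KEY), names, unkeyed_hash))
```

Ordering is the practical point: filtering the opt-out list before any hashing means an opted-out subject's identifier is never even transiently pseudonymized, and minimizing before hashing means no effort is spent on columns that are about to be discarded. Rotating the key breaks continuity of a user's pseudonym, so in a real deployment the key lifetime has to be reconciled with the length of the behavioral baselines that depend on it.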

For more information on how Interset’s threat detection platform adheres to GDPR and helps enterprises meet GDPR requirements, please contact us at securtyai@interset.com.