Is 90 days of audit data enough for GDPR compliance?
GDPR is fast approaching and will come into effect on May 25, 2018. While countless online articles suggest that many companies are unprepared for the new data protection regulations, it is becoming increasingly impossible to ‘not know’ about GDPR, or have at least some understanding of what it entails.
Despite the 160-odd requirements which make up the regulations, the most prominent headlines tend to be focused on the unprecedented fines, and the super-short timelines for reporting data leaks or breaches. It’s daunting, but there is still plenty of time to review your practices, and get prepared. Office 365 has various features to help tenants achieve GDPR compliance, including auto-label policies for classifying data, DLP policies for PII (Personally Identifiable Information), and the Compliance Manager dashboard. You can find out more about the features and services available for information protection, compliance with GDPR, as well as other regulatory policies, here. You can also find out more about managing GDPR compliance in Office 365 using the Compliance Manager, Teams and Planner in this recent Petri article.
Under the General Data Protection Regulation, organizations that experience a data breach are obliged to notify authorities within 72 hours of its occurrence.
The problem with this is twofold: you need a reliable, repeatable way to detect and investigate an incident quickly, and you need unrestricted access to all the relevant data once you do.
One area of the Office 365 Security and Compliance Center that can help you comply with this requirement is the Office 365 Audit log. The tool logs user and service activities for SharePoint Online, OneDrive for Business, Exchange Online, Teams, Azure Active Directory, and Sway. Once enabled (and this bit is important – find out more here), the Audit Log will show you a full view of events which can be searched and refined.
The amount of data available through the audit log is both a blessing and a curse, depending on how you approach it. Even in a relatively small tenant, the log holds a vast amount of information, and a large percentage of it is your regular, non-threatening, run-of-the-mill Office 365 activity. To drown out the noise effectively, you need to familiarise yourself with filtering (to remove irrelevant service-generated events, for example) and get to grips with the search functionality and the terms that will deliver the detail you’re looking for.
Here are some search terms for GDPR-relevant activities that Microsoft give:
Downloaded file, accessed file, shared file, copied file, accepted access request, accepted sharing invitation, created sharing invitations.
It’s worth noting that these terms are all SharePoint and OneDrive operations, which is only a small part of relevant activity that should be monitored across Office 365 for GDPR. There are other search terms available in the audit log to address other workloads.
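As an added illustration of the filtering described above (this is example code written for this post, not the article's own or Radar's), the following PowerShell takes a batch of unified audit log records, keeps only the SharePoint and OneDrive operations Microsoft lists as GDPR-relevant, drops service-generated noise, and summarises what is left per user. The operation names are the audit log's internal names for the friendly terms quoted above (for example "Downloaded file" is recorded as FileDownloaded); the noise-account list, the sample records and the tenant domain are constructed for the example, and the use of a TargetUserOrGroupType of Guest to spot external recipients is an assumption about the sharing-event schema.

```powershell
# Added example, not code from the original article or from Microsoft.
# Triage Office 365 unified audit log records: keep the GDPR-relevant
# SharePoint/OneDrive operations, discard service noise, summarise per user.

# Audit log operation names behind the friendly terms in the article.
$GdprOperations = @(
    'FileDownloaded'              # Downloaded file
    'FileAccessed'                # Accessed file
    'SharingSet'                  # Shared file
    'FileCopied'                  # Copied file
    'AccessRequestAccepted'       # Accepted access request
    'SharingInvitationAccepted'   # Accepted sharing invitation
    'SharingInvitationCreated'    # Created sharing invitation
)

# Identities that generate background activity. This list is an assumption
# for the example; extend it with the service accounts you see in your tenant.
$NoiseUsers = @('app@sharepoint', 'SHAREPOINT\system')

function Select-GdprAuditEvent {
    param([Parameter(Mandatory)] [object[]] $Records)

    foreach ($r in $Records) {
        # Search-UnifiedAuditLog returns the event detail as a JSON string in AuditData
        $d = $r.AuditData | ConvertFrom-Json
        if ($GdprOperations -notcontains $d.Operation) { continue }
        if ($NoiseUsers -contains $d.UserId) { continue }

        [pscustomobject]@{
            Time       = [datetime]$d.CreationTime
            User       = $d.UserId
            Operation  = $d.Operation
            Object     = $d.ObjectId
            ClientIP   = $d.ClientIP
            # Only present on sharing events; 'Guest' is assumed to mark an external recipient
            Target     = $d.TargetUserOrGroupName
            TargetType = $d.TargetUserOrGroupType
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-03-01T09:12:00","Operation":"FileDownloaded","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/hr/Shared Documents/payroll.xlsx","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-03-01T09:13:00","Operation":"FileDownloaded","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/hr/Shared Documents/staff-list.xlsx","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-03-01T09:20:00","Operation":"SharingSet","UserId":"bob@contoso.example","ObjectId":"https://contoso.example/sites/hr/Shared Documents/payroll.xlsx","ClientIP":"198.51.100.7","TargetUserOrGroupName":"someone@external.example","TargetUserOrGroupType":"Guest"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-03-01T09:21:00","Operation":"FileModified","UserId":"bob@contoso.example","ObjectId":"https://contoso.example/sites/hr/Shared Documents/notes.docx","ClientIP":"198.51.100.7"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-03-01T09:22:00","Operation":"FileAccessed","UserId":"app@sharepoint","ObjectId":"https://contoso.example/sites/hr/Shared Documents/payroll.xlsx","ClientIP":""}' }
)

$events = Select-GdprAuditEvent -Records $sample
$events | Sort-Object Time | Format-Table Time, User, Operation, Object, ClientIP -AutoSize

# Volume per user and operation: a spike in FileDownloaded for one account
# is the kind of signal these search terms are meant to surface.
$events | Group-Object User, Operation |
    Select-Object @{ n = 'User, Operation'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Sharing events whose recipient is outside the organisation.
$events | Where-Object { $_.TargetType -eq 'Guest' } |
    Format-Table Time, User, Target, Object -AutoSize
```

On the constructed input the FileModified event and the app@sharepoint access are discarded, leaving two downloads by alice and one external share by bob. In a real tenant, replace `$sample` with the output of Search-UnifiedAuditLog for the window you are investigating; the same function works unchanged because it only reads the AuditData JSON.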
If you find that the audit log is too unwieldy for your needs, there are alternative services available which offer additional functionality. Radar for Security & Audit is a third-party SaaS application that collects and presents audit data in a comprehensive timeline view, which can be segmented or filtered down for clearer detail and better visualisation. Custom filters and searches can be saved so that a specific ‘view’ can be applied quickly; there is intelligent on-event alerting; and reports that need to be generated regularly can be saved or scheduled.
The 90-day limit
Another important limitation of the Audit Log is its options for data retention. Microsoft retains audit data for 90 days, after which it is removed from the system. To keep the data for longer, you need to buy Office 365 Advanced Security Management (ASM), which is included in an E5 licence or available as an add-on to other subscription levels ($3 per user per month). This service stores data for up to 180 days and offers other security management services in addition to audit storage. Alternatively, you can look to third-party tools like Radar for Security & Audit. This application offers advanced search and filtering capabilities, pre-configured audit reports, on-event alerting, and stores data for a year by default. It is also possible to extend storage beyond a year, if required.
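If neither ASM nor a third-party service is in place, the practical way to stop the 90-day window from swallowing evidence is to export the records yourself on a schedule. The script below is an added example written for this post (not the article's, Microsoft's or Radar's code): it uses Search-UnifiedAuditLog to pull the last N days of the GDPR-relevant operations and appends them to a local CSV archive, keeping the raw AuditData JSON so nothing is lost. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an account that holds an audit-log role; the archive path and the seven-day default window are placeholders.

```powershell
# Added example, not code from the original article. Archive GDPR-relevant
# unified audit log records to a local CSV so they outlive the 90-day retention.
# Assumes Connect-ExchangeOnline has already established a session.
param(
    [int]    $Days        = 7,                                    # window to export
    [string] $ArchivePath = 'C:\AuditArchive\o365-gdpr-audit.csv' # assumed path
)

# The SharePoint/OneDrive operations the article lists as GDPR-relevant.
$ops = 'FileDownloaded', 'FileAccessed', 'SharingSet', 'FileCopied',
       'AccessRequestAccepted', 'SharingInvitationAccepted', 'SharingInvitationCreated'

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$Days)

# A single call returns at most 5000 records. Supplying a SessionId with
# ReturnLargeSet lets repeated calls page through the full result set;
# the cmdlet returns nothing once the set is exhausted.
$sessionId = 'gdpr-archive-' + [guid]::NewGuid().ToString()
$archived  = 0

do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -Operations $ops -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
    if ($page.Count -eq 0) { break }

    $rows = foreach ($r in $page) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Id           = $d.Id            # unique per record; use it to de-duplicate
            CreationDate = $r.CreationDate
            RecordType   = $r.RecordType
            Operation    = $d.Operation
            UserId       = $d.UserId
            ObjectId     = $d.ObjectId
            ClientIP     = $d.ClientIP
            Workload     = $d.Workload
            AuditData    = $r.AuditData     # raw JSON, so no field is lost in flattening
        }
    }

    # -Append creates the file on the first run and adds rows on later runs.
    $rows | Export-Csv -Path $ArchivePath -NoTypeInformation -Append -Encoding UTF8
    $archived += $page.Count
} while ($page.Count -gt 0)

Write-Host ("Archived {0} records from {1:u} to {2:u} into {3}" -f $archived, $start, $end, $ArchivePath)
```

Run it from a scheduled task more often than the window length (for example daily with a seven-day window) so a failed run does not leave a hole; overlapping windows will produce duplicate rows, which the Id column lets you remove when you load the archive. Storing the archive outside the tenant, with restricted write access, is what makes it useful as evidence during the 72-hour notification window.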
So, is 90 days enough? Incident discovery is a difficult practice, and something that companies have been notoriously bad at in the past. In 2015, Business Insider claimed that ‘on average, it takes 229 days – that’s almost eight months! – before a company realizes it’s been hacked.’ 229 days for incident detection is a monumental problem for GDPR, but 2015 was a long time ago, right? With advances in technology, education, and awareness, surely this number has reduced? Last year, the Verizon Data Breach Investigations Report (DBIR) stated that ‘typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months’, suggesting that while speed may have improved, detection is still not fast enough.
In May this year, when GDPR comes into play, companies will have to create better incident detection strategies, if they want to maintain compliance and avoid hefty fines. An agile, proactive approach to this can be built from the two requirements we noted earlier: a strong, repeatable strategy for incident detection and discovery, as well as unrestricted access to all relevant data. By creating a combination of these two elements, it is possible to reduce detection time, and create an environment where all the answers you need reside within your reach.
In the next blog on this topic we’ll take a closer look at the capabilities available in Radar for Security & Audit that enable fast, effective threat detection and discovery, and support GDPR compliance.