Access to In-scope Resources

Description

Visibility into who is accessing in-scope resources is key to your GDPR efforts. Splunk allows easy analysis of that information.


Use Case

Compliance

Category

GDPR

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

Data Sources

Web Proxy

GDPR Relevance

Impact:

Along with authorization and legitimate reason for use, accessing resources requires an audit trail that helps identify whether a user accessed a critical asset, and whether that user’s activity during the login session included viewing sensitive data.

Within a GDPR context, in-scope applications will store and process personal data. Organizations must ensure not only that access to those applications is authorized and motivated by a legitimate reason to access / handle / process the associated personal data, but also that a record is maintained of which users accessed those in-scope applications and whether personal data was viewed. Maintaining such an audit trail is an industry best practice and can be considered an effective security control, as required by Article 32. This applies to processing of personal data by the controller, and also needs to be addressed if contractors or sub-processors from third countries or international organizations access and transfer personal data (Article 15). In the event that a Supervisory Authority exercises its powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58) – in such a scenario, it is critical to be able to show evidence of the actual scope of impact from any successful attempt(s) to access or handle personal data. If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that it has understood and addressed the risk appropriately and deployed proper countermeasures (Article 82). The capability to demonstrate that best practice was adhered to – that is, that an audit trail was recorded of any given user’s login activity to an in-scope application, and whether they viewed personal data – can help mitigate potential impact to the organization.

How to Implement

Implementation of this capability will vary from system to system. Tracking access via firewall connections is a popular approach, though you could also use application logs, which provide more granular visibility into what was accessed. Splunk recommends working with your auditor, and with Splunk Professional Services for any complicated situations.

Known False Positives

No known false positives at this time.

How To Respond

This search is typically used to track access, rather than something that would be sent directly to anyone to review.

Help

Access to In-scope Resources Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Firewall logs (onboarded in accordance with our Data Onboarding Guides), during which someone uses Workday. Our live search looks for the same behavior using the standardized sourcetypes for Palo Alto Networks or the Common Information Model, and you can look for any destination where you have sensitive data including your cloud providers, databases, and more.

SPL for Access to In-scope Resources

Demo Data

First we bring in our basic demo dataset, in this case anonymized Palo Alto Networks logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Next we filter for access to PII data (Workday, though you can apply this to any other sources).
Finally, we format just the data that users want to see.

Live Data

First we bring in our basic dataset, Palo Alto Networks logs, filtered for access to PII data (Workday, though you can apply to any other data sources).
Finally, we format just the data that users want to see.
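The demo and live searches above describe the same three steps (bring in the firewall data, filter to the in-scope destination, format the result) without showing the SPL. The search below is an added illustration written for this page; it is not the search shipped with the use case. It assumes the Palo Alto Networks add-on's pan:traffic sourcetype with its standard fields (user, src, dest, app, action, bytes_out), and assumes that Workday traffic is identifiable either by the PAN App-ID value workday or by a destination name under workday.com; adjust those two conditions to whatever in-scope destination you are auditing.

```spl
sourcetype="pan:traffic" action=allowed
    (app="workday*" OR dest="*.workday.com")
| stats count AS connections
        sum(bytes_out) AS bytes_out
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY user src dest app
| convert ctime(first_seen) ctime(last_seen)
| sort - last_seen
| table first_seen last_seen user src dest app connections bytes_out
```

The stats step collapses the raw connection log into one row per user, source and destination, which is the audit-trail view the GDPR Relevance section asks for: who reached the in-scope application, from where, when they first and last did so, and how much data left the network toward it. To run the same search against the demo data, replace the first line with the page's `Load_Sample_Log_Data` macro, keeping the filter and formatting steps unchanged.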

Screenshot of Demo Data