We have an issue where a user of PAM could have PII or PHI data returned in their Unix sessions. We have been rolling out PAM to servers we host in the EU. Our legal team has concerns about our ability to allow clients and our clients' patients access to see and remove any PII or PHI record of theirs, as GDPR requires. We have started by turning session recording off completely with a command control rule for those client servers, just to get people using it and at least get basic auditing of who logged on to a server. Our legal and compliance teams have asked us to get client approval to turn on the session recordings. If we could have the input keystrokes and not have a session recording of the output, we would not have to get approval and would get more security benefits by being able to at least tell what commands a user ran. This request is to be able to have a command control rule which will disable the output / playback of a session but still capture input keystrokes.

Comments

  • Thank you for the ENH Request. This is an interesting request, and I will be interested to see the feedback from our other PAM customers as GDPR is a very big subject now that we are less than 50 days away from it becoming the "law of the land" in Europe. My concern with the ENH is its potential to actually render the recording inadmissible as an evidentiary instrument. For those of you reading this, I would be very interested if you would please ask your legal teams about it and would be interested in the feedback if you do not mind posting to the comments when you vote.

    Session recording, from a privilege management perspective, is a “business document”: it is an artifact that documents what transpired within the “due course of business” that an organization may rely upon to make any number of business and / or operational decisions. Within all Western legal systems, there is a concept of the business document for evidence purposes because it is what is generally used to address a hearsay objection in a court proceeding. Session recordings are like security camera footage. They are taken, but they may or may not be reviewed, and if they are reviewed they are generally under review within a specific context. One of their uses is for legal action purposes. Therefore there are certain elements around the chain of custody and non-repudiation standards that have to be met in both US and European law that make a piece of evidence acceptable for use. Therefore most organizations keep session recordings in highly restricted access locations.

    So let’s say for a moment that Micro Focus were to provide the ENH as described. PAM captures the inputs, but does not capture the outputs. Now suppose that it is appropriate to terminate an employee on the charge of “abuse of privilege”, i.e., the employee is using their access to elevated privileges to gain information / perform actions that are outside the scope of reasonable use. The employee denies the charge, and obtains legal counsel to protest. If the organization wanted to rely upon the session recording as a piece of evidence, then the employee’s legal representation would accurately claim that the organization only had half the story, and that the evidence does not support that the employee actually did, in fact, receive the privileged information. The objection would be raised on the grounds of inference, and the argument would be something along the lines of "just because you see part of the equation you are inferring that the employee actually got the information. With only one side of the equation and not the full session recorded, your inference is absent appropriate context". Thus the ENH introduces an additional objection that would otherwise not be present.

    As I read the GDPR regulations and commentary – my understanding of the regulatory requirement is that
    1. The consumer has “the right” to be forgotten
    2. It is incumbent upon the service provider to demonstrate, and provide sufficient proof, that the information collected has been destroyed upon request of the consumer. My understanding is that this is within the context of the information storage system(s) where the data is stored, and it is also applicable to usage of the data. I.e., I collected the data to find out your sports shopping habits, and analyze your patterns with those of other shoppers at my store. Now that you have requested to "be forgotten", I can no longer hold on to that information, nor can I, or any 3rd party, utilize your information in future analysis.

    However, I believe any personal information that may be captured as a result of privilege management session recording would be considered out of scope. If it were not, then the organization would be forced to go back through all “business documents” where portions of the collected personal information may have been used within the “due course of business” for the act of making legitimate business decisions, which would then have to be purged. Not only would this be a burden no company could realistically meet and maintain; it would also potentially leave gaping holes in the documentation of business decisions and activities that could well impact other regulatory requirements. Since the session recording is NOT for the sake of obtaining / retaining any potential PII covered under GDPR, nor would the recording be able to be used in business activity, I would think that any potential information that may be captured within the session recording would be excluded from GDPR scope under the business document exception.

    I'm not going to change the state yet, to Planned, because I want to see what you all have to say.