Key Manager Plus is now GDPR-ready

The European Union's General Data Protection Regulation (GDPR) comes into force on May 25, 2018. It is one of the most comprehensive data-protection frameworks of its kind and affects not just organizations within the EU, but any organization anywhere in the world that processes the personal data of EU residents. Security professionals are evaluating strategies and solutions to bring their organizations into compliance. No single strategy achieves GDPR compliance on its own, but the purpose of the regulation is clear: to strengthen personal data protection for EU citizens and residents.

Under the GDPR, the term personal data refers to any information that directly or indirectly identifies a 'data subject' (i.e., a natural person). Article 4 of the GDPR defines personal data as follows:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Key Manager Plus falls within the scope of the GDPR because it collects, stores, and processes the following data, which can directly or indirectly identify a natural person:

  • User name
  • SSH user name
  • SAN
  • Resource name
  • Landing server name
  • Key name
  • Issuer
  • IP address
  • Instance name
  • Host name
  • Domain name
  • Domain controller
  • DNS name
  • Description
  • Data center
  • Common name
  • Certificate template
  • Certificate authority
  • AD user name

With customer data privacy as our foremost priority, we have incorporated the following enhancements to help you meet the privacy requirements set by the EU GDPR.

1. Provision to control the exposure of personal data in reports

Key Manager Plus now includes provisions to control the extent to which personal data is exposed in canned reports. Administrators can choose to 'mask' or 'hide' specific personally identifiable information (PII): masking replaces the value with random fictitious characters, while hiding omits the value from the report entirely. The setting applies both to reports generated from Key Manager Plus and to the scheduled-report email notifications that carry that personal data.
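To make the mask-versus-hide distinction concrete, here is an added illustrative example (not Key Manager Plus's own code, and not its configuration format) that applies a per-column policy to the rows of a report before they are rendered or emailed. The policy dictionary, the column names and the sample rows are all assumed for this example; masking draws random characters from the `secrets` module so that a masked value is neither reversible nor repeatable.

```python
import secrets
import string
from typing import Dict, Iterable, List

# Assumed policy format for this example (not Key Manager Plus's own
# configuration): each PII column is either masked or hidden.
# Columns absent from the policy are left unchanged.
MASK = "mask"
HIDE = "hide"

EXAMPLE_POLICY: Dict[str, str] = {
    "user_name": MASK,
    "ip_address": HIDE,
    "host_name": MASK,
}

_ALPHABET = string.ascii_letters + string.digits


def mask_value(value: str) -> str:
    """Replace a value with random fictitious characters of the same length.

    secrets.choice is used so the substitute is unpredictable and not derived
    from the original: a hash or fixed substitution table would let a reader
    correlate masked rows or brute-force short values such as usernames.
    """
    return "".join(secrets.choice(_ALPHABET) for _ in value)


def apply_policy(row: Dict[str, str], policy: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of one report row with the masking policy applied."""
    out: Dict[str, str] = {}
    for column, value in row.items():
        action = policy.get(column)
        if action == HIDE:
            continue             # column is dropped from the report entirely
        if action == MASK:
            out[column] = mask_value(value)
        else:
            out[column] = value  # not PII under this policy; keep as is
    return out


def render_report(rows: Iterable[Dict[str, str]],
                  policy: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the policy to every row of a canned report before output."""
    return [apply_policy(row, policy) for row in rows]


# Constructed sample rows for this example, not data from a real instance.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"user_name": "jsmith", "ip_address": "10.0.0.12",
     "host_name": "web01", "key_name": "prod-web"},
    {"user_name": "jsmith", "ip_address": "10.0.0.13",
     "host_name": "web02", "key_name": "prod-web"},
]


if __name__ == "__main__":
    for row in render_report(SAMPLE_ROWS, EXAMPLE_POLICY):
        print(row)
```

Two properties of this approach are worth noting when choosing between the two modes. Masking preserves the length of the original value, which still leaks something about it, and because the same user is given a different random substitute in every row, masked rows can no longer be grouped by person. Where neither of these is acceptable, hiding the column is the safer choice.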

2. Password protection for exports

Administrators can now enable password protection for exports, adding a layer of protection to the files exported from Key Manager Plus: certificates, certificate private keys, certificate signing requests, PDF and CSV reports, SSH public and private keys, and keys secured in a keystore. Key Manager Plus currently offers two levels of password protection:

  • Global password - A uniform password applicable for all users when exporting files from Key Manager Plus.
  • User password - In addition to the global password, administrators can also allow users to set their own separate passwords to be used when exporting files from Key Manager Plus.

3. Administrator acknowledgement of data transfer for third-party integrations

Key Manager Plus now requires administrators to acknowledge the transfer of personal data when setting up an integration with a third party that receives personal data from Key Manager Plus, such as certificate requests to Let's Encrypt and other trusted third-party CAs, or the integration with ServiceDesk Plus' CMDB.

4. Provisions to purge audit trails

Key Manager Plus includes options to purge audit trails, allowing administrators to erase personal data that is no longer required for the purposes for which it was originally recorded. Because audit trails are also the record consulted during security investigations, decide on a retention period in advance and purge according to it rather than ad hoc.

5. Database-level encryption of sensitive personal information

Key Manager Plus encrypts sensitive personal data at the database level, so that an attacker who obtains the database contents (for example from a backup or a compromised database host) cannot read the personal data without the encryption key. Encryption of this kind protects confidentiality; it does not by itself guarantee integrity, and the protection depends on the encryption key being stored and guarded separately from the database it protects.

6. Provision to manage non-user email addresses

When scheduling operations such as SSH resource discovery, certificate discovery, vulnerability scans, and report generation, Key Manager Plus allows the administrator to send the scheduled tasks' completion statuses and license expiry notifications to email addresses of people who do not have an individual Key Manager Plus account. A complete list of all such external addresses is maintained in Key Manager Plus so that authorized administrators can keep track of the non-user email addresses in use and delete them when they are no longer needed.

Disclaimer:

This report is provided based on the understanding of ManageEngine, a division of ZOHO Corp., of the EU GDPR requirements. ZOHO Corp. is not an auditor or legal authority, and you should consult your corporate auditor or legal representative for guidance.

The information provided in this report is not a substitute for the advice of legal counsel. There is no warranty that the information contained in this report is complete or error-free. This report was prepared using 'Chapter 3: Rights of the data subject' of the General Data Protection Regulation (GDPR) (EU) 2016/679 of the European Parliament and of the Council. Its main objective is to outline the provisions in Key Manager Plus that enable an organization to uphold the rights of its data subjects and protect the personal data processed within the solution.