Jon Tan

March 29, 2017

Data Privacy in Philippines: A Quick Primer on Secure Access

National Privacy Commission of Philippines

The Philippines recently formalised its Data Privacy Act, joining the ranks of most of its Asian counterparts, which already have some form of data protection-related act in place. It’s now safe to say that Asia has caught up with the Organisation for Economic Cooperation and Development Privacy Principles. And with fines ranging up to USD$700,000 plus potential prison time, it’s time to take a serious view on how we manage this as an industry.

As a business, you’re looking to equip yourself with four primary tools to help you tackle this: a Virtual Private Network (VPN), Network Access Control (NAC), Single Sign-On (SSO) and a mobility management solution. Used in tandem, they ensure data is encrypted in transit and at rest, whether at the server or the endpoint. You’ll also have full visibility and control of who can access the data and their identity, whether they connect on premises or remotely, through authorised or BYOD devices.

Some key excerpts from the Philippines Data Privacy Act:

SECTION 8. Encryption of Personal Data. All personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard.

Passwords or passphrases used to access personal data should be of sufficient strength to deter password attacks. A password policy should be issued and enforced through a system management tool.

SECTION 18. Online Access to Personal Data. Agency personnel who access personal data online shall authenticate their identity via a secure encrypted link and must use multi-factor authentication. Their access rights must be defined and controlled by a system management tool.

VPNs integrated with SSO and EMM will help ensure the accessing endpoint is compliant, and that the identity of the user is verified while encrypting the communication channel between device/server. This ensures that the data that resides on the endpoint is securely contained within an encrypted sandbox.

SECTION 9. Restricted Access. Access to all data centers owned and controlled by a government agency shall be restricted to agency personnel that have the appropriate security clearance. This should be enforced by an access control system that records when, where, and by whom the data centers are accessed. Access records and procedures shall be reviewed by agency management regularly.

SECTION 20. Authorized Devices. A government agency shall ensure that only known devices, properly configured to the agency’s security standards, are authorized to access personal data. The agency shall also put in place solutions, which only allow authorized media to be used on its computer equipment.

NACs give you complete network visibility and context on who connects to your network, what devices they use, and even when and where they can do so.

While guidelines and penalties differ between countries, all are clear that the onus lies with enterprises to do their due diligence on:

  • assurances for the safety and security of cyber information
  • protection of personal information in the network environment
  • protection of information systems and infrastructure
  • standards and technical regulations on information security

On a broad level, the acts share the same themes: how the data must be encrypted, who can access the information, and how to make sure they do so securely. In short, secure access.

If you’re looking to get started with a simple, integrated solution that delivers secure access and checks all the boxes above, do check out our recently launched Pulse Access Suite. You can also download a free trial copy of our solutions here.

References
Philippines Data Privacy Act
Singapore Personal Data Protection Act
Data Security and Cybercrime in Vietnam