If you missed part 1 or 2 of our GDPR blog series, you can find them here:
In this post, we will outline a practical approach for achieving GDPR compliance with the help of technology, specifically dynamic authorization. We’ll address how dynamic authorization can help you tackle critical GDPR requirements, including, but not limited to, access control based on user consent and data protection aspects, such as data minimization, data access, and data sharing.
Note: What is Dynamic Authorization? We’ll get there. Can’t wait? Check out our explainer video.
DATA PROTECTION CHALLENGES
Many organizations will face tough challenges in meeting GDPR requirements, mainly due to the complexity of their legacy applications and IT platforms that store Personal Identifiable Information (PII). In large organizations, these data stores and applications often reach to the hundreds or even thousands. Many of these applications are quite fragmented, due to age, development language, run-time environments etc. This makes management and governance practices quite difficult to implement. As a result, (and to fully comply with the regulation) organizations need to consolidate and modernize their application portfolio and IT platforms as well as their IT processes. The prioritization and funding for this effort needs to result from implementing a digital business strategy, not only for compliance reasons, but to also avoid being fined.
In the previous blog post, we discussed how the efforts of becoming GDPR compliant needs to be merged with the organization’s wider digital aspirations to become more consumer centric. Wisely implemented, this IT transformation can, in addition to establishing the foundation for privacy and compliance, also be the catalyst for many digital innovation projects.
GDPR AND DYNAMIC AUTHORIZATION
In a GDPR context, Dynamic Authorization supports establishing intimate trusted customer relationships by balancing privacy protection, risk management and security practices. This is achieved by enforcing a common, consistent and contextual sensitive access control model that balance the needs of the data owners (citizens, employees) and the needs of the data custodians (data controllers, data processors).
The dynamic access control mechanism can and should reflect all relevant factors that make up a decision to access any PII data. These factors include: user consent, risk score, data classification, user clearance level and/or training certifications and other contextual relationships that describe why a user is permitted or denied access to the data.
In a healthcare scenario, a patient can give and revoke consent to delegate access to his/her medication history or medial summary to a pharmacist or a doctor. In a financial scenario, a bank customer can give or even deny explicit access his/her bank data to a certain bank clerks.
IN SHORT – WHAT IS DYNAMIC AUTHORIZATION?
Dynamic authorization provides data and transaction protection capabilities. It supports contextual and fine-grained access control scenarios that deal with policy based access based on relationships between ‘attributes’ that that can relate to the who, what, when, where, how, and why a user is granted or denied access to a given information asset. These assets can span types of data such as: documents, applications, APIs, Microservices, database resources such as tables, rows etc.
Dynamic authorization is sometimes also known as ‘Externalized Authorization Management’, ‘permissions management’, ‘entitlements management’ and also as ‘Attribute Based Access Control’ (ABAC). At its core, it is a model to externalize and centralize authorization away from application business logic (code) and other IT services that expose data (API Gateways, Databases etc.). Axiomatics’ authorization solutions build on the XACML 3.0 standard, with the core architectural elements of: Policy Enforcement Points (PEP), Policy Decision Points (PDP), Policy Information Points (PIP) and Policy Administration Points (PAP).
Dynamic authorization brings context awareness to access control. This is particularly important if you are exposing business critical or sensitive PII data via your applications and APIs. It enables you to manage the actions individuals or services can carry out on information assets such as documents, transactions and records. Examples of this include:
- Create, read, update or delete a document
- View, execute or sign off a sensitive transaction up to a certain value limit
- Select, view, insert or delete data elements in a database
Dynamic authorization has many advantages over traditional access control mechanisms. Access policies are easy to manage, maintain, and audit. It makes access control checks more transparent and easier to adapt when faced with new business challenges or when regulations are introduced/changed.
AN ARCHITECTURAL POINT OF VIEW – SEPARATION OF CONCERN
The externalized dynamic authorization model adheres to the principle that software code should be decoupled based on the function it serves. This principle allows software developer and IT architects to focus on implementing business functionality and to reuse common building blocks for non-functional aspects such as authentication, authorization, logging, and data storage.
This model of externalizing authorization logic from the business applications is resource-efficient and scalable, as rules and policies can be applied across multiple protected services and components. Additionally, all access policies are stored, managed, maintained and enforced from one central point which ensures cost efficient development, implementation and maintenance of authorizations.
THE PATH TOWARDS A PERSONAL COMPUTING PARADIGM
It is not only the GDPR and PSD2 regulations that strives towards putting the end user in control of their own data. Recent evolution in technology such as Blockchain, Mobile devices, IOT and Identity/Access Management supports and drives new ways of providing users with the ability to control and use data where privacy, trust and strict end user control are required.
OAuth (Open Authorization) and UMA (User Managed Access) are two quite recent standards that address delegation of access and consent management. Together with OpenID Connect they form a very powerful solution towards a new ‘personal computing’ paradigm. UMA, is based on the OAuth protocol, and enables a data owner to provide and revoke access to data stored at a service provider. It also allows the end user to store and maintain consent to use that data.
Blockchain with its new and groundbreaking technology allows non-trusted parties to exchange information assets based on a distributed technology platform. The Bitcoin “crypto currency” is perhaps the most well-known application that is built on Blockchain technology and it allows users to exchange money between different parties. The data owner stores its personal data (money) locally in a non-changeable format and can pass on the data to a non-trusted party, thus giving away control of the data. Through cryptographic technology a distributed secure ledger of all transactions is kept which guarantees the integrity of the data.
This evolution of ‘Personal Computing’ is truly interesting and many organizations are embracing a point-of-view to allow the data (resource) owner to have control over their own data. However, this computing model requires a complete “inside-out” perspective and therefore entails for radical changes in IT architectures and design.
The GDPR time-frame is challenging as it is so organizations need to embrace this technology evolution step-by-step. Below, Axiomatics describe how organizations can implement a standards based ‘dynamic authorization’ solution as an important component to reach the necessary GDPR compliance controls. This solution can and should co-exist with other IT capabilities, structures and components.
GDPR REQUIREMENT – USER CONSENT
Consent means that the user (data owner) should give consent to the ‘data controller’ to use the data for certain and specific purposes (lawful and fair). The consent options need to be presented to the user in a way that enables the user to make conscious decisions when giving consent or not. It should also be possible to easily revoke consent for all or specific use of the data.
The consent management solution need to maintain the life-cycle of each user’s consents. As mentioned above UMA provide a consent management mechanisms and could potentially be a valid technology for this purpose. However, UMA works best in a federated model, where the consent deals with how to exchange data from a data controller to another party. The way GDPR outlines consent is more geared towards how data is used (the purpose) within the data controller itself and how the consents are managed and maintained.
iWelcome, a Dutch IDaaS company (www.iwelcome.com), provides such a consent management solution “as a service”. This solution supports a data controller’s requirement to manage the detailed user consents and stores these together with a “golden record” representing each user in a secure database.
By implementing a ‘dynamic authorization’ solution as part of a consent management strategy, an organization can achieve a consistent enforcement of access across all PII data stores and applications. In this scenario, the authorization solution make use of the consent data as contextual attributes as part of an authorization decision. In essence, the consent store is used as a custom Policy Information Point (OIO) in the XACML architecture.
The benefit of this approach is that end users can manage consent in one place and that the authorization engine dynamically evaluates these consent preferences (and others) in the decision-making process. It is important to point out that consents can be stored in any form and shape. All that is needed is that the consent management solution exposes these consents as either a DB table/view, an LDAP directory or as an API. It can be a UMA compliant solution but this is not a requirement.
GDPR REQUIREMENT – DATA PROTECTION
Another key requirement of GDPR is to apply strict ‘data protection’ controls as the name of the directive implies. Data protection is described in various ways and referenced in several parts of the law text. The term ‘Data Protection’ embraces several sub-areas that by themselves are quite challenging to implement. These areas include: Data minimization, Data encryption, Data pseudonymisation, Data transparency, Data accuracy, Data quality, Data access, Data sharing, Data portability, Data control. Fine-grained dynamic authorization supports several of these data protection topics. Below we have outlined how.
‘Data minimization’ is naturally thought of as “physical” data minimization. That is to physically minimize the data you store and have good data retention policies in place. In addition to this physical minimization, dynamic authorization can help minimize the data access points by providing “logical” data protection. By applying contextual and fine-grained access policies to large sets of data (can be distributed in multiple heterogonous sources) an organization can reduce the threat vectors to the data and make sure that is it only exposed to users who really need it. This follows the principles of Need-to-Know and Least privilege. This authorization model also adheres to both discretionary access control (defined by the subject i.e. consent) and mandatory access control (defined by the data controller).
‘Data encryption’ is mentioned in GDPR as one possible capability to protect and ‘pseudonymise’ data at rest and in motion. Dynamic authorization does not manage encryption of data but can be integrated in frameworks that do. In addition to encryption technology, an organization can implement dynamic authorization to mask data when users legitimate access the information. The Policy Enforcement Points in combination with a Policy Decision Point can apply data filtering policies to make sure that highly sensitive data is masked when leaving the data source and exposed in a user interface. Two simple ways to implement data masking would be to 1) make use of an API Gateway that can enforce access control on the down-bound API calls but also inspect the payload of the API response and apply masking to parts of the response content and 2) to apply a SQL proxy that intercepts SQL statements and evaluates authorization policies and then instructs the database to mask sensitive data in columns and cells.
‘Data transparency’, ‘Data accuracy’ and ‘Data quality’ include capabilities that allow the end user to view and correct data. The Dynamic authorization solution can enforce strict policies that expose the PII data to the end user and allows that he/she can read and update it. This enforcement may include the context of the user (time, place, device etc.) and the risks associated. That could mean evaluating the strength of the authentication mechanism used by the user and the location from where the user initiates the request. A normal usage is to make use of some kind of risk engine that calculates the risk and make the authorization use this information at run-time.
‘Data access, ‘Data sharing’ and ‘Data control’ are also areas where a dynamic authorization solution supports a very contextual and data driven relationship access control. By leveraging the full capabilities of the authorization model the PII data can be protected by policies that extend to the end users discretion. For instance, a citizen that is using a government agency’s service can delegate access to a spouse by assigning a delegation policy for the specific data. Another example is that a bank client can explicitly allow, or maybe even more importantly, deny access to funds and accounts to certain bank employees. A third example would be for a citizen to give consent that two government agencies can share data about a citizen through a secure API.
GDPR REQUIREMENT – RECORDS OF PROCESSING ACTIVITIES
As a result of implementing a dynamic authorization solution, an additional benefit is achieved. The central authorization solutions create and maintain an audit log of who has access the PII data. This authorization audit log, together with other logs such as logs from the applications, provides vital proof of ‘records of processing activities’ that can be used for internal or external auditors and security professionals in search of a reason for a data breach. This information can also be used to provide proof to the end user if requested by the user/client/citizen. Who has accessed my data?
GDPR REQUIREMENT – PRIVACY BY DESIGN AND BY DEFAULT
Security by Design is not a new concept. GDPR extends this concept to include ‘Privacy by Design’ and ‘Privacy by Default’. It applies to all services that handle PII data whether developed in-house or is acquired COTS (Common of the Shelf) software. It also applies to any software as a service solution delivered through a cloud service provider.
Adhering to this requirement is a huge task. Vendors of software solutions as well as Cloud providers need to rethink how their services are designed. Of course, it also put strong security and privacy requirements on organizations that develop custom applications.
For these organizations, the GDPR design principles need to be implemented both in the applications itself (by utilizing various data protection mechanism and importantly enable them by default) but also in the processes of developing and operating them. Security and privacy specialist (if they exist?) need to take an active part of both the development, procurement and the IT operations process.
Dynamic authorization can play an important role in conforming to these principles. PII access policies should be deployed using a top-down approach and applied to all systems and applications that store and maintain PII data. This top-down approach includes a strong governance process where the whole authorization life-cycle is incorporated.
With that we conclude how dynamic authorization can help supporting GDPR compliance efforts. We leave an open door to come back at a later time to address the subject of how dynamic authorization fits into an enterprise wide Identity Governance and Administration (IGA) framework since this on the top of minds in several organizations.