In our previous entry, we talked about how the General Data Protection Regulation, or “GDPR”, enables EU citizens to control their data profiles, or “digital footprint”. In essence, the many rights provided by the GDPR mean that the subject (the citizen) becomes the owner of any data collected. Should the subject then choose to exercise those rights and that ownership, the data collector or processor must be able to comply. The sanctions for failing to do so are severe, and many legal experts believe that, come 2018, the extent of those rights and obligations will be further established by a number of precedent-setting court cases. As vaguely ominous as that might sound, your business should not end up as the test case. The best ways to avoid trouble and embrace digitalization opportunities under GDPR are outlined here.
GDPR is a European regulation that affects many organizations. The interpretation of the regulation needs to be done by legal experts. However, it is obvious that good security practices, procedures, and technology need to be applied in order to be able to comply with the regulation. IT must come to the business side’s rescue and support this compliance effort through technology and repeatable procedures.
“Data Protection” leads many security professionals to think of the famous security triad Confidentiality-Integrity-Availability (CIA) as well as other well-known and established security principles such as ‘Least Privilege’, ‘Need-to-Know’, and ‘Separation-of-Duty’. These concepts are still very relevant, but for GDPR, additional approaches need also to be applied.
Security and secrecy are not the answer to complying with GDPR and protecting privacy. Nor is technology the sole answer. But as proven many times before, technology can help solve challenges that sometimes seem insurmountable.
THE NEED TO SOLVE PRIVACY, TRUST, AND RISK ISSUES
The law does not explicitly state that ‘privacy’ is the end goal of the regulation, but that is how we should view it. We need to take a serious outside-in perspective on how we deal with the protection of sensitive data when processing client and employee data.
Besides the privacy aspect, this outside-in perspective needs to embrace other very important areas such as trust and risk. These three components should form the basic foundation for how organizations deal with building trusted relationships with both clients and employees. It is a matter of corporate culture and strategy.
The massive work that has to be conducted to gain control over the processing and storing of personal data across an organization’s IT systems can seem daunting. There are often hundreds (and sometimes thousands) of systems, databases, and spreadsheets that store sensitive PII (Personally Identifiable Information). Different technical integration mechanisms and processes deal with information flows across these systems, and there are often only poor ‘master data management’ strategies and procedures in place to deal with data quality and data flow issues. The first step is to catalog all the information the enterprise holds and classify that information according to the regulation’s requirement of specific, explicit and legitimate use of the data. Clear procedures for data capture and data retention are the foundation for the handling of PII data.
CONNECTING THE DIGITAL DOTS
So how can one become successful? Of course, there is value in good planning, focus, management buy-in, a stepwise approach etc. just like in any other project. But as for the question of success or failure there is often one key success factor. Timing. In GDPR terms, timing spells ‘Digitalization’ or ‘Digital Innovation’.
To a Chief Digital Officer, GDPR may look like a giant roadblock, but this is not the case. By getting these two strategic and major initiatives (digital innovation and compliance) to share the same values and priorities, both initiatives can gain, and real business results can be achieved.
Digitalization is all about building more intimate relationships with customers by applying new technologies for IoT, big data, analytics, mobile solutions, APIs, etc. to break away from the competition by serving customers faster, better, and more accurately than before. The connection with GDPR is that these digital initiatives need to implement the principles of ‘Privacy by Design’ and ‘Privacy by Default’ to minimize data exposure and the risk of a breach.
Therefore, every new digital development project needs to implement the stipulated GDPR principles and directions. By acting on these new projects now, an organization will gain more secure services and avoid having to retrofit data protection once the services are already in use and even more data needs to be protected. Security and privacy should not be applied as an afterthought. They need to be architected into the design and build process of these new services.
TECHNOLOGY AND ACHIEVING ‘PRIVACY BY DESIGN’
Security and technology play an important part in building intimate and trusted relationships with customers and employees in 2017 and going forward. Applicable technologies span several IT domains; some are new and some have been proven over many years.
Some of the applicable technologies include encryption, data masking, data loss prevention, logging, firewalls of various kinds, and API Management/Security tools, but also, very specifically, Identity and Access Management (IAM) technology. IAM tools deal with the identity of the user and how access to services, information and transactions can be provided to the right user at the right time in a convenient and secure way.
‘Consent’ is a very important part of GDPR: the user can and should provide consent to the data controller to process and store data about the user. This consent needs to be very specific and should handle the “micro” aspects of providing consent.
Examples of new and very interesting IAM technologies include identity management standards like OAuth, OpenID Connect (OIDC) and UMA (User Managed Access). OAuth and OIDC play important parts in establishing identities across technical boundaries and securing users’ access to APIs that expose sensitive data to mobile clients and external users. UMA is a technology that puts the end user in control of personal data. UMA in combination with OAuth can be used to handle ‘user consent’ in a very modern and lightweight way suitable for API and mobile scenarios.
Another very important “enabler” of data protection is dynamic and fine-grained authorization. This type of authorization plays a vital role in complying with the data protection aspects of GDPR and in establishing trusted relationships with users. Dynamic authorization enables an organization to define access rules that state under which circumstances a user can access sensitive data. In GDPR terms this includes handling ‘data minimization’, ‘data transparency’ and ‘data sharing’ and, in the end, ‘data control’ for the end user. More on this topic below.
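The consent and dynamic-authorization ideas from the two paragraphs above, as an added example that is not part of the original post: a small policy function that permits access only when the caller's role is entitled to a processing purpose and the data subject has consented to that purpose, and then returns only the fields that purpose needs (data minimization). The customer record, consent set and purpose-to-field mapping are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the original post): one customer record and
# the processing purposes that customer has consented to.
CUSTOMER = {
    "id": "c-1001",
    "name": "Example Person",
    "email": "person@example.invalid",
    "phone": "+00 123 4567",
    "purchase_history": ["order-1", "order-2"],
}
CONSENTS = {"c-1001": {"service_delivery", "marketing"}}

# Data minimization rule: the fields each processing purpose legitimately needs.
PURPOSE_FIELDS = {
    "service_delivery": {"id", "name", "email", "purchase_history"},
    "marketing": {"id", "email"},
    "support": {"id", "name", "email", "phone"},
}


@dataclass
class Decision:
    permit: bool
    fields: set = field(default_factory=set)
    reason: str = ""


def authorize(subject: dict, purpose: str, customer_id: str) -> Decision:
    """Dynamic rule: permit only when the caller's role is entitled to the purpose
    AND the data subject consented to it; the decision carries the allowed fields."""
    if purpose not in PURPOSE_FIELDS:
        return Decision(False, reason="unknown purpose")
    if purpose not in subject.get("allowed_purposes", set()):
        return Decision(False, reason="caller not entitled to this purpose")
    if purpose not in CONSENTS.get(customer_id, set()):
        return Decision(False, reason="no consent from data subject")
    return Decision(True, PURPOSE_FIELDS[purpose], "consent and entitlement present")


def minimized_view(subject: dict, purpose: str, customer: dict):
    """Return only the permitted fields, or None when denied, so the API layer
    never holds the full record that it could leak by accident."""
    decision = authorize(subject, purpose, customer["id"])
    if not decision.permit:
        return None
    return {k: v for k, v in customer.items() if k in decision.fields}
```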
Identity Governance tools help by making sure that internal (most often) and external users are handled in an effective way and that identity data is accurate and updated in the places where the data needs to go, e.g. corporate LDAP directories, security software and business applications. These administrative governance tools should also deal with the ‘privileged’ IT administrators. These users often have access to an organization’s most sensitive data, sometimes without the administrator even knowing it. This creates a significant threat vector for any malicious external or internal actor who can pose as the administrator if the administrator’s account is compromised. Privileged Account Management tools can lock down sensitive accounts on systems, provide password check-in/check-out, and log keystrokes so that forensic analysis is possible.
GDPR outlines ‘encryption’ as one potential technique for “data pseudonymisation”. Encryption protects the data from illegitimate access on disk and in motion. In addition to encryption there are ‘data masking’ tools that can scramble data when sensitive data is moved outside a secure production database into environments not covered by the same rigorous protection as the production systems, such as test and development environments.
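As an added example (not the post's own code) of the pseudonymisation and masking just described: identifiers are replaced with a keyed pseudonym so that rows can still be joined in the test environment without revealing the original, and direct contact data is masked irreversibly. It uses a keyed hash (HMAC) rather than encryption as the pseudonymisation technique; the sample rows and the placeholder key are constructed, and the real key is assumed to stay with the controller and never reach test or development.

```python
import hashlib
import hmac
import re

# Constructed sample "production" rows; the values are made up for this example.
PRODUCTION_ROWS = [
    {"customer_id": "c-1001", "email": "person@example.invalid", "phone": "+00 123 4567", "order_total": 42.5},
    {"customer_id": "c-1002", "email": "other@example.invalid", "phone": "+00 765 4321", "order_total": 9.99},
]

# Placeholder only: in practice the key comes from a vault/KMS in production and
# is never copied to the environment that receives the exported dataset.
PSEUDONYM_KEY = b"placeholder-key-replace-from-vault"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input -> same token (joins still work),
    but without the key the token cannot be linked back, unlike a plain hash."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep only the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep the last two digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - 2) + digits[-2:]


def export_for_test(rows: list) -> list:
    """Build the dataset allowed to leave the production boundary: identifiers
    pseudonymised, contact data masked, non-personal measures kept as-is."""
    return [
        {
            "customer_id": pseudonymise(r["customer_id"]),
            "email": mask_email(r["email"]),
            "phone": mask_phone(r["phone"]),
            "order_total": r["order_total"],
        }
        for r in rows
    ]
```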
Stay tuned: in our next post, we will conclude GDPR: A Driver for Digitalization. Learn about Dynamic Authorization and how it can help complete your GDPR compliance plan and digital initiatives. This week: visit us at the European Identity and Cloud Summit 2017 on Tuesday for The Future Role of Identity in Digital Transformation, featuring Gerry Gebel of Axiomatics, and on Wednesday, May 10, at 15:30-16:30 (3:30-4:30 p.m. EST), when Gerry and Dan Blum will host a session highlighting best practices in enterprise authorization and strategies for building an enterprise authorization framework. The session, “Next Generation Identity Based Security – on-Site and in the Cloud – II”, will also cover trends in identity-based security models.