GDPR is placing a lot of demands on companies to protect the privacy of individuals. But what does that mean for identity management?
The European Union’s General Data Protection Regulation (GDPR) takes effect May 25 and aims to protect the identity of individuals. Unfortunately, its requirements are more complex than many realize, putting security teams potentially at increased risk of incurring huge penalties.
“There are two issues that should concern security teams. The first is to stop conflating ‘personally identifiable information’ with GDPR’s actual definition of a data subject, which can be simplified to ‘information which can lead to the identification of a natural person,’” said Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies, a cybersecurity software company. “This conflation leads to the second issue security teams need to be acutely aware of: namely, that they will be expected to either have access to a professional data scientist, or employ them directly on security teams if they are to be accountable for protecting information that they may not even know could ‘lead to the identification of a natural person.’”
While companies around the world are scrambling to get a handle on precisely what personal data they have, how they use it and where they share it, it’s hard to think of every area that is affected, such as identity and access management (IAM).
“GDPR will definitely affect use of IAM technologies. It will further promote the use of strong authentication techniques to ensure users can prove who they are,” said Dr. Sarbari Gupta, president and CEO of Electrosoft, a security and IAM provider. “It will also promote the use of more access control techniques to ensure that user data is protected in a more granular fashion to control access to specific data by specific individuals.”
Gupta co-authored NIST Special Publication 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials,” which provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable PKI-based identity credentials, among many others.
GDPR and IAM: What to Know
Here’s a list of some of the ways GDPR is likely to directly or indirectly affect IAM usage, based on trends security professionals are already detecting:
1) IAM takes on a bigger role. “IAM provides key technical controls to not only comply with GDPR, but also enable new opportunity to interact with customers. This includes consent capture and management, data level access governance,” said Baber Amin, market leader, Cloud Security Services at Ping Identity, an identity security company. “IAM solutions are also key to transparency and governance with respect to data access and rectification, data portability and data erasure, which are all key areas of GDPR. Expect IAM to play a key role moving forward.”
2) Honing IAM effectiveness. “It is somewhat fortunate that IAM is typically a pre-existing component of any given organization’s security infrastructure that does benefit from periodic polishing. But it is, arguably, difficult for many organizations to continually hone their IAM systems if the return value does not meet or exceed the time, money, and effort it requires,” said Ian McClarty, president and CEO of PhoenixNAP Global IT Services. “Therefore, if GDPR has any impact on IAM usage, it will be primarily as the additional justification businesses need to give this integral component the attention and prominence it so richly deserves.”
3) Deeper integration with other security products and an organizational shift. “We’re starting to see greater and greater interest in bringing the IAM solutions into the information security fold—which is having some interesting knock-on effects,” said Paul Lanzi, co-founder of Remediant, a privileged access management startup. “We’re actually starting to see organizational changes that reflect this shift, wherein the IAM team moves under the CISO and becomes a first-class part of the information security ecosystem. Tying IAM into the SIEM/UBA (security incident and event management/user behavior analytics) and incident response frameworks can have huge benefits for the timeliness of threat detection and response.”
4) IAM moves from alerts only to self-healing. “We’re seeing a shift away from simply reporting identity-related problems that the IAM stack discovers toward the IAM stack being responsible for some degree of automated response,” said Lanzi. “This kind of self-healing capability is dependent on two trends: bringing AI/ML to the authentication world and bringing IAM into the broader information security ecosystem. It is now expected that when the IAM solution finds an account with too much access, or with some other policy violation, that the IAM solution itself does something to actually solve that problem, rather than just have that violation listed on a report that won’t be read until the next audit.
“This kind of real-time detection/response, at the identity layer, is truly novel—and represents a compliance, user experience and security boon for information security teams,” Lanzi added.
5) IAM converges cyber and physical access management. “IAM will converge the cybersecurity and physical security domains over the next 12 to 60 months,” predicted C. Brock Rabon, cyber evangelist at KBRWyle, the global government services business of KBR, formerly a subsidiary of Halliburton. “Escalating costs in both markets will drive the need for users to have a single identity to attribute their access to resources and physical access. This will result in greater fidelity in both domains and physical security being absorbed into the cybersecurity domain.”
Re-evaluate your IAM products, services and protocols with an eye toward these expected impacts after GDPR comes into full force. Prepare for changes ahead and how you’ll want to leverage them.
“IAM—specifically, customer identity and access management—has become a prominent topic of the GDPR preparedness conversation,” said Sarah Squire, senior technical architect at Ping Identity.
“Since GDPR is all about knowing who is accessing a particular application or website, when they are doing so and whether they are authorized to do so, IAM serves as a tool to address these various compliance issues. As the GDPR implementation date inches closer, IAM is top of mind for those in charge of ensuring compliance at their organizations.”