One of the requirements of the European Union's General Data Protection Regulation (GDPR) is the implementation of appropriate data security measures to protect an EU resident's personal data, which is any data that directly references a person or that can be used to indirectly identify a person. This includes first/last names, email addresses, physical addresses, and other similar types of data. In addition, there are "special categories" of data, or sensitive personal data, that need to be protected at a higher level. This includes things like religious affiliation, health records, political opinions, and racial or ethnic origin.
Identity and access management can help protect personal data by ensuring:
- Authorization—Only users who need to access the data can, in fact, access it.
- Authentication—Users who access information are who they say they are at the time of access.
- Certification—There is a continuous process of access reviews and certifying proper authorization controls, given the constant flux of users who need access to information. (Consider the handling of new hires, transfers, promotions, terminations, and additions of users resulting from mergers and acquisitions.)
- Auditability—The organization has the ability to effectively govern authorization, certification and authentication.
While minimizing identity risk can help achieve the goal of protecting personal data, it's also important to deliver access that's both convenient and secure in the process. User convenience and productivity are vital considerations because you don't want to frustrate your employees or consumers, or impede productivity on the way to compliance. Here are some identity and access management capabilities that balance security and convenience:
- Risk-based multi-factor authentication—The appropriate level of authentication is based on the impact of rogue access to the application and data, and the current risk associated with the access request. Users need to step up only if the risk is high.
- Flexible and modern authentication options—Organizations can create policies to accommodate classic security needs, address various user types and provide a variety of modern, mobile-enabled authentication options. Some examples are push notification, biometric authentication such as fingerprint or face verification, one-time passcode using mobile, hardware and software tokens, and SMS.
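To make the risk-based step-up idea concrete, here is an added example of a small authentication policy engine. It is illustrative code written for this page, not RSA's product logic: the signal names, point values, thresholds and the three assurance levels are assumptions. It combines the two inputs the text names, the impact of rogue access (how sensitive the data behind the application is, with GDPR special-category data rated highest) and the risk of the current request (unknown device, unusual country, recent failed logins, off-hours access), and only asks the user to step up when that combination warrants it.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication assurance levels, weakest to strongest (assumed tiers)."""
    PASSWORD = 1        # primary credential only
    PUSH_OR_OTP = 2     # step-up: push notification, app/SMS one-time passcode
    HARDWARE_TOKEN = 3  # step-up: hardware token or biometric verification


# Impact side: how sensitive is the data behind the application?
# "special" stands for GDPR special-category data (health, religion, ...).
DATA_IMPACT = {"public": 0, "personal": 1, "special": 2}


@dataclass
class AccessRequest:
    user: str
    application: str
    data_class: str               # key of DATA_IMPACT
    known_device: bool = True     # device previously enrolled/seen for this user
    usual_country: bool = True    # request comes from the user's usual country
    failed_logins_last_hour: int = 0
    off_hours: bool = False


def context_risk(req: AccessRequest) -> int:
    """Risk points for the circumstances of this particular request (assumed weights)."""
    points = 0
    if not req.known_device:
        points += 2
    if not req.usual_country:
        points += 2
    if req.failed_logins_last_hour >= 3:
        points += 1
    if req.off_hours:
        points += 1
    return points


def required_assurance(req: AccessRequest) -> Assurance:
    """Combine data impact and request risk into the level the user must meet."""
    impact = DATA_IMPACT[req.data_class]
    risk = context_risk(req)
    if impact == 0:                      # no personal data: never step up
        return Assurance.PASSWORD
    if impact == 1:                      # ordinary personal data
        if risk == 0:
            return Assurance.PASSWORD
        return Assurance.PUSH_OR_OTP if risk < 4 else Assurance.HARDWARE_TOKEN
    # special-category data always needs a second factor; strongest when context is risky
    return Assurance.PUSH_OR_OTP if risk < 2 else Assurance.HARDWARE_TOKEN


def decide(req: AccessRequest, presented: Assurance) -> str:
    """'allow' if the factors already presented satisfy the policy, else the step-up needed."""
    needed = required_assurance(req)
    return "allow" if presented >= needed else f"step_up:{needed.name}"


if __name__ == "__main__":
    # Constructed request: special-category data from a device not seen before
    r = AccessRequest("alice", "hr-portal", "special", known_device=False)
    print(required_assurance(r).name, decide(r, Assurance.PASSWORD))
```

The point of separating `context_risk` from `DATA_IMPACT` is that the same unknown device is a non-event on a public wiki but a step-up trigger on an application holding health records; a real deployment would also log every decision and its inputs so the auditability requirement above is met.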
Another important consideration is getting the line of business involved in access decisions. After all, they really know who should have access to what information to get the job done. Key capabilities to enable business-driven access decisions include:
- Empowering the business with proper authorization driven by business needs
- Providing a single view of the user across identity stores (on-premises and in the cloud) to enable holistic decisions
- Providing risk-based access certifications that prioritize action on access violations by their impact on the business, so the line of business can act first on what matters most
- Making information for certifying access reviews easy for business users to understand and act on, to reduce the risk of errors and avoid rubber-stamping
- Providing reporting capabilities to meet compliance requirements
Finally, sharing information between the compliance technologies used across the organization can drive value beyond compliance itself. When the GRC team is evaluating the overall risk posture and sensitive data assets, for example, it can take into account information from identity and access management tools (such as the number of orphaned accounts an application has, or instances of excess access) as it decides whether to raise the risk level and take action. Similarly, the identity team can benefit from information provided by GRC tools about application criticality and data classification, which can be used within the context of certification reviews and access policy decisions.
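The two-way exchange described above, as an added example that is not part of the original post or any RSA product: identity data (application accounts and their entitlements) is joined with an HR roster to find orphaned accounts and excess access, GRC data (application criticality and data classification) is used to rank those findings for certification reviewers, and per-application counts are produced that the GRC team can fold back into its risk assessment. All records, role baselines, criticality scores and weights are constructed for illustration.

```python
from collections import Counter

# Weight of the GRC data classification when ranking findings (assumed values)
DATA_CLASS_WEIGHT = {"public": 1, "personal": 2, "special": 3}

# --- Constructed sample data (illustrative, not real records) ---
HR_ROSTER = {
    "e100": {"status": "active", "role": "hr_clerk"},
    "e101": {"status": "active", "role": "engineer"},
    "e102": {"status": "terminated", "role": "hr_clerk"},
    "e103": {"status": "active", "role": "nurse"},
}
ACCOUNTS = [  # one entry per application account, as an IAM tool would export it
    {"app": "payroll", "owner": "e100", "entitlements": {"view_salary"}},
    {"app": "payroll", "owner": "e102", "entitlements": {"view_salary", "edit_salary"}},
    {"app": "payroll", "owner": "e999", "entitlements": {"admin"}},  # no HR record at all
    {"app": "wiki", "owner": "e101", "entitlements": {"read", "admin"}},
    {"app": "health_portal", "owner": "e103", "entitlements": {"view_records", "export_records"}},
]
ROLE_BASELINE = {  # entitlements a job role is expected to hold per application
    ("payroll", "hr_clerk"): {"view_salary"},
    ("wiki", "engineer"): {"read"},
    ("health_portal", "nurse"): {"view_records"},
}
GRC_APPS = {  # what the GRC tool knows: criticality (1-5) and data classification
    "payroll": {"criticality": 5, "data_class": "personal"},
    "health_portal": {"criticality": 4, "data_class": "special"},
    "wiki": {"criticality": 1, "data_class": "public"},
}


def orphaned_accounts(accounts, roster):
    """Accounts whose owner is missing from HR or is no longer active."""
    return [a for a in accounts if roster.get(a["owner"], {}).get("status") != "active"]


def excess_access(accounts, roster, baseline):
    """(account, extra entitlements) for active owners holding more than their role's baseline."""
    findings = []
    for a in accounts:
        person = roster.get(a["owner"])
        if not person or person["status"] != "active":
            continue  # orphans are reported separately
        allowed = baseline.get((a["app"], person["role"]), set())
        extra = a["entitlements"] - allowed
        if extra:
            findings.append((a, extra))
    return findings


def certification_queue(accounts, roster, baseline, grc):
    """Findings for reviewers, ranked by application criticality x data classification."""
    items = []
    for a in orphaned_accounts(accounts, roster):
        items.append({"app": a["app"], "owner": a["owner"], "finding": "orphaned",
                      "detail": sorted(a["entitlements"])})
    for a, extra in excess_access(accounts, roster, baseline):
        items.append({"app": a["app"], "owner": a["owner"], "finding": "excess",
                      "detail": sorted(extra)})
    for item in items:  # GRC context decides what the business should look at first
        meta = grc[item["app"]]
        item["priority"] = meta["criticality"] * DATA_CLASS_WEIGHT[meta["data_class"]]
    items.sort(key=lambda it: (-it["priority"], it["app"], it["owner"]))
    return items


def identity_signals_for_grc(accounts, roster, baseline):
    """Per-application counts the GRC team can fold into its own risk assessment."""
    orphans = Counter(a["app"] for a in orphaned_accounts(accounts, roster))
    excess = Counter(a["app"] for a, _ in excess_access(accounts, roster, baseline))
    apps = {a["app"] for a in accounts}
    return {app: {"orphaned_accounts": orphans[app], "excess_access": excess[app]}
            for app in sorted(apps)}


if __name__ == "__main__":
    for item in certification_queue(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, GRC_APPS):
        print(item["priority"], item["app"], item["owner"], item["finding"], item["detail"])
    print(identity_signals_for_grc(ACCOUNTS, HR_ROSTER, ROLE_BASELINE))
```

Each queue item carries the concrete entitlements in question rather than an opaque account name, which is what lets a business reviewer understand and act on the review instead of rubber-stamping it; the `health_portal` finding outranks the payroll orphans because special-category data weighs more than ordinary personal data in this ranking.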
A strong, comprehensive identity and access management program is an important tool for meeting the goal of protecting personal data—starting at the front door.
When it comes to GDPR, it's important to control access to personal data. Download this new infographic and see how the RSA SecurID® Suite, including RSA SecurID® Access and RSA® Identity Governance and Lifecycle, is designed to work as part of an integrated approach to tackle the requirements of GDPR.
Author: Ayelet Biger-Levin
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: Compliance, Data Privacy, GRC, GDPR