New data privacy laws are making an impact on individuals and businesses alike, and loss of data due to a breach can have significant impacts on organizations worldwide. Naturally, those laws also impact the software we buy and the security we put in place, but what do privacy laws really mean to security practitioners?
From a security standpoint, the wide-ranging privacy laws in place around the world may not be of particular interest. But in an era of identity-related breaches, security practitioners must think carefully about the impacts of data privacy requirements on security. Increasingly, that means that security teams need to be concerned about identity and identity transfer.
Identity models
There are two basic identity models: centralized and federated. In the centralized identity model there is a one-to-one relationship between an account and a web or application interface. This exchange of usernames and passwords should be protected using basic protocols, such as HTTPS, SSL, and TLS.
The federated identity model is familiar to most users, because it provides a single sign-on experience for multiple accounts using common logins, such as Google, Facebook, and Microsoft, among others. All of them allow end users to log in once to access different resources using technologies such as Security Assertion Markup Language (SAML), OAuth, and OpenID to authenticate and pass privileges. The federated authentication model reduces the barrier for users to sign up for new sites and services and enables authentication across multiple platforms.
In security, however, it can be true that the easier something is to use, the less secure it is. In this case, both models have some significant limitations. The identities aren’t unique — often the email address, login identifier, and phone number can be reassigned. Because the identities are issued by private entities, no one “owns” the identity. The identity data may be lost in a data breach and identities may be revoked. Finally, identities aren’t portable. Currently, no standard exists to exchange identities universally, so these identities aren’t truly portable.
What is identity portability?
Identity portability sounds great, in theory, particularly to end users who are tired of creating and storing secure credentials for all the apps they use. Often, the idea of creating a single set of credentials to log into multiple services is appealing. But identity portability is not a good practice from a security perspective, and many organizations are not going to trust that an identity has been thoroughly vetted according to their standards. To solve these issues, organizations and individuals alike need a way for users to control and manage their credentials in digital form in a way that allows for greater identity portability while maintaining security standards.
At the same time, organizations must protect their users’ identity, secure identity data, and require (and enable) appropriate authentication, while users need to use the best tools available to them to protect their own identity.
What individuals need to know about identity data & access
You need to recognize that you have a digital identity with access to every service you use. That includes your bank, your credit card company, your health insurance carrier, Amazon, LinkedIn — every site, application, or service that you set up a username and password on to enable you to access or use it. To manage your identity data, you should classify these identities. What are the accounts you need to use daily? What accounts are for limited time use? What accounts contain privileged information? Understanding these different types of identities is important, and identifying the ones that enable access to your banking and healthcare identities is critical.
Consider those accounts the ones that you need to protect most carefully and set up authentication protocols that are in line with the importance of that identity data. Could someone steal your healthcare information and commit medical fraud? Could they steal your financial information to steal your identity? At a minimum, you need to use multifactor authentication (MFA); the method you use should align to how carefully you need to protect the identity data.
The following are the most common authentication options:
- Email codes and text or call one time passwords (OTPs) are better than nothing, but they are more vulnerable to hackers than other methods.
- Biometric verification (such as fingerprint identification or facial recognition) is convenient, but you should not use it alone or instead of a password.
- Authentication apps (such as those from Microsoft, Google, Apple, and LastPass) provide another authentication option: you enter a verification code, shown by an app on a phone or computer, that changes every thirty seconds. In some cases, the app also notifies you if someone is trying to access your account.
- Physical keys (such as the Yubico Security Key) provide the highest level of security possible, because access to the account is blocked unless you have both the password and access to the physical key.
While this puts a lot of emphasis on the responsibility of individuals to protect their identity information, it’s important to note that organizations play a role here as well. Many organizations do not offer MFA, or they only offer email/text/call codes. Integrating stronger security options into their identity authentication processes can help individuals better manage access to their identities.
Handling identity information when consumers move
Improving users’ identity management options is not the only thing organizations need to think about, however. Data privacy laws are so complex that it’s essential for businesses to understand where their employees and consumers live and what privacy laws apply to their identity data. Not only that, but they also need to track when people move, where they move to, and whether different laws apply based on these new locations.
For example, while Massachusetts has some privacy laws, California has a different, more comprehensive set of laws. Privacy laws can even apply to a single city, such as New York City. And the European Union requires adherence to the General Data Protection Regulation (GDPR) for any organization that targets or collects data related to people in the European Union. Depending on where an individual lives, you may need to be able to show what information you have about the person, how the data can be used, how the person can opt out of data usage, and of course, the ability for the person to be forgotten.
Real implications of identity transport & privacy
For all these reasons, it’s particularly important for any organization that retains identity information to know the current jurisdictions for the people whose identity information they hold. Many organizations may not have thought this through, thinking that the identity information they hold belongs to people who will remain in a single privacy jurisdiction, but this is a short-sighted view that could harm them long term. The option to work remotely has allowed more individuals to work in diverse locations, resulting in many moving to different states or even countries. If there are enough privacy violations, different regulatory bodies could come after you, resulting in fines for your organization or even jail time for your CEO. Understanding how identity is managed and authenticated, the degree to which an identity is portable, how to enable and support end users to better control access to their identities, and what the implications are for identities transported across privacy jurisdictions is critical for data privacy professionals, security practitioners, and leadership teams today.