Last updated: 17 October 2017
My colleague Alex Hanway has been running a great blog series around GDPR compliance and is courteously allowing me to butt in to talk about authentication. If you haven’t been following, check out his previous posts to date on a Deeper dive into GDPR.
An important part of GDPR addresses the need for strong, two-factor authentication, as well as physical access controls that restrict organizational information systems, equipment, and their operating environments to authorized individuals. Are you ready?
Mapping the GDPR article to authentication
GDPR greatly expands the requirements for organizations to prove identity, and essentially aims to retire the password once and for all. Organizations will need to verify the legitimacy of user identities and transactions, and to prove compliance, or face large fines, which can exceed four percent of an organization’s global revenue or €25 million. So let’s take a look at the articles of GDPR and how they call for stricter authentication controls.
Article 5 covers principles relating to processing of personal data. It says that, however data is processed, it needs to be secured from unauthorized access and loss. This is achieved through multi-factor authentication. Multi-factor authentication ensures a user is who they claim to be, and is achieved by combining the following factors: something you have (such as a token or smart card), something you know (PIN or password) and/or something you are (biometric). The more independent factors used to determine a person’s identity, the greater the confidence in its authenticity.
Asking for a second authentication factor ensures a simple stolen password won’t be sufficient to gain unfettered access to sensitive systems.
Article 24 says organizations are required to take reasonable security measures that respond to the likely risks and threats they face. This not only covers the data itself, but calls for solutions that restrict access to corporate networks, protect the identities of users, and ensure users are who they claim to be. As a first line approach to data security, requiring multiple factors of authentication to verify a user’s identity helps mitigate the risk of unauthorized users accessing sensitive systems to manipulate data.
Article 32 covers security of processing, and requires organizations to consider the risks associated with data processing, such as data loss and unauthorized access, when choosing the appropriate level of security. Authentication solutions make it harder for unauthorized users to access sensitive environments while also mitigating the risk posed by administrators with privileged access.
Authentication solutions such as Public Key Infrastructure (PKI) or access management services offer a complete set of provisioning rules and policy engines that cover privileged users and the varying levels of security they may need for their roles. Organizations can increase or decrease the level of access security to their data and network according to the level of sensitivity of the data concerned. In addition, PKI allows for other advanced security functionality, such as digital signature and email encryption as well as physical access that we’ll talk about next.
Article 33 covers notification of a personal data breach to the supervisory authority. Organizations will need to ensure individuals only process data when authorized. Authentication solutions automatically apply rules in real time to users based on their group membership and their need to access certain levels of private data. The rules’ default setting can keep users out of processing systems, or grant only a narrow level of access, until instructions are given by the data controller. Once processing is complete, administrators can return settings to a more restrictive default that prevents any further data processing. In addition, some authentication solutions provide extensive logging and reporting mechanisms that give up-to-date snapshots of all authentication and management events.
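To make the two mechanisms above concrete, here is an added example (not code from this post or from any vendor product) of a small default-deny policy engine: group-based rules that only apply once the data controller has enabled processing for that group, a second-factor requirement for personal data verified with a standard HOTP/TOTP check (RFC 4226 / RFC 6238), and an audit record for every decision. All user, group and rule names are constructed; the secret is the RFC 4226 test key, used here only so the output is deterministic.

```python
"""Added illustration of default-deny, group-based access rules with a
second-factor requirement and an audit log. Names are constructed."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Sensitivity(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    PERSONAL = 3  # personal data in the GDPR sense


@dataclass
class Rule:
    group: str                      # group the rule applies to (constructed names)
    max_sensitivity: Sensitivity    # highest data class this group may touch
    second_factor_required: bool = False


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                step: int = 30, skew: int = 1) -> bool:
    """RFC 6238 TOTP check, tolerating +/- `skew` time steps of clock drift.
    Comparison is constant-time so the check itself leaks nothing about the code."""
    counter = int((time.time() if now is None else now) // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


@dataclass
class PolicyEngine:
    rules: List[Rule]
    enabled_groups: Set[str] = field(default_factory=set)  # controller's instruction
    audit: List[Dict] = field(default_factory=list)        # one event per decision

    def enable_processing(self, group: str) -> None:
        self.enabled_groups.add(group)

    def disable_processing(self, group: str) -> None:
        """Return the group to the restrictive default once processing is done."""
        self.enabled_groups.discard(group)

    def decide(self, user: str, groups: Set[str], sensitivity: Sensitivity,
               second_factor_ok: bool) -> str:
        """Return 'allow' or a denial reason. No matching enabled rule means deny."""
        reason = "no_matching_rule"
        for rule in self.rules:
            if rule.group not in groups or rule.group not in self.enabled_groups:
                continue
            if rule.max_sensitivity < sensitivity:
                reason = "sensitivity_exceeds_rule"
                continue
            if rule.second_factor_required and not second_factor_ok:
                reason = "second_factor_required"
                continue
            reason = "allow"
            break
        self.audit.append({"user": user, "sensitivity": sensitivity.name,
                           "second_factor": second_factor_ok, "decision": reason})
        return reason


def demo() -> List[str]:
    """Walk through the lifecycle described in the post; returns the decisions."""
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed setup)
    engine = PolicyEngine(rules=[
        Rule("analysts", Sensitivity.INTERNAL),
        Rule("dpo-team", Sensitivity.PERSONAL, second_factor_required=True),
    ])
    t = 59  # fixed clock so the one-time code is deterministic
    good_code = hotp(secret, t // 30)
    out = []
    # Nothing enabled yet: the restrictive default denies a well-formed request.
    out.append(engine.decide("ana", {"analysts"}, Sensitivity.INTERNAL, False))
    engine.enable_processing("analysts")
    engine.enable_processing("dpo-team")
    out.append(engine.decide("ana", {"analysts"}, Sensitivity.INTERNAL, False))
    out.append(engine.decide("ana", {"analysts"}, Sensitivity.PERSONAL, False))
    out.append(engine.decide("dan", {"dpo-team"}, Sensitivity.PERSONAL,
                             verify_totp(secret, "000000", now=t)))
    out.append(engine.decide("dan", {"dpo-team"}, Sensitivity.PERSONAL,
                             verify_totp(secret, good_code, now=t)))
    engine.disable_processing("dpo-team")  # processing complete: back to default
    out.append(engine.decide("dan", {"dpo-team"}, Sensitivity.PERSONAL, True))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks matters: membership and the controller's enablement gate come first, then the data class, then the second factor, so a stolen password alone (second factor absent) never reaches personal data, and a group the controller has not enabled is denied even when its rule would otherwise match. The audit list is what a report mechanism would export.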
Authentication and access management solutions come in many shapes and sizes, including cloud access management, PKI, certificate-based authentication, one-time password authentication, identity federation, complete lifecycle management and auditing tools. We hope you find this blog helpful in planning your authentication needs for GDPR.
For more information on GDPR’s due diligence requirements along with other topical issues such as breach notification, security, and data control obligations, check out our expanded ebook, The General Data Protection Regulation.