An important part of GDPR concerns restricting access to organisational information systems, equipment and their operating environments to authorised individuals only, which in practice calls for strong, multi-factor authentication as well as physical access controls. Are you ready?
Mapping the GDPR article to authentication
GDPR greatly expands the requirements for organisations to verify identity. The regulation does not name passwords or mandate any particular technology, but its demand for security "appropriate to the risk" makes a password on its own very hard to defend. Organisations will need to verify the legitimacy of user identities and transactions and to demonstrate compliance, or face fines of up to €20 million or four percent of total annual worldwide turnover, whichever is higher (Article 83). So let’s take a look at the articles of GDPR and how they call for stricter authentication controls.
Article 5 sets out the principles relating to the processing of personal data. Article 5(1)(f) says that, however data is processed, it must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage (the integrity and confidentiality principle). Multi-factor authentication is one of the main ways to meet this. It gives much stronger assurance that a user is who they claim to be by combining factors from different categories: something you have (such as a token or smart card), something you know (a PIN or password) and something you are (a biometric). The factors must be independent to count as separate factors: a password plus a security question is still only "something you know". The more independent factors used to establish a person’s identity, the greater the assurance of authenticity.
Requiring a second authentication factor means that a stolen password alone is not enough to gain access to sensitive systems. Note that a one-time code can still be phished in real time, which is why phishing-resistant factors such as smart cards or FIDO authenticators are preferred for the most sensitive systems.
Article 24 makes the controller responsible for implementing appropriate technical and organisational measures, taking into account the nature, scope, context and purposes of processing and the likelihood and severity of the risks to individuals. This not only covers the data itself, but calls for solutions that restrict access to corporate networks, protect the identities of users, and ensure users are who they claim to be. As a first-line approach to data security, requiring multiple factors of authentication to verify a user’s identity helps mitigate the risk of unauthorised users accessing sensitive systems to read or manipulate data.
Article 32 (security of processing) requires a level of security appropriate to the risk, and calls for organisations to consider risks such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data when choosing that level of security. Authentication solutions make it harder for unauthorised users to access sensitive environments while also mitigating the risk posed by administrators with privileged access.
Authentication solutions such as Public Key Infrastructure (PKI) or access management services offer a complete set of provisioning rules and policy engines that cover privileged users and the varying levels of security they may need for their roles. Organisations can increase or decrease the level of access security to their data and network according to the sensitivity of the data concerned. In addition, PKI enables other advanced security functionality, such as digital signatures and email encryption, as well as physical access, which we’ll talk about next.
Article 33 covers notification of a personal data breach to the supervisory authority, normally within 72 hours of becoming aware of it; to meet that deadline an organisation needs to know who accessed what, and when. Closely related, Article 32(4) (and Article 29) require that anyone acting under the authority of the controller or processor processes personal data only on the controller’s instructions. Access management solutions apply rules in real time to users based on their group membership and their need to access certain levels of personal data. The rules’ default setting can keep users out of processing systems, or grant only a narrow level of access, until instructions are given by the data controller. Once processing is complete, administrators can return settings to a more restrictive default that prevents any further data processing. In addition, some authentication solutions provide extensive log and report mechanisms that give up-to-date snapshots of all authentication and management events, which is exactly the evidence needed when investigating and notifying a breach.
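To make the two mechanisms above concrete (a second factor that defeats a stolen password, and a default-deny, group-based access rule whose decisions are logged), here is a self-contained Python example. It is an added illustration, not code from the original post or from Gemalto; the user names, groups, resources, policy table and secrets are all constructed, and the TOTP secret in the usage section is the RFC 6238 test key rather than anything real.

```python
"""Password + TOTP second factor, default-deny group policy, and an audit log.

Added example, not from the original post. Users, groups, resources, the
policy table and the secrets are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30


def hash_password(password, salt):
    """Salted, slow PBKDF2-HMAC-SHA256: the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the 30 s window containing Unix time `at`."""
    counter = struct.pack(">Q", at // TOTP_STEP)           # HOTP counter = T / step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, at, window=1):
    """Accept the current window plus/minus `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * TOTP_STEP), code)
        for drift in range(-window, window + 1)
    )


def make_user(password, groups, totp_secret=None):
    """Create a constructed user record; a fresh random TOTP secret unless one is given."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "hash": hash_password(password, salt),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "groups": set(groups),
    }


# Default-deny policy: (resource, action) -> groups explicitly allowed.
# Anything not listed is denied, matching the "restrictive default" in the text.
POLICY = {
    ("customer_records", "read"): {"support", "dpo"},
    ("customer_records", "export"): {"dpo"},
}

_DUMMY_SALT = b"\x00" * 16   # keeps timing similar for unknown users (avoids enumeration)


def authenticate(users, username, password, code, at, audit):
    """Both factors must pass; every outcome is appended to the audit log."""
    user = users.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)   # burn the same time as a real check
        audit.append({"t": at, "user": username, "event": "auth.fail", "reason": "unknown_user"})
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        audit.append({"t": at, "user": username, "event": "auth.fail", "reason": "bad_password"})
        return False
    if not verify_totp(user["totp_secret"], code, at):
        # A stolen password alone lands here: first factor ok, second factor missing.
        audit.append({"t": at, "user": username, "event": "auth.fail", "reason": "bad_totp"})
        return False
    audit.append({"t": at, "user": username, "event": "auth.ok"})
    return True


def authorize(users, username, resource, action, at, audit):
    """Group-based, default-deny access decision, also written to the audit log."""
    allowed = bool(users[username]["groups"] & POLICY.get((resource, action), set()))
    audit.append({"t": at, "user": username, "event": "authz.allow" if allowed else "authz.deny",
                  "resource": resource, "action": action})
    return allowed


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test key, so the code for T=59 is "287082".
    users = {"alice": make_user("correct horse", {"support"}, b"12345678901234567890")}
    audit = []
    print(authenticate(users, "alice", "correct horse", "287082", 59, audit))   # True
    print(authenticate(users, "alice", "correct horse", "000000", 59, audit))   # stolen password only
    print(authorize(users, "alice", "customer_records", "export", 59, audit))   # not in "dpo"
    for event in audit:
        print(event)
```

The audit list stands in for the "log and report mechanisms" the text mentions: a breach investigation can replay it to see exactly which identities authenticated, which second factors failed, and which access decisions were taken, with timestamps.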
Authentication and access management solutions come in many shapes and sizes, including cloud access management, PKI, certificate-based authentication, one-time password authentication, identity federation, complete lifecycle management and auditing tools. We hope you find this blog helpful in planning your authentication needs for GDPR.
For more information on GDPR’s due diligence requirements along with other topical issues such as breach notification, security, and data control obligations, check out our expanded ebook, The General Data Protection Regulation.
View the original post by Gemalto.