Identity Access Management for GDPR: The Why, the When and the How

IAM and GDPR

EU’s General Data Protection Regulation (GDPR) took effect just a few days ago, on May the 25th, 2018. Still, research indicates that half of the organizations across EU and USA are not even aware of it.
 
This post is for those who want to understand the gist of GDPR and are interested in learning how an Identity and Access Management (IAM) solution can help their organization comply.

The Why 

According to a survey from Ubisecure, 50% of companies agree that GDPR compliance is impossible without proper IAM. But what is IAM?

An IAM solution provides a centralized mechanism for controlling user actions at different access points. To do that, you can’t avoid dealing with so-called “personally identifiable information,” or PII for short. 

Now, if you are at least somewhat familiar with GDPR, you know that PII is what the whole fuss is about. The new regulation does not always force you to get users’ explicit consent for processing their data (you can have other legal bases for that). But when it does, PII can land you in trouble if it is mismanaged or not thoroughly protected. 

Here’s where IAM can facilitate GDPR compliance significantly. Most customer-facing businesses can’t operate without capturing, storing and processing PII. Besides, users have new rights such as the right to access, rectify, remove or transport their data. An effective IAM solution can make these processes consistent and secure.
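As an added illustration (not code from the original post and not ObjectStyle’s product), here is a small centralized identity store that services the data-subject rights just mentioned in one place: access/portability as a machine-readable export, rectification limited to fields the subject owns, and erasure that also revokes the subject’s live sessions. The audit trail records each request with a hashed subject id so it can be retained after erasure without itself holding PII. All user ids, e-mail addresses and consent flags are constructed sample values.

```python
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Fields a data subject may correct; system metadata such as created_at is not rectifiable.
RECTIFIABLE = {"email", "name", "consents"}


class IdentityStore:
    """Central user store shared by all apps (constructed example, not a product)."""

    def __init__(self):
        self._users = {}      # user_id -> profile (constructed data)
        self._sessions = {}   # session token -> user_id
        self.audit_log = []   # request history; hashed ids only, never raw PII

    def _audit(self, action, user_id, outcome):
        # Hash the id so the audit trail stays useful after erasure
        # without becoming personal data in its own right.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "subject": hashlib.sha256(user_id.encode()).hexdigest()[:16],
            "outcome": outcome,
        })

    def register(self, user_id, email, name, consents):
        self._users[user_id] = {
            "email": email,
            "name": name,
            "consents": dict(consents),   # e.g. {"marketing": False}
            "created_at": datetime.now(timezone.utc).isoformat(),
        }
        self._audit("register", user_id, "ok")

    def issue_session(self, user_id):
        if user_id not in self._users:
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = user_id
        return token

    def session_user(self, token):
        return self._sessions.get(token)

    # Right of access / portability: everything held, in a JSON-safe structure.
    def export(self, user_id):
        profile = self._users.get(user_id)
        self._audit("access", user_id, "ok" if profile else "unknown-subject")
        if profile is None:
            return None
        return json.loads(json.dumps({"user_id": user_id, **profile}))

    # Right to rectification: only subject-owned fields may change.
    def rectify(self, user_id, field, value):
        profile = self._users.get(user_id)
        if profile is None or field not in RECTIFIABLE:
            self._audit("rectify", user_id, "refused")
            return False
        profile[field] = value
        self._audit("rectify", user_id, "ok")
        return True

    # Right to erasure: drop the profile and revoke every live session for it.
    def erase(self, user_id):
        if user_id not in self._users:
            self._audit("erase", user_id, "unknown-subject")
            return False
        del self._users[user_id]
        for token in [t for t, u in self._sessions.items() if u == user_id]:
            del self._sessions[token]
        self._audit("erase", user_id, "ok")
        return True


if __name__ == "__main__":
    store = IdentityStore()
    store.register("u-1001", "alice@example.com", "Alice", {"marketing": False})
    print(json.dumps(store.export("u-1001"), indent=2))
    store.erase("u-1001")
    print(json.dumps(store.audit_log, indent=2))
```

The point of routing every app through one store is that each right has exactly one implementation: an erasure request cannot be honoured by one application and forgotten by another, and session revocation happens in the same step rather than being left to each app.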

The When 

Another question that arises is when you would need an IAM solution in place. This is common sense: every app that provides registration forms and uses some mechanism for identifying users in the system (they could be humans, bots, APIs, etc.) needs a centralized IAM system.

One can argue that you could do without creating a unified IAM system, but this would only add to the complexity, ambiguity, and confusion. In the end, compliance may cost you more than it would if you had an IAM solution in place.

The How

The “how” is probably the most challenging question to answer. The system one needs depends on the specifics of the organization’s (or the application’s) IT platform. 

There are also quite a few vendors out there that have the necessary expertise and can create an end-to-end IAM solution for you. And they each have their own approach, technology stack, level of granularity, capabilities, reporting options, etc.

For instance, at ObjectStyle, we offer an all-round IAM solution that includes a common base where you manage all apps, IDs, permissions, security policies, and what not. We can also implement two-factor authentication, single sign-on, security tokens, and other extras, if necessary.

Planning Ahead

There’s a lot of talk on the Internet about the need to move away from the standard user-password combo as a principal means of identifying users.

Many organizations, including some big tech players, employ multi-factor authentication, biometrics-based authentication, and other means of adding extra security to their systems. GDPR might only be the beginning, and countries like Australia and the US are working on similar laws to secure their citizens’ information. 

Still, there’s a lot of room for improvement. As per Gemalto (quoted above), 59% of organizations say they’re under pressure to enable SSO as an access management capability (which means they don’t have it yet). At the same time, 96% expect their organization to expand the use of two-factor authentication to protect all applications in the future.