Blog posts by John Tolbert
As the May 25th, 2018 GDPR enforcement date approaches, more and more companies are actively taking steps to find, evaluate, and protect the personally identifiable information (Personal Data) of EU persons. Organizations that do business with EU persons are conducting data protection impact assessments (DPIAs) to find Personal Data under their control. Many are also asking “do we need to keep the data?” and putting into practice data minimization principles. These are good measures to take.
IT and privacy professionals are inventorying HR, CRM, CIAM, and IAM systems, which is reasonable since these likely contain Personal Data. Administrators should also consider performing DPIAs on security solutions.
Security solutions such as SIEMs, EMMs, and Endpoint Security/EDR tools collect lots of data, including Personal Data, for analysis. The following types of Personal Data (as defined by GDPR) are among those routinely harvested for ongoing security and risk analysis:
- Email address
- User attributes, including organizational affiliations, citizenship, group membership
- IP address
- User-created data files
Most security solutions offer a choice between on-premises analysis and cloud-based analysis. As an example, most anti-malware products “scoop up” suspicious files for deep inspection in the vendor’s cloud, which may be outside the EU. Some vendor solutions are configurable in terms of what attributes can be collected and/or sent elsewhere for analysis; some are not.
Any processing of Personal Data is regulated under GDPR. The definition of processing (Article 4(2)) is so wide that it almost certainly includes these forms of collection, scanning, and analysis.
In light of GDPR, one question administrators should ask is “Is this information collected with user consent?” In some cases, user consent will be required. However, consent is only one of the lawful bases in GDPR Article 6; personal data may also be processed for the following purposes:
- for the performance of a contract or legal obligation;
- to protect the vital interests of the data subject;
- for a task in the public interest;
- or where processing is necessary for the legitimate interests of the controller.
Moreover, there will be situations in which Personal Data is processed by more than one party, for example by the organization itself and by a security vendor’s cloud service. In these shared-processing scenarios, all entities involved in processing share responsibility for ensuring that the use of Personal Data is authorized under one of the GDPR-specified purposes above.
Security administrators should work with their DPOs and legal team to address the following additional points:
- Determine which of your deployed security solutions collect which kinds of data; in effect, do DPIAs on security solutions.
- Ascertain where this data goes: local storage? Telemetry transmitted to the cloud? If so, does it stay in the EU? Could it go outside the EU? GDPR defines the notion of data protection adequacy with regard to countries and organizations outside the EU. The Official Journal of the EU will publish and maintain a list of locations for which no additional data transfer agreements will be required.
- If the security scanning or analysis is performed by a third party or cloud provider, wherever it is done there must be a written legal agreement between controller and processor as set out in Article 28(3).
- Do your security solutions permit Personal Data anonymization? GDPR Recital 26 states that data which has been rendered anonymous, so that the data subject is not or no longer identifiable, falls outside the data protection mandates. However, SIEMs and forensic tools sometimes need to be able to pinpoint users. Specifically, IP addresses and user credentials are almost always necessary and serve as “primary keys” on which security analyses are based. Within your security solutions, is it possible to mask user data for external analysis, but keep the details encrypted locally, so that they can be unmasked by authorized security analysts during investigations? This is a difficult technical challenge, which is not supported yet by many security vendors. Note the distinction GDPR draws here: masking that can be reversed with a separately held key or lookup table is pseudonymization (Article 4(5)), and pseudonymized data is still Personal Data; only irreversible anonymization takes data out of scope. Regardless, even local processing of data elements such as IP address falls under the jurisdiction of GDPR.
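One way to approach the masking question above, as an added example rather than code from the original post: the constructed Python below pseudonymizes the IP addresses and e-mail addresses in log lines with a keyed HMAC before the telemetry leaves the organization. Identical values map to identical tokens, so an external SIEM can still correlate events, while the token-to-original table stays local and can only be read by analysts holding an (assumed) incident-responder role. The key, the sample log lines, the regular expressions and the role name are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, List, Set

# Constructed sample telemetry (RFC 5737 documentation addresses, example.com mailboxes).
SAMPLE_LOGS = [
    "2018-04-10T09:12:01Z sshd: Failed password for alice@example.com from 203.0.113.7",
    "2018-04-10T09:12:05Z sshd: Failed password for alice@example.com from 203.0.113.7",
    "2018-04-10T09:13:44Z sshd: Accepted publickey for bob@example.com from 198.51.100.22",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class Pseudonymizer:
    """Replace direct identifiers with keyed tokens before telemetry leaves the
    organisation, keeping the token -> original mapping locally."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a 256-bit key from a KMS/HSM, not a password")
        self._key = key
        # Re-identification table. In production this must be encrypted at rest,
        # access-logged, and never shipped together with the masked telemetry.
        self._vault: Dict[str, str] = {}

    def _token(self, kind: str, value: str) -> str:
        # HMAC rather than a bare hash: the IPv4 space is only 2^32 values, so an
        # unkeyed hash of an address could be reversed by simple enumeration.
        mac = hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
        token = f"{kind}-{mac[:16]}"
        self._vault[token] = value
        return token

    def mask_line(self, line: str) -> str:
        # E-mail addresses first, then IPv4 literals; same input -> same token,
        # so correlation across events still works on the masked data.
        line = EMAIL_RE.sub(lambda m: self._token("email", m.group(0)), line)
        return IPV4_RE.sub(lambda m: self._token("ip", m.group(0)), line)

    def mask_lines(self, lines: Iterable[str]) -> List[str]:
        return [self.mask_line(line) for line in lines]

    def unmask(self, token: str, analyst_roles: Set[str]) -> str:
        """Re-identify one token; restricted to the (constructed) incident-responder role."""
        if "incident-responder" not in analyst_roles:
            raise PermissionError("re-identification requires the incident-responder role")
        return self._vault[token]


if __name__ == "__main__":
    p = Pseudonymizer(secrets.token_bytes(32))
    for masked in p.mask_lines(SAMPLE_LOGS):
        print(masked)
```

Two caveats follow from the text: the token table is itself Personal Data, because its existence makes the data pseudonymized rather than anonymous, so it needs the same protection as the raw logs; and it is the secret HMAC key, not the hashing, that stops an outsider from reversing IP tokens by enumerating the address space.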
In summary, don’t forget your security solutions when running DPIAs. Check with vendors about what information they collect and how it is treated. Work closely with your DPOs and legal counsel to plan the best course of action if you find that remediation or some re-design is needed.
The Equifax data breach saga continues to unfold. In September 2017, the company admitted it had suffered significant data loss starting in March of that year. There were likely multiple data theft events over a number of months. At some point in May, they notified a small group of customers but kept mostly quiet. Months later the story went public, after Equifax contacted government officials at the US federal and state level. The numbers and locations of consumers affected by the breach keep growing. As of March 1, 2018, Equifax is reported to have lost control of personally identifiable information on roughly 147 million consumers. Though most of the victims are in the US, Equifax had and lost data on consumers from Argentina to the UK.
Perpetrators made off with data such as names, addresses, Social Security numbers, and in some cases, driver’s license numbers, credit card numbers, and credit dispute files. Much of this is considered highly sensitive PII.
The breach and its effects on consumers are only part of the story. Equifax faces 240 class action lawsuits and legal action from every US state. However, the US Consumer Financial Protection Bureau is not investigating, has issued no subpoenas, and has essentially “put the brakes” on any punitive actions. The US Federal Trade Commission (FTC) can investigate, but its ability to levy fines is limited. On March 14, 2018, the US Securities and Exchange Commission (SEC) brought insider trading charges against one of Equifax’s executives, who exercised his share options and then sold before news of the breach was made public.
Given that Equifax is still profiting, and the stock price seems to have suffered no lasting effects (some financial analysts are predicting the stock price will reach pre-breach levels in a few months), fines are one of the few means of incentivizing good cybersecurity and privacy practices. Aiming for regulatory compliance is considered by most in the field to be the bare minimum that enterprises should strive for with regard to security. A failure to strictly enforce consumer data protection laws, as in the Equifax case so far, may set a precedent, and may allow other custodians of consumers’ personal data to believe that they won’t be prosecuted if they cut corners on cybersecurity and privacy. Weak security and increasing fraud are not good for business in general.
At the end of May 2018, the General Data Protection Regulation (GDPR) comes into effect in the EU. GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a breach and gives officials the ability to fine companies which fail to protect EU person data up to 4% of global annual turnover or €20M, whichever is higher. If an Equifax-like data breach happens in the EU after GDPR takes hold, the results will likely be very different.
Regulators in all jurisdictions must enforce the rules on the books for the good of consumers.
The Facebook data privacy story continues to be in the headlines this week. For many of us in IT, this event is not really a surprise. The sharing of data from social media is not a data breach, it’s a business model. Social media developers make apps (often as quizzes and games) that harvest data in alignment with social networks’ terms of service. By default, these apps can get profile information about the app users and their friends/contacts. There are no granular consent options for users. What gives this story its outrage factor is the onward sharing of Facebook user data from one organization to another, and the political purposes for which the data was used. Facebook now admits that the data of up to 87 million users was used by Cambridge Analytica. If you are a US-based Facebook user, and are curious about how they have categorized your politics, go to Settings | Ads | Your Information | Your Categories | US Politics.
But data made available through unsecured APIs, usually exported in unprotected file formats without fine-grained access controls or DRM, cannot be assumed to be secure in any way. Moreover, the Facebook - Cambridge Analytica incident is probably just the first of many that are as yet unreported. There are thousands of apps and hundreds of thousands of app developers that have had similar access to Facebook and other social media platforms for years.
CNBC reports that Facebook was attempting to acquire health record data from hospitals, but that those plans are on “hiatus” for the moment. Though the story says the data would be anonymized, there is no doubt that unmasked health care records plus social media profile information would be incredibly lucrative for Facebook, health care service providers, pharmaceutical companies, and insurance companies. But again, according to this report, there was no notion of user consent considered.
It is clear that Facebook users across the globe are dissatisfied with the paucity of privacy controls. In many cases, users are opting out by deleting their accounts, since that seems to be the only way at present to limit data sharing. However, the data sharing without user consent problem is endemic to most social networks, telecommunications networks, ISPs, smartphone OSes and apps developers, free email providers, online retailers, and consumer-facing identity providers. They collect information on users and sell it. This is how these “free” services pay for themselves and make a profit. The details of such arrangements are hidden in plain sight in the incomprehensible click-through terms of service and privacy policies that everyone must agree to in order to use the services.
This is certainly not meant to blame the victim. At present, users of most of these services have few if any controls over how their data is used. Even deleting one’s account doesn’t work entirely: a Belgian court ruled against Facebook for collecting information on Belgian citizens who were not even Facebook users.
The rapidly approaching May 25th GDPR effective date will certainly necessitate changes in the data sharing models of social media and all organizations hosting and processing consumer data for EU persons. Many have wondered if GDPR will be aggressively enforced. As a result of this Facebook – Cambridge Analytica incident, EU Justice Commissioner Vera Jourova said “I will take all possible legal measures including the stricter #dataProtection rules and stronger enforcement granted by #GDPR. I expect the companies to take more responsibility when handling our personal data.” We now have the answer to the “Will the EU enforce GDPR?” question.
It is important to note that GDPR does not aim to put a damper on commerce. It only aims to empower consumers by giving them control over what data they share and how it can be used. Where processing relies on consent, GDPR requires that the consent be freely given, specific to each purpose, informed, and unambiguous (consent is one of several lawful bases in Article 6; the others include contract, legal obligation, and legitimate interests). This consent-per-purpose stipulation will require processors of personal data to clearly ask and get permission from users.
Other countries are looking to the GDPR model for revamping their own consumer privacy regulations. We predict that in many jurisdictions, similar laws will come into effect, forcing social networks and consumer-facing companies to change how they do business in more locations.
Even before the Cambridge Analytica story broke, Facebook, Google, and Twitter were under fire for allowing their networks to spread “fake news” in the run-up to the US election cycle. Disengagement was growing, with some outlets reporting 18-24% less time spent on site per user. Users are quickly losing trust in social media platforms for multiple reasons. This impacts commerce as well, in that many businesses such as online retailers rely on “social logins” such as Facebook, Twitter, Google, etc.
To counter their growing trust problems, social network providers must build in better privacy notifications and consent mechanisms. They must increase the integrity of content without compromising free speech.
Facebook and other social media outlets must also communicate these intentions to improve privacy controls and content integrity monitoring to their users. In the Facebook case, it is absolutely paramount to winning back trust. CEO Mark Zuckerberg announced that Facebook is working on GDPR compliance but provided no details. Furthermore, he has agreed to testify before the US Congress, but his unwillingness to personally appear in the UK strengthens a perception that complying with EU data protection regulations is not a top priority for Facebook.
If social network operators cannot adapt in time, they will almost certainly face large fines under GDPR. It is quite possible that the social media industry may be disrupted by new privacy-protecting alternatives, funded by paid subscriptions rather than advertising. The current business model of collecting and selling user data without explicit consent will not last. Time is running out for Facebook and other social network providers to make needed changes.
Just when you thought we had enough variations of IAM, along comes FIAM. Fake digital identities are not new, but they are getting a lot of attention in the press these days. Some fake accounts are very sophisticated and are difficult for automated methods to recognize. Some are built using real photos and stolen identifiers, such as Social Security Numbers or driver’s license numbers. Many of these accounts look like they belong to real people, making it difficult for social media security analysts to flag them for investigation and remove them. With millions of user credentials, passwords, and other PII available on the dark web as a result of the hundreds of publicly acknowledged data breaches, it’s easy for bad actors to create new email addresses, digital identities, and social media profiles.
As we might guess, fake identities are commonly used for fraud and other types of cybercrime. There are many different types of fraudulent use cases, ranging from building impostor identities and attaching to legitimate user assets, to impersonating users to spread disinformation, and for defamation, extortion, catfishing, stalking, trolling, etc. Fake social media accounts were used by St. Petersburg-based Internet Research Agency to disseminate election-influencing propaganda. Individuals associated with these events have been indicted by the US, but won’t face extradition.
Are there legitimate uses for fake accounts? In many cases, social network sites and digital identity providers have policies and terms of service that prohibit the creation of fake accounts. In the US, prosecutors have argued that violating a website’s terms of service also violates the Computer Fraud and Abuse Act (CFAA), although courts have not consistently accepted that reading. Technically then, in certain jurisdictions, creating and using fake accounts may be illegal. It is hard to enforce, and sometimes gets in the way of legitimate activities, such as academic research.
However, it is well-known that law enforcement authorities routinely and extensively use fake digital identities to look for criminals. Police have great success with these methods, but also scoop up data on innocent online bystanders as well. National security and intelligence operatives also employ fake accounts to monitor the activities of individuals and groups they suspect might do something illegal and/or harmful. It’s unlikely that cops and spies have to worry much about being prosecuted for using fake accounts.
A common approach, documented in Frederick Forsyth’s 1971 novel “The Day of the Jackal”, is to use the names and details of dead children. This creates a persona that is very difficult to identify as fraudulent. It is still reported as being in use, and when discovered it causes immense distress to the relatives.
In the private sector, employees of asset repossession companies also use fake accounts to get close to their targets to make it easier for them to repo their cars and other possessions. Wells Fargo has had an ongoing fake account creation scandal, where up to 3.5 million fake accounts were created so that the bank could charge customers more fees. The former case is sneaky and technically illegal, while the latter case is clearly illegal. What are the consequences, for Wells Fargo? They may have suffered a temporary stock price setback and credit downgrade, but their CEO got a raise.
FIAM may sound like a joke, but it is a real thing, complete with technical solutions (using above-board IDaaS and social networks), as well as laws and regulations sort of prohibiting the use of fake accounts. FIAM is at once a regular means of doing business, a means for spying, and an essential technique for executing fraud and other illegal activities. It is a growing concern for those who suffer loss, particularly in the financial sector. It is also now a serious threat to social networks, whose analysts must remove fake accounts as quickly as they pop up, lest they be used to promote disinformation.
At KuppingerCole, cybersecurity and identity management product/service analysis are two of our specialties. As one might assume, one of the main functional areas in vendor products we examine in the course of our research is administrative security. There are many components that make up admin security, but here I want to address weak authentication for management utilities.
Most on-premises and IaaS/PaaS/SaaS security and identity tools allow username and password for administrative authentication. Forget an admin password? Recover it with KBA (Knowledge-based authentication).
Many programs accept other stronger forms of authentication, and this should be the default. Here are some better alternatives:
- Web console protected by existing Web Access Management solution utilizing strong authentication methods
- SAML for SaaS
- Mobile apps (if keys are secured in Secure Enclave, Secure Element, and app runs as Trusted App in Trusted Execution Environment [TEE])
- FIDO UAF Mobile apps
- USB Tokens
- FIDO U2F devices
- Smart Cards
Even OATH TOTP and Mobile Push apps, while having some security issues (one-time codes and push approvals can be phished or relayed in real time), are still better than username/passwords.
Why? Let’s do some threat modeling.
Scenario #1: Suppose you’re an admin for Acme Corporation, and Acme just uses a SaaS CIAM solution to host consumer data. Your CIAM solution is collecting names, email addresses, physical addresses for shipping, purchase history, search history, etc. Your CIAM service is adding value by turning this consumer data into targeted marketing, yielding higher revenues. Until one day a competitor comes along, guesses your admin password, and steals all that business intelligence. Corporate espionage is real - the “Outsider Threat” still exists.
Scenario # 2: Same CIAM SaaS background as #1, but let’s say you have many EU customers. You’ve implemented a top-of-the-line CIAM solution to collect informed consent to comply with GDPR. If a hacker steals customer information and publishes it without user consent, will Acme be subject to GDPR fines? Can deploying username/password authentication be considered doing due diligence?
Scenario # 3: Acme uses a cloud-based management console for endpoint security. This SaaS platform doesn’t support 2FA, only username/password authentication. A malicious actor uses KBA to reset your admin password. Now he or she is able to turn off software updates, edit application whitelists, remove entries from URL blacklists, or uninstall/de-provision endpoint agents from your company’s machines. To cover their tracks, they edit the logs. This would make targeted attacks so much easier.
Upgrading to MFA or risk-adaptive authentication would decrease the likelihood of these attacks succeeding, though better authentication is not a panacea. There is more to cybersecurity than authentication. However, the problem lies in the fact that many security vendors allow password-based authentication to their management consoles. In some cases, it is not only the default but also the only method available. Products or services purporting to enhance security or manage identities should require strong authentication.
The EU’s General Data Protection Regulation (GDPR) will force many changes in technology and processes when it comes into effect in May 2018. We have heard extensively about how companies and other organizations will have to provide capabilities to:
- Collect explicit consent for the use of PII per purpose
- Allow users to revoke previously given consent
- Allow users to export their data
- Comply with users’ requests to delete the data you are storing about them
- Provide an audit trail of consent actions
Software vendors are preparing, particularly those providing solutions for IAM, CIAM, ERP, CRM, PoS, etc., by building in these features if not currently available. These are necessary precursors for GDPR compliance. However, end user organizations have other steps to take, and they should begin now.
GDPR mandates that the controller must notify the Supervisory Authority (SA) within 72 hours of becoming aware of a personal data breach (Article 33); in many organizations the Data Protection Officer (DPO) will coordinate this. Where the breach is likely to result in a high risk to EU persons, for example because their data has been exfiltrated, those individuals must also be notified without undue delay (Article 34). Organizations must begin preparing now how to execute notifications: define responsible personnel, draft the notifications, and plan for remediation.
Consider some recent estimated notification intervals for major data breaches in the US:
- Equifax: 6 weeks to up to 4-5 months
- Deloitte: perhaps 6 months
- SEC: up to 1 year
- Yahoo: the latest revelations after the Verizon acquisition indicate up to 4 years for complete disclosure
The reasons data custodians need to be quick about breach notifications are very clear and very simple:
- The sooner victims are notified, the sooner they can begin to remediate risks. For example, Deloitte’s customers could have begun to assess which of their intellectual property assets were at risk and how to respond earlier.
- Other affected entities can begin to react. In the SEC case, the malefactors had plenty of time to misuse the information and manipulate stock prices and markets.
- Cleanup costs will be lower for the data custodian. Selling stocks after breaches are discovered but prior to notification may be illegal in many jurisdictions.
- It will be better for the data custodian’s reputation in the long run if they quickly disclose and fix the problems. The erosion of Yahoo’s share price prior to purchase is clear evidence here.
Understandably, executives can be reluctant in these matters. But delays give the impression of apathy, incompetence, and even malicious intent on the part of executives attempting to hide or cover up such events. Though GDPR is an EU regulation, it applies directly to companies and organizations outside the EU that process personal data of individuals in the EU. Even for those organizations not subject to GDPR, fast notification of data breaches is highly recommended.
This past weekend we learned that Gigya will be acquired by SAP Hybris. California-based Gigya has been a top vendor in our CIAM Platforms Leadership Compass reports. Gigya offers a pure SaaS CIAM solution, and has one of the largest customer bases in the market. SAP’s Identity solution was previously positioned more as an IDaaS for SAP customers for SAP use cases.
What is most interesting is the pairing of Gigya with SAP Hybris. Hybris is SAP’s marketing tools, analytics, and automation suite. It already has a considerable customer base and big feature set. Gigya is also very strong in this area, with specialties for leveraging consumer data for personalization and more accurate targeted marketing.
This Gigya – SAP transaction is the latest in an active year of CIAM startups, funding rounds, buyouts, and even an IPO. CIAM is the fastest growing segment of the Identity market, and all of the aforementioned activity is evidence that this trend is being recognized and rewarded by investors.
CIAM is an essential component in contemporary business architectures. Consider the following:
- EU GDPR – CIAM solutions collect and retain user consent for compliance
- EU PSD2 – CIAM solutions are significant competitive advantages for banks and financial services providers that implement them; CIAM can also offer strong customer authentication options
- Retail – consumers will shop elsewhere if the user experience is cumbersome
- Digital transformation – IoT and SmartHome gadgets are best managed via consumer identities with strong consumer security and privacy protections
Traditional IAM is also capturing a larger portion of most organizations’ budgets, as the C-Suite begins to understand the importance of cybersecurity and the pivotal function of digital identity within cybersecurity strategies. The lines between IDaaS and CIAM have begun to blur. Traditional IAM vendors have been modifying and rebranding their solutions to meet the changing needs of consumer identity. Some CIAM vendors are offering their services as IDaaS. If SAP chooses to leverage the full CIAM feature set that Gigya has, rather than just integrating the marketing analytics and automation capabilities with Hybris, it will broaden SAP’s reach in the CIAM and IDaaS space.
KuppingerCole will continue to monitor and research the dynamic CIAM market. If CIAM is a trending topic for you, join us at our Consumer Identity World events, in Paris (November 28-29) and Singapore (December 13-14)
Last week we completed the opening dates of the Consumer Identity World Tour in Seattle. To kick off the event, the Kantara Initiative held a one-day workshop to showcase the work that they do. Kantara is an international standards organization which develops technical specifications promoting User Managed Access, Consent Receipt, Identities of Things, and Identity Relationship Management. Kantara is also a Trust Framework Provider approved by the US Federal Government’s Identity, Credential, and Access Management (ICAM) program; it accredits assessors and approves credential service providers (CSPs) at Levels of Assurance 1, 2 and non-PKI Level 3. Kantara will be joining us on our subsequent CIW tour dates.
The CIW conference is all about consumer and customer identities. It is the only conference to focus specifically on the use cases, requirements, and technical solutions in the Consumer Identity and Access Management (CIAM) space. Keynotes were delivered by distinguished guests and our sponsors, including:
- Christian Goy – Behavioral Science Lab
- Ryan Fox – Capital One
- Tim Maiorino – Osborne Clarke
- Jason Keenaghan – IBM
- Katryna Dow – Meeco
- Colin Wallis – Kantara
- Phil Lam – Lam Advisory
- Jason Rose – Gigya
- Steve Tout - VeriClouds
- Heather Flanagan – DIACC
- Allan Foster – ForgeRock
With a looming May 2018 implementation date, the EU General Data Protection Regulation (GDPR) was a subject that bubbled up in many sessions. Though it will be a regulation in the EU, it applies to any company or organization that does business with or processes data of individuals in the EU, including enterprises here in the US. Thus, privacy and consent for use of PII were important conversations: Denise Tayloe of Privo and Lisa Hayes from the Center for Democracy and Technology discussed family management and building-in privacy in their sessions. John Anderson of Facebook, the world’s largest social identity provider, presented on consumer authentication trends.
Many organizations deploy CIAM solutions to gain insights into consumer behavior to create more effective marketing campaigns and increase revenue. Lars Helgeson of Greenrope went into detail on the intersection of CRM, CIAM, and Marketing Automation. The MarTech panel continued the conversation on marketing in CIAM.
On both days, we had many expert panels covering a range of topics within CIAM. One of the things that distinguishes KuppingerCole conferences from others is our use of panel discussions. This format allows conference attendees to hear multiple viewpoints on a subject within a short time, and engages the audience more directly. Delegates and panelists interacted on topics such as:
- Next Generation Authentication for Health Care
- Moving Beyond Passwords
- CIAM Strategies
- The Business Value of Consumer Identity
- Informed Consent
- Security and Privacy
- Mobile Biometrics
- User Experience
- CIAM Case Studies
- Economics of GDPR
- The Risks of Compromised Credentials
- Marketing Technology
Christian Goy, Co-founder & Managing Director of Behavioral Science Lab said about CIW Seattle, "Consumer Identity World Tour is one of those rare events that truly inspires forward thinking in the consumer identity management, privacy and security space. Stirred by thought leaders in the industry, this must-attend event provides invaluable discussions and learning experiences for everyone present."
Katryna Dow, CEO & Founder of Meeco added, “The European regulatory changes are driving major shifts in CIAM, privacy, and consent. These changes represent challenges for global enterprises, including those headquartered in the USA. Enterprises are faced with the choice to either focus on compliance or harness these changes to drive digital transformation and trust based personalization. KuppingerCole is uniquely positioned to bring deep knowledge of the European market to provide strategic insight in North America. Great to see the Consumer Identity World tour kicked off here in Seattle, I hope it will be the first of many USA events”.
Finally, we’d like to thank our platinum sponsors ForgeRock, Gigya, IBM, and VeriClouds; association sponsors Global Platform, Kantara, and Open Identity Exchange; and component sponsors PlainID, Ping Identity, Saviynt, Axiomatics, CloudEntity, Deloitte, and Login Radius.
Authorization is one of the key concepts and processes involved in security, both in the real world as well as the digital world. Many formulations of the definition for authorization exist, and some are context dependent. For IT security purposes, we’ll say authorization is the act of evaluating whether a person, process, or device is allowed to operate on or possess a specific resource, such as data, a program, a computing device, or a cyberphysical object (e.g., a door, a gate, etc.).
The concept of authorization has evolved considerably over the last two decades. No longer must users be directly assigned entitlements to particular resources. Security administrators can provision groups of users or select attributes of users (e.g. employee, contractor of XYZ Corp, etc.) as determinants for access.
For some of the most advanced authorization and access control needs, the OASIS eXtensible Access Control Markup Language (XACML) standard can be utilized. First ratified in 2003, XACML is an example of an Attribute-Based Access Control (ABAC) methodology. XACML is an XML policy language, reference architecture, and request/response protocol. ABAC systems allow administrators to combine specific subject, resource, environmental, and action attributes for access control evaluation. XACML solutions facilitate run-time processing of dynamic and complex authorization scenarios. XACML can be somewhat difficult to deploy, given the complexity of some architectural components and the policy language. Within the last few years, JSON and REST profiles of XACML have been created to make it easier to integrate into modern line-of-business applications.
Just prior to the development of XACML, OASIS debuted Security Assertion Markup Language (SAML). Numerous profiles of SAML exist, but the most common usage is for identity federation. SAML assertions serve as proof of authentication at the domain of origin, which can be trusted by other domains. SAML can also facilitate authorization, in that other attributes about the subject can be added to the signed assertion and used by the relying party in its access decisions. SAML is widely used for federated authentication and limited authorization purposes.
OAuth 2.0 is a lighter weight IETF standard. It takes the access token approach, passing tokens on behalf of authenticated and authorized users, processes, and now even devices. OAuth 2.0 now serves as a framework upon which additional standard are defined, such as Open ID Connect (OIDC) and User Managed Access (UMA). OAuth has become a widely used standard across the web. For example, “social logins”, i.e. using a social network provider for authentication, generally pass OAuth tokens between authorization servers and relying party sites to authorize the subject user. OAuth is a simpler alternative to XACML and SAML, but also is usually considered less secure.
From an identity management perspective, authentication has received the lion’s share of attention over the last several years. The reasons for this are two-fold:
- the weakness of username/password authentication, which has led to many costly data breaches
- proliferation of new authenticators, including 2-factor (2FA), multi-factor (MFA), risk-adaptive techniques, and mobile biometrics
However, in 2017 we have noticed an uptick in industry interest in dynamic authorization technologies that can help meet complicated business and regulatory requirements. As authentication technologies improve and become more commonplace, we predict that more organizations with fine-grained access control needs will begin to look at dedicated authorization solutions. For an in-depth look at dynamic authorization, including guidelines and best practices for the different approaches, see the Advisory Note: Unifying RBAC and ABAC in a Dynamic Authorization Framework.
Organizations that operate in strictly regulated environments find that both MFA / risk-adaptive authentication and dynamic authorization are necessary to achieve compliance. Regulations often mandate 2FA / MFA, e.g. US HSPD-12, NIST 800-63-3, EU PSD2, etc. Regulations occasionally stipulate that certain access subject or business conditions, expressed as attributes, be met as a precursor to granting permission. For example, in export regulations these attributes are commonly the access subject's nationality or licensed company.
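As an added example (not code from this post or from any XACML product), here is a small attribute-based policy decision point in Python whose request is shaped like the XACML JSON profile: subject, resource and action attributes are combined under the deny-overrides algorithm, and the rules encode the export-control conditions mentioned above (access subject nationality and licensed company). The attribute ids, the DRAWING resource and the rules are constructed for illustration.

```python
from typing import Any, Callable, Dict, List, Tuple

# A request in the shape of the XACML JSON profile: one bag of {AttributeId, Value} per category.
Request = Dict[str, Dict[str, List[Dict[str, Any]]]]
Rule = Tuple[str, Callable[[Request], bool]]  # (Effect, applicability test)

def attr(req: Request, category: str, attribute_id: str) -> List[Any]:
    """Collect every value of an attribute in a category; a missing attribute is an empty bag."""
    values: List[Any] = []
    for a in req.get(category, {}).get("Attribute", []):
        if a["AttributeId"] == attribute_id:
            v = a["Value"]
            values.extend(v if isinstance(v, list) else [v])
    return values

def build_request(subject: Dict[str, Any], resource: Dict[str, Any], action: str) -> Request:
    """Package subject, resource and action attributes the way a PEP would send them to the PDP."""
    bag = lambda d: {"Attribute": [{"AttributeId": k, "Value": v} for k, v in d.items()]}
    return {"AccessSubject": bag(subject), "Resource": bag(resource), "Action": bag({"action-id": action})}

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """XACML deny-overrides combining: any applicable Deny wins, then Permit, else NotApplicable."""
    effects = {effect for effect, applies in rules if applies(req)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

# Constructed export-control policy; the attribute ids are hypothetical, not standard XACML identifiers.
EXPORT_POLICY: List[Rule] = [
    # Permit reading when the subject's nationality is on the resource's allowed list.
    ("Permit", lambda r: "read" in attr(r, "Action", "action-id")
               and bool(set(attr(r, "AccessSubject", "subject:nationality"))
                        & set(attr(r, "Resource", "export:allowed-nationality")))),
    # Deny when a license is required and the subject's company holds none for this resource.
    ("Deny", lambda r: True in attr(r, "Resource", "export:license-required")
             and not set(attr(r, "AccessSubject", "subject:company"))
                     & set(attr(r, "Resource", "export:licensed-company"))),
    # Deny when nationality is unknown: a missing attribute fails closed instead of defaulting to Permit.
    ("Deny", lambda r: not attr(r, "AccessSubject", "subject:nationality")),
]

def decide(subject: Dict[str, Any], resource: Dict[str, Any], action: str) -> str:
    """PDP entry point: a PEP treats anything other than Permit as a denial."""
    return deny_overrides(EXPORT_POLICY, build_request(subject, resource, action))

# Constructed sample resource: an export-controlled engineering drawing.
DRAWING = {"export:allowed-nationality": ["US", "CA"], "export:license-required": True,
           "export:licensed-company": ["XYZ Corp"]}
```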
Authorization becomes extremely important at the API level. Consider PSD2: it will require banks and other financial institutions to expose APIs for 3rd party financial processors to utilize. These APIs will have tiered and firewalled access into core banking functions. Banks will of course require authentication from trusted 3rd party financial processors. Moreover, banks will no doubt enforce granular authorization on the use of each API call, per API consumer, and per account. The stakes are high with PSD2, as banks will need to compete more efficiently and protect themselves from a much greater risk of fraud.
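An added example, not part of this post or of any bank's API: per-call authorization for a PSD2-style API in Python, where the scope in an already-validated OAuth 2.0 access token selects the AISP or PISP tier and a constructed consent table enforces the per-consumer, per-account check before any core banking function is reached. Routes, scope names, client ids and account ids are hypothetical.

```python
import time
from typing import Dict, Optional, Set, Tuple

# Tiered API surface: each (method, route) names the OAuth 2.0 scope a TPP needs for it.
# Routes and scope names are hypothetical, not taken from any bank's or standard's API.
ENDPOINT_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/accounts/{id}/balances"): "accounts",       # AISP tier: read-only account information
    ("GET", "/accounts/{id}/transactions"): "accounts",
    ("POST", "/accounts/{id}/payments"): "payments",      # PISP tier: payment initiation
}

def authorize_call(token: Dict[str, object], consents: Dict[Tuple[str, str], Set[str]],
                   method: str, route: str, account_id: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one API call. Returns (allowed, reason).

    token    : claims of an already-validated access token (signature check / introspection done upstream)
    consents : {(client_id, account_id): {scope, ...}} the customer granted to each TPP per account
    """
    now = time.time() if now is None else now
    if float(token.get("exp", 0)) <= now:
        return False, "token expired"
    needed = ENDPOINT_SCOPES.get((method, route))
    if needed is None:
        return False, "unknown endpoint"                 # nothing outside the published tiers is reachable
    client_id = str(token["client_id"])
    if needed not in str(token.get("scope", "")).split():
        return False, f"token lacks scope '{needed}'"    # wrong tier for this TPP's registration
    if needed not in consents.get((client_id, account_id), set()):
        return False, f"no consent for {client_id} on {account_id}"   # per-consumer, per-account check
    return True, f"{client_id} may {method} {route} on {account_id}"

# Constructed consents: one AISP may read acct-100, one PISP may pay from it; nobody may touch acct-200.
CONSENTS: Dict[Tuple[str, str], Set[str]] = {
    ("tpp-aisp-1", "acct-100"): {"accounts"},
    ("tpp-pisp-2", "acct-100"): {"payments"},
}
```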
For more information on authentication and authorization technologies, as well as guidance on preparing for PSD2, please visit the Focus Areas section of our website.
The General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2) are two of the most important and most talked about technical legislative actions to arise in recent years. Both emanate from the European Commission, and both are aimed at consumer protection.
GDPR will bolster personal privacy for EU residents in a number of ways. The GDPR definition of personally identifiable information (PII) includes attributes that were not previously construed as PII, such as account names and email addresses. GDPR will require that data processors obtain clear, unambiguous consent from each user for each use of user data. In the case of PSD2, this means banks and Third-Party Providers (TPPs). TPPs comprise Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). For more information, please see https://www.kuppingercole.com/report/lb72612.
Screen scraping has been practiced for many years, though it is widely known that this method is inherently insecure. In this context, screen scraping is used by TPPs to get access to customer data. Some FinTechs harvest usernames, email addresses, passwords, and account numbers to act on behalf of the users when interacting with banks and other FinTechs. This technique exposes users to additional risks, in that their credentials are more likely to be misused and/or stored in more locations.
PSD2 will mandate the implementation of APIs by banks, for a more regular and safer way for TPPs to get account information and initiate payments. This is a significant step forward in scalability and security. However, the PSD2 Regulatory Technical Standards (RTS) published earlier this year left a screen scraping loophole for financial organizations who have not yet modernized their computing infrastructure to allow more secure access via APIs. The European Banking Authority (EBA) now rejects the presence of this insecure loophole: https://www.finextra.com/newsarticle/30772/eba-rejects-commission-amendments-on-screen-scraping-under-psd2.
KuppingerCole believes that the persistence of the screen scraping exception is bad for security, and therefore ultimately bad for business. The proliferation of TPPs expected after PSD2 along with the attention drawn to this glaring weakness almost ensures that it will be exploited, and perhaps frequently.
Furthermore, screen scraping implies that customer PII is being collected and used by TPPs. This insecure practice, then, by definition goes against the spirit of consumer protection embodied in GDPR and PSD2. Moreover, GDPR calls for the principle of Security by Design, and a screen scraping exemption would contravene that. TPPs can obtain consent for the use of consumer PII, or have it covered contractually, but such a workaround is unnecessary if TPPs utilize PSD2 open banking APIs. An exemption in a directive should not lead to potential violations of a regulation.