Digital Transformation Puts the Spotlight on Privacy (and Security)
As the pandemic evolved and workforces required remote access to the enterprise's most critical systems and data, IT teams were challenged with virtually extending the enterprise's security boundary to wherever the employees were. All of a sudden, the adage that identity is the new perimeter received a new lease on life.
IT security teams are tasked with securing organizations against unauthorized access by threat actors. However, they also need to make sure that only authorized individuals within the organization with a valid and legitimate need can access protected critical information. In certain industry segments this is required in order to conform to corporate information security standards and to meet regulatory compliance requirements.
In the past few years, information privacy (or data privacy) has evolved into a key area of protection for consumers, individuals and organizations, as digital transformation altered the enterprise landscape forever. In North America, initial efforts to define policies for the protection of individuals' privacy were largely centred in Canada with the Privacy by Design initiatives. In the US, privacy was left to policy makers in each individual state, which inherently removed the impetus to create a US privacy framework at the national level. Within the United States, California has taken the lead in this area by passing the California Consumer Privacy Act (CCPA) regulations.
In contrast, the European Union (EU) acted decisively and passed the EU General Data Protection Regulation (GDPR) to protect the rights of EU residents within its borders, with provisions that extend those protections to other geographies whenever non-EU companies want to conduct transactions with EU residents.
Businesses are now held responsible for protecting the personally identifiable information (PII) and other protected information they have collected from customers, contractors, partners, employees and others, and for making sure that individuals can decide how and when their information is used. Individuals were given the right to control the use of data about themselves, what it can be used for, and for how long. Provisions allow individuals to change their mind and ask for their information to be forgotten and not used for any purpose. The fines for violating these rules are steep, in some cases approaching the greater of 2% of the company's annual revenue or €20 million.
Where do information security and data privacy intersect?
Quite understandably, privacy violations and cybersecurity breaches are closely linked. Data from the Verizon DBIR (Data Breach Investigations Report) and the LexisNexis Risk Solutions Cybercrime Report show that protected personal information is the most widely sought-after and most frequently stolen category of data. Cybercrime is the most common route by which personal information is exposed, since personal information is stolen for criminal gain. GDPR and other privacy regulations and standards therefore mandate near-real-time breach reporting, in which affected consumers and the relevant regulatory bodies must be notified of data breaches that have taken place.
Best Practice Advice for Enterprises When it Comes to Privacy
Based on the NIST Privacy Framework and guidance from industry experts, the following recommendations apply to organizations that are in the midst of dealing with privacy-related concerns or requirements:
- Create a function within the company that is responsible for privacy. This can be a function that reaches across Legal, Information Security, IT, Compliance, and customer-facing roles in the enterprise. Designate an executive as the chief privacy officer or equivalent.
- Create and maintain a data governance and classification program. This is an important element in discovering where in the organization protected information resides, which regulations the possession of that data triggers, and what the resulting compliance requirements are. Leveraging the program, IT managers can categorize their systems by criticality and apply focused data and access controls to those systems, ranked by criticality.
- Define who in the organization has access to this data. It is equally important to define for what purpose and for how long access to this data is needed. Many privacy regulations now require corporations to track this information and to make sure access is granted only to those individuals whose roles require them to have it.
- Implement a robust and secure identity and access management solution that works across the enterprise, covering both digital and physical access. With protected personal information being the most widely sought-after information and compromised credentials being the most widely reported origin of data breaches, an accurate, highly secure, yet very usable authentication solution is the real answer.
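As an added illustration of the classification and access-definition recommendations above (example code written for this page, not TruU's product or any code from the original), the script below keeps a small inventory of systems tagged by data classification and a register of access grants that each record a role, a documented purpose and an expiry date. A review pass then flags grants that violate the policy: a role not permitted for that classification, a missing purpose, an expired grant, a grant longer than the classification allows, or a grant to a system missing from the inventory. The policy table, system names, users and dates are all constructed for the example.

```python
"""Access-review check for systems holding protected data (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Roles permitted to hold access, per data classification. "*" means any role.
# This is a constructed policy, not a standard or a product default.
ALLOWED_ROLES = {
    "public": {"*"},
    "internal": {"employee", "contractor"},
    "confidential": {"employee"},
    "pii": {"privacy-officer", "hr-analyst"},  # need-to-know roles only
}

# Longest permitted grant, in days, per classification (constructed values).
MAX_GRANT_DAYS = {"public": 3650, "internal": 365, "confidential": 180, "pii": 90}


@dataclass(frozen=True)
class System:
    name: str
    classification: str  # one of the ALLOWED_ROLES keys


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    system: str
    purpose: str  # why the access is needed; must be recorded
    granted: date
    expires: date


def review_grant(grant, system, today):
    """Return the findings for one grant against the policy; [] means compliant."""
    findings = []
    allowed = ALLOWED_ROLES[system.classification]
    if "*" not in allowed and grant.role not in allowed:
        findings.append(
            f"role '{grant.role}' not permitted on {system.classification} system '{system.name}'"
        )
    if not grant.purpose.strip():
        findings.append("no documented purpose")
    if grant.expires <= today:
        findings.append(f"expired on {grant.expires.isoformat()}")
    if (grant.expires - grant.granted).days > MAX_GRANT_DAYS[system.classification]:
        findings.append("grant duration exceeds policy maximum")
    return findings


def run_review(systems, grants, today):
    """Map (user, system) to its findings for every non-compliant grant."""
    inventory = {s.name: s for s in systems}
    report = {}
    for g in grants:
        system = inventory.get(g.system)
        if system is None:
            # Access to a system nobody classified is itself a governance gap.
            report[(g.user, g.system)] = ["system not in inventory"]
            continue
        findings = review_grant(g, system, today)
        if findings:
            report[(g.user, g.system)] = findings
    return report


# Constructed sample inventory and grant register.
SYSTEMS = [
    System("hr-db", "pii"),
    System("wiki", "internal"),
    System("payroll", "pii"),
]
GRANTS = [
    Grant("alice", "hr-analyst", "hr-db", "quarterly benefits audit",
          date(2024, 1, 1), date(2024, 3, 31)),  # compliant: allowed role, 90 days
    Grant("bob", "contractor", "hr-db", "data migration",
          date(2024, 1, 1), date(2024, 2, 1)),   # wrong role for PII and expired
    Grant("carol", "employee", "wiki", "",
          date(2023, 6, 1), date(2024, 5, 31)),  # no purpose recorded
    Grant("dave", "hr-analyst", "crm", "lead export",
          date(2024, 2, 1), date(2024, 3, 1)),   # "crm" was never classified
]
TODAY = date(2024, 2, 15)


def example_report():
    """Run the review over the constructed sample data."""
    return run_review(SYSTEMS, GRANTS, TODAY)


if __name__ == "__main__":
    for (user, system), findings in sorted(example_report().items()):
        print(f"{user} on {system}:")
        for f in findings:
            print(f"  - {f}")
```

Running the script lists three non-compliant grants (bob, carol and dave) and nothing for alice, whose grant has a permitted role, a recorded purpose and a duration within the PII limit. In practice the grant register would come from the IAM system's entitlement export and the inventory from the classification program, with the review scheduled so that expired or purpose-less grants are revoked rather than merely reported.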
Selecting the Right Identity and Authentication Solution to Protect Privacy
Protecting data privacy for individuals means putting extra systems and controls in place. Organizations face the ever-increasing risk of their systems being breached, their data being stolen, and their reputation being damaged. Industry experts have shown time and time again that the overwhelming majority of these breaches involve compromised credentials, resulting in account takeover attacks or credential abuse.
Enterprise customers have been telling us they want one cohesive solution that genuinely removes passwords from all the access events in their workplace. Enterprises need to deliver secure remote access for employees working from home while planning for a possible phased return to working onsite. The reality of increased attacks during this period means that organizations cannot rely on half-way security solutions that protect only part of the workforce or only part of the infrastructure they rely on.
Enterprises initially addressed authentication challenges by implementing single sign-on (SSO) solutions, later augmented with multi-factor authentication (MFA). User adoption is critical for any security solution to work effectively, and over time feedback from users, particularly during the pandemic, showed that MFA solutions were tedious and hard to use. Having to deal with an extra hardware device such as a physical token, or receiving many push notifications on their mobile phones every time they accessed resources, created too much friction and led to a poor user experience.
TruU delivers a cloud-based unified identity and access management platform that eliminates the risk of data breach and maintains privacy by completely eliminating passwords for staff to access their work systems. We offer unique passwordless identity through adaptive MFA built on biometrics and behavioral identity that unifies access to physical and digital resources across the enterprise.
Benefits of Deploying TruU Passwordless Authentication in Privacy Sensitive Enterprises
There are some distinct advantages to using the right passwordless authentication solution. Making identity a part of authentication is key. Authorizing someone to access data based on validating that their identity is genuine is the most effective way to eliminate compromised credentials. Doing that while eliminating passwords can completely mitigate the threat of a data breach that leads to exposed personal data.
The TruU Passwordless Authentication Platform delivers the following benefits:
- Presence based on proximity and other identity-validating factors delivers a passwordless authentication experience.
- Eliminates the use of passwords to access all systems and endpoints across the enterprise, delivering a unified experience and a higher likelihood of adoption.
- A sophisticated AI- and ML-based risk engine delivers continuous validation of identity while accepting risk signals from the immediate surroundings, to make the most accurate authentication and authorization decisions when granting access to systems and applications containing PII.
- Enterprise-class approval workflows and notifications enforce role-based access authorizations that make sure only those with a need to know can access PII records.
For more information on TruU’s Passwordless Authentication platform or to request a demo visit