IoT and regulatory compliance: The value in a contextual perimeter

Next year, the European Union’s General Data Protection Regulation (GDPR) takes effect. While recent research from the Ponemon Institute indicates that 67% of organizations are aware of GDPR, many organizations worry that they are not prepared. In that same research, 74% of organizations indicate that GDPR will have a significant negative impact on them. And it is not just GDPR: 74% of organizations also indicate that any type of compliance mandate on critical infrastructure protection will have a significant negative impact.

Part of this worry is attributed to the changing ways in which users expect access. Fifty-five percent of organizations say that, of all the age groups, Millennials represent the biggest risk to sensitive and confidential data in the workplace. When asked why, the most common answer was usage of unapproved apps and devices in the workplace. All of this leads to potential difficulties in ensuring not only compliance with GDPR, but compliance with any regulatory measure that focuses on data privacy and data security. Security and privacy requirements may differ depending on local regulations, which creates challenges for large global organizations in crafting security and access policies that span every region they operate in. But there are commonalities in how sensitive data can be protected. Whether we are talking GDPR (which focuses on EU residents’ personal data) or HIPAA (which focuses on securing patient data in the United States), a theme common to the variety of regional compliance regulations is a focus on who can see data, where the data can be seen, and where the data can and should go.

Is this something that the internet of things can assist with? Often people frame the conversation of IoT and compliance more along the lines of the security risks of IoT, whether it is the risk of new device types accessing and sharing data in a non-compliant manner or the potential for IoT devices to introduce new backdoors to your network to allow theft of compliance-governed data. These are legitimate concerns, something I have talked about before in terms of the evolving options for securing IoT in the enterprise.

However, IoT can also serve as a strong component of your overall strategy for ensuring compliance with privacy regulations. It can do this by providing a mechanism for collecting more contextual information about users and what users are accessing. This is not a new requirement; it fits into the evolution of network security. For example, think back to the days of network firewalls and fixed network perimeters. Access then was mainly focused on the “who” (user identity), and that was about it.

With BYOD and with remote access needs to accommodate things like telecommuting, the fixed network perimeter needed to evolve to become more flexible. This led to the access model evolving to be a combination of the “who” and then adding in the “what” (what device are you using for access). From there, access models built with risk profiles were formed, which essentially asked “why” does the user need access based on the “who” and the “what.” See Google’s BeyondCorp for a good description of this approach. What this model does is start to insert context into the access equation by asking for more information than just who the user is, but adding in how much we trust the device they are using.

With IoT, the security perimeter is moving much closer to the applications themselves, as the rapid growth of things and devices accessing and exchanging information makes it even more challenging to defend a fixed network perimeter. But at the same time, these same things and devices can also provide useful mechanisms for capturing valuable contextual information about access. This information can help ensure that access is granted not only to authorized users based on who the user is, but also expands the concept of authorization to cover user location and user activities. This information can also help in classifying data according to compliance requirements, better segmenting which data should be considered personal and protected. What you start to see is a concept of a “contextual perimeter” protecting your apps and data, with access across that perimeter based on a trust model expanded to the five W’s: “who” needs access, “what” devices are they using and “what” applications and data are they accessing, “where” are they when they attempt access, “when” do they need access and then, based on their role, “why” do they need access.

Just think of the value of this contextual information with regulatory compliance. Imagine a medical doctor entering a patient space. You know they are entering the space because of a combination of user authentication along with the doctor’s phone interacting with smart devices. You know the patient is in the room because the phone queried the doctor’s schedule in order to preload the patient record to a secure terminal in the patient space, or the patient wristband contained information that identified the patient to the room. You know when the doctor leaves the room and when a nurse enters the room, automatically changing the view of the patient data to the intended audience based on workflows that integrate with the medical record and smart devices in the room.

By controlling access beyond just user identity, you can help keep users from inadvertently violating compliance rules, as well as help ensure that data that moves throughout the organization does so in a compliant and secure manner. In the example above, you can help ensure that the patient’s record, protected by a variety of different compliance regulations around the world, is controlled based on who can see it, and when and where they need to see it.
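To make the five W’s and the patient-room scenario above concrete, here is an added example (not code from the original post) of a small contextual access policy: a request to view a patient record is allowed only when the user’s role, device trust, room presence (as reported by badge readers or phone beacons), shift time and stated purpose all check out, and the role decides which fields of the record are shown. All names, room ids, device ids and shift times are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample context (hypothetical names and ids, not from the article).
# PRESENCE: who the room's badge readers and phone beacons currently see (the "where").
PRESENCE = {"room-12": {"dr.smith", "nurse.lee"}}
# DEVICE_TRUST: managed vs. unmanaged device, from device management (the "what").
DEVICE_TRUST = {"phone-42": "managed", "tablet-9": "unmanaged"}
# ROLE_VIEW: the role-based "why" decides which record fields are shown.
ROLE_VIEW = {"doctor": {"name", "diagnosis", "medications", "notes"},
             "nurse": {"name", "medications"}}
# SHIFT: the "when"; the nurse's shift wraps past midnight.
SHIFT = {"dr.smith": (time(7), time(19)), "nurse.lee": (time(19), time(7))}

@dataclass
class Request:
    who: str
    role: str
    device: str
    where: str        # room the request is made from
    when: datetime
    purpose: str      # e.g. "treatment"

def request(who, role, device, where, when_iso, purpose):
    return Request(who, role, device, where, datetime.fromisoformat(when_iso), purpose)

def on_shift(user, when):
    start, end = SHIFT[user]
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # overnight shift

def evaluate(req, patient_room):
    """Return (allowed, visible_fields, reasons); every W must check out."""
    reasons = []
    if req.role not in ROLE_VIEW:
        reasons.append("unknown role")
    if DEVICE_TRUST.get(req.device) != "managed":
        reasons.append("device not managed")
    if req.where != patient_room or req.who not in PRESENCE.get(patient_room, ()):
        reasons.append("user not present in patient room")
    if req.who not in SHIFT or not on_shift(req.who, req.when):
        reasons.append("outside scheduled shift")
    if req.purpose != "treatment":
        reasons.append("purpose not permitted")
    if reasons:
        return False, set(), reasons
    return True, ROLE_VIEW[req.role], ["all context checks passed"]
```

The reasons list is what you would log for the compliance-based risk analysis described below: each denial records which contextual check failed rather than just that access was refused.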

Additionally, and possibly more importantly, there is an associated big data opportunity tied to this. Capturing user context can provide a wealth of information for organizations conducting compliance-based risk analysis. This information can be used to better evaluate how sensitive data flows throughout the organization and to design workflows with compliance and security in mind. Correlating access events across multiple applications and physical systems like badge readers, together with knowledge of user location, may help identify unknown compliance or privacy issues that can be easily rectified, perhaps through automation, user education, or both.

GDPR has the potential to be very disruptive to organizations, and the data reinforces that. According to the Ponemon Institute study, 74% of respondents say GDPR will have a significant and negative impact on business operations, and 65% are worried about new penalties of up to 100 million euros or 2-4% of annual worldwide revenue. Yet in many ways we are better prepared than ever before to protect sensitive data because of the contextual information available about users, devices and the data itself. While BYOD and IoT have contributed to the overall negative hype around regulatory compliance (because in many ways they have made data available anywhere), they also provide the means to better protect sensitive data: they can collect information about the who, what, where, when and why of data access, and that information can be instrumental in creating a contextual perimeter for your data, and for your organization.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.