Identity Management · 2017-09-25
Society for International Affairs
IDENTITY MANAGEMENT
1:30-2:00PM
Waqas Shahid
Ankura Consulting
SIA PROPRIETARY
AGENDA
What is Identity Management?
Identity Management and Export Controls
Required Attributes
Verification
Usage
Best Practices
GDPR Is Coming!
http://SIA.socialqa.com
WHAT IS IDENTITY MANAGEMENT?
The IT security area concerned with granting the right individuals access to the right information at the right time
Concerned with creating digital identities for real world entities through a set of identifiers & attributes
ISO/IEC 24760-1: “processes and policies involved in managing the lifecycle and value, type and optional metadata of attributes in identities known in a particular domain.”
INTERSECTION OF IDENTITY MANAGEMENT AND EXPORT CONTROLS
Identity management comes into play if/when you grant anyone access to a system with export-controlled tech data or technology
Use identity management attributes to permit/deny access and exports
22 CFR §120.17 Export.
(a) Except as set forth in §126.16 or §126.17, export means:
(1) An actual shipment or transmission out of the United States, including the sending or taking of a defense article out of the United States in any manner;
(2) Releasing or otherwise transferring technical data to a foreign person in the United States (a “deemed export”);
. . .
(b) Any release in the United States of technical data to a foreign person is deemed to be an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency.
Physical Location
U.S. Person Status
Nationalities
DIGGING DEEPER – FOREIGN PERSON
22 CFR §120.16 Foreign person.
Foreign person means any natural person who is not a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is not a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any foreign corporation, business association, partnership, trust, society or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments and any agency or subdivision of foreign governments (e.g., diplomatic missions)
Individual’s U.S. Person Status
Individual’s Nationalities
Employer
Employer’s Country of Organization
IDM ATTRIBUTES FOR EXPORT CONTROL
Physical Location
• Country where individual is currently located (use standard ISO alpha2/3 codes)
Individual – U.S. Person Status
• Boolean - U.S. citizen, permanent resident, asylee, etc.?
Individual – Nationalities
• Array of countries (ISO codes) where person has citizenship or permanent residency
Individual – Employer
• Name of individual’s employer
Employer – U.S. Person Status
• Boolean – Employer organized within the U.S.?
Employer – Nationality
• Country where employer is organized
Access List
• If not U.S. person, what can person access?
VERIFICATION
Verify user provided information!
Three-step access process:
1. User provides required information
2. Someone verifies the information through documentation
3. User granted access to system/network
Relatively easy for your own employees. Typically HR or Security verifies.
Beware of delegating verification for non-employees outside the company!
HOW TO USE THE ATTRIBUTES
Use attributes to:
1. Generally permit/deny access to systems / tech data in systems
2. Granularly control access to specific tech data
[Diagram: Physical Location; Individual – U.S. Person Status; Employer – U.S. Person Status; Allow Access?]
[Diagram: Individual – Nationalities; Employer Country of Organization; Access List; Allow Access?]
USAGE
Approach 1: All or Nothing (“Compliance by Denial”)
[Diagram: a user (In U.S.; U.S. Citizen; Acme US) and a user (In Germany; Not U.S. Person; Acme GmbH), each shown against Non Tech Data and Tech Data]
USAGE
Approach 2: Partitioned Access
[Diagram: a user (In Germany; Not U.S. Person; Acme GmbH) shown against Non Tech Data and Tech Data]
Approach 3: Container Access
[Diagram: a user (In Germany; Not U.S. Person; Acme GmbH) shown against Non Tech Data and Tech Data, with an Access List]
USAGE
Approach 4: Dynamic Access
[Diagram labels: Personal Attributes; Content Attributes; Export Authorization DB & Attributes; AUTOMATED ACCESS DECISION; Access; Non Tech Data; Tech Data]
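The four approaches above as one attribute-based decision function, an added example that is not from the original slides. The field names, the sample users and resources, and the exact rule each approach applies are assumptions based on the slide labels; the Approach 4 check follows the quoted §120.17(b) language that a release counts as an export to every country of citizenship or permanent residency.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:                       # field names are assumptions; attributes are the slides'
    verified: bool                    # verification step completed against documentation
    location: str                     # ISO alpha-2 country of current physical location
    us_person: bool                   # individual: U.S. person status
    nationalities: frozenset          # ISO codes: citizenship / permanent residency
    employer_us_person: bool          # employer organized within the U.S.?
    employer_country: str             # ISO code where the employer is organized
    access_list: frozenset = frozenset()   # containers a non-U.S. person may open

@dataclass(frozen=True)
class Resource:
    tech_data: bool                   # export-controlled technical data?
    container: Optional[str] = None   # container tag (approach 3)
    authorized: frozenset = frozenset()    # countries an export authorization covers

def unrestricted(who: Identity) -> bool:
    """Assumed rule: physically in the U.S., a U.S. person, at a U.S. employer."""
    return who.location == "US" and who.us_person and who.employer_us_person

def allow(who: Identity, what: Resource, approach: int) -> bool:
    if approach not in (1, 2, 3, 4):
        raise ValueError("approach must be 1-4")
    if not who.verified:
        return False                  # fail closed on unverified attributes
    if unrestricted(who):
        return True
    if approach == 1:
        return False                  # all or nothing: no access to the system at all
    if not what.tech_data:
        return True                   # approaches 2-4: non tech data stays reachable
    if approach == 2:
        return False                  # partitioned: tech data side is closed
    if approach == 3:                 # container: only containers on the access list
        return what.container is not None and what.container in who.access_list
    # Approach 4 (assumed logic): location, employer country and every nationality
    # must be covered by the item's export authorization.
    countries = (who.nationalities | {who.location, who.employer_country}) - {"US"}
    return countries <= what.authorized

# Constructed sample data modelled on the two users in the slides' diagrams.
US_USER = Identity(True, "US", True, frozenset({"US"}), True, "US")
DE_USER = Identity(True, "DE", False, frozenset({"DE", "FR"}), False, "DE",
                   access_list=frozenset({"program-a"}))
MANUAL = Resource(tech_data=False)
DRAWING = Resource(tech_data=True, container="program-a", authorized=frozenset({"DE"}))
```

With the sample data, `DE_USER` reaches `DRAWING` under Approach 3 through the access list but is refused under Approach 4, because the second nationality is not covered by the item's authorization.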
BEST PRACTICES
• If you can, go with Approach 1 or 2 – minimizes attributes
• If you have to do Approach 3, have a good Data Governance framework in place, including tagging/marking of tech data + container framework
• Centralize verification of identity – don’t have multiple teams doing it; destroy original documents once attributes verified
• Restrict access to information stored in attributes; have change management procedures
• Verify identity information periodically; it can change
• Verify employment information; require company emails and periodically ping
• Regularly deactivate dormant and unverified identities
• Screen for IP addresses from sanctioned countries
EU General Data Protection Regulation (GDPR)
• Protects privacy and personal data of EU data subjects. Adopted by European Parliament in April 2016. Goes into effect May 2018
• "Personal data" means any information relating to an identified or identifiable natural person
• In addition to EU companies, also applies to companies outside of the EU that offer goods or services to, or monitor behavior of, EU data subjects (even if free)
• Steep penalties for non-compliance – higher of €20M or 4% of global annual turnover
• Requires companies to minimize data collection and retention, gain consent from consumers when processing data, and only use data for specified purpose
• Permits personal data transfers to country outside the EU, subject to compliance with set conditions, including conditions for onward transfer, AND if recipient country provides an “adequate” level of personal data protection. The U.S. does NOT provide adequate level of data protection
• Bottom line – GDPR imposes tough requirements if you collect data from EU data subjects
EU-US PRIVACY SHIELD FRAMEWORK
• Opt-in framework created to allow U.S. companies to handle EU data subjects’ personal data in compliance with GDPR. European Commission blessed it in July 2016
• Administered by the International Trade Administration with the U.S. Department of Commerce
• To take advantage of the Privacy Shield, U.S.-based organizations must self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements
• Framework consists of seven core principles and 16 binding supplemental principles
• In essence, requires companies to adopt a very strong data governance and privacy program
EU-US PRIVACY SHIELD FRAMEWORK – CORE PRINCIPLES
1. Notice
• Must provide thorough notice to individuals, covering 13 separate points, including information about type of data collected, purpose, third-party sharing, individual rights, commitment to Privacy Shield principles, etc.
2. Choice
• Must allow individuals to opt-out of disclosure of personal information to third party or usage for purpose other than originally collected. Need affirmative consent for sharing with third party for certain types of information.
3. Accountability for Onward Transfer
• If utilizing a 3rd party Data Processor, have to comply with notice and choice provisions AND have contractual safeguards for the data.
4. Security
• Must take reasonable and appropriate steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction
5. Data Integrity and Purpose Limitation
• Personal information must be limited to the information that is relevant for the purposes of processing.
6. Access
• Individuals must have access to personal information about them that an organization holds. Must be able to correct, amend, delete.
7. Recourse, Enforcement & Liability
• Must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.
WHAT SHOULD YOU DO?
• If you are asking this question just now . . . MAY 2018. GET HELP NOW!
• Assess yourself. Are you collecting EU persons’ data? Do you really need to?
• If Yes and Yes, get your ducks lined up:
• Implement required data governance framework
• Review what data you’re collecting for system/tech data access. Get rid of everything you don’t need
• Review data retention and destruction procedures
• Sign up for the EU-US Privacy Shield
• GET HELP!