Identity Management · 2017-09-25 · Identity management comes into play if/when you grant anyone...

Society for International Affairs · IDENTITY MANAGEMENT · 1:30-2:00PM · Waqas Shahid, Ankura Consulting

Posted on 26-Jun-2020

Page 1

Society for International Affairs

IDENTITY MANAGEMENT, 1:30-2:00PM

Waqas Shahid, Ankura Consulting

Page 2

SIA PROPRIETARY

AGENDA

What is Identity Management?

Identity Management and Export Controls

Required Attributes

Verification

Usage

Best Practices

GDPR Is Coming!

http://SIA.socialqa.com

Page 3

WHAT IS IDENTITY MANAGEMENT?

The IT security area concerned with granting the right individuals access to the right information at the right time

Concerned with creating digital identities for real-world entities through a set of identifiers & attributes

ISO/IEC 24760-1: “processes and policies involved in managing the lifecycle and value, type and optional metadata of attributes in identities known in a particular domain.”

Page 4

INTERSECTION OF IDENTITY MANAGEMENT AND EXPORT CONTROLS

Identity management comes into play if/when you grant anyone access to a system with export-controlled tech data or technology

Use identity management attributes to permit/deny access and exports

22 CFR §120.17 Export.

(a) Except as set forth in §126.16 or §126.17, export means:

(1) An actual shipment or transmission out of the United States, including the sending or taking of a defense article out of the United States in any manner;

(2) Releasing or otherwise transferring technical data to a foreign person in the United States (a “deemed export”);

. . .

(b) Any release in the United States of technical data to a foreign person is deemed to be an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency.

Attributes highlighted on the slide: Physical Location, U.S. Person Status, Nationalities

Page 5

DIGGING DEEPER – FOREIGN PERSON

22 CFR §120.16 Foreign person.

Foreign person means any natural person who is not a lawful permanent resident as defined by 8 U.S.C. 1101(a)(20) or who is not a protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any foreign corporation, business association, partnership, trust, society or any other entity or group that is not incorporated or organized to do business in the United States, as well as international organizations, foreign governments and any agency or subdivision of foreign governments (e.g., diplomatic missions)

Attributes highlighted on the slide: Individual’s U.S. Person Status, Individual’s Nationalities, Employer, Employer’s Country of Organization

Page 6

IDM ATTRIBUTES FOR EXPORT CONTROL

• Physical Location: country where individual is currently located (use standard ISO alpha-2/3 codes)

• Individual – U.S. Person Status: Boolean. U.S. citizen, permanent resident, asylee, etc.?

• Individual – Nationalities: array of countries (ISO codes) where person has citizenship or permanent residency

• Individual – Employer: name of individual’s employer

• Employer – U.S. Person Status: Boolean. Employer organized within the U.S.?

• Employer – Nationality: country where employer is organized

• Access List: if not U.S. person, what can person access?

Page 7

VERIFICATION

Verify user-provided information!

Three-step access process:

1. User provides required information

2. Someone verifies the information through documentation

3. User granted access to system/network

Relatively easy for your own employees. Typically HR or Security verifies.

Beware of delegating verification for non-employees outside the company!

Page 8

HOW TO USE THE ATTRIBUTES

Use attributes to:

1. Generally permit/deny access to systems / tech data in systems

2. Granularly control access to specific tech data

Decision flows shown on the slide:

Physical Location + Individual – U.S. Person Status + Employer – U.S. Person Status → Allow Access?

Individual – Nationalities + Employer Country of Organization + Access List → Allow Access?

Page 9

USAGE

Approach 1: All or Nothing (“Compliance by Denial”)

Diagram: two users, each shown against Not Tech Data and Tech Data. User A: In U.S., U.S. Citizen, Acme US. User B: In Germany, Not U.S. Person, Acme GmbH.

Page 10

USAGE

Approach 2: Partitioned Access

Diagram: user In Germany, Not U.S. Person, Acme GmbH, shown against Non Tech Data and Tech Data.

Approach 3: Container Access

Diagram: the same user, shown against Non Tech Data and Tech Data, with an Access List.

Page 11

USAGE

Approach 4: Dynamic Access

Diagram: Non Tech Data and Tech Data (two panels). Inputs to the AUTOMATED ACCESS DECISION: Export Authorization DB & Attributes, Content Attributes, Personal Attributes. Output: Access.
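The attribute set of slide 6 and the four approaches of slides 9 to 11 are easiest to compare as a single access-decision function. The following is an added example written for this page, not code from the slides or from SIA or Ankura. The identities, contents, container names and authorized-country sets are constructed sample values; the "U.S. context" gate (all three U.S. attributes true), the assumed schema of the export-authorization record, and the inclusion of the employer's country among the deemed-export countries are modelling assumptions.

```python
"""Attribute-based access decisions for export-controlled tech data.

Added example for this page (not from the SIA slides). Models the IdM
attributes of slide 6 and the four usage approaches of slides 9-11.
Country codes are ISO 3166-1 alpha-2; all sample values are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple

US = "US"


class Approach(Enum):
    ALL_OR_NOTHING = 1  # slide 9: non-U.S. context gets nothing, not even non-tech data
    PARTITIONED = 2     # slide 10: tech data sits in a U.S.-only partition
    CONTAINER = 3       # slide 10: tech data in containers opened by an access list
    DYNAMIC = 4         # slide 11: per-content decision from authorization + attributes


@dataclass(frozen=True)
class Identity:
    """Personal attributes of slide 6; us_person covers citizen, permanent resident, asylee, ..."""
    user_id: str
    location: str                  # country where the individual is currently located
    us_person: bool
    nationalities: FrozenSet[str]  # citizenship or permanent residency
    employer: str
    employer_us_person: bool       # employer organized within the U.S.?
    employer_country: str
    access_list: FrozenSet[str] = frozenset()  # containers a non-U.S. person may open


@dataclass(frozen=True)
class Content:
    """Content attributes plus the export-authorization record (assumed schema)."""
    content_id: str
    tech_data: bool
    container: Optional[str] = None
    authorized_countries: FrozenSet[str] = frozenset()  # countries a license permits release to


def us_context(ident: Identity) -> bool:
    """General gate of slide 8 (assumption): location, individual and employer status all U.S."""
    return ident.location == US and ident.us_person and ident.employer_us_person


def deemed_export_countries(ident: Identity) -> FrozenSet[str]:
    """Countries a release to this identity counts as an export to.

    22 CFR 120.17(a)(1): transmission out of the U.S., so the current location.
    22 CFR 120.17(b): release to a foreign person, so every country of
    citizenship or permanent residency. Employer country is added as a
    modelling assumption (slide 8 uses it in the granular flow).
    """
    return frozenset(ident.nationalities | {ident.location, ident.employer_country}) - {US}


def decide(ident: Identity, content: Content, approach: Approach) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is meant to be written to the audit log."""
    if approach is Approach.ALL_OR_NOTHING:
        if us_context(ident):
            return True, "U.S. context"
        return False, "not U.S. context: whole system denied"
    if not content.tech_data:
        return True, "non-tech data"
    if us_context(ident):
        return True, "U.S. context"
    if approach is Approach.PARTITIONED:
        return False, "tech-data partition is U.S.-only"
    if approach is Approach.CONTAINER:
        # Assumption: the access list is only populated under a valid export authorization.
        if content.container is not None and content.container in ident.access_list:
            return True, "access list grants container %s" % content.container
        return False, "container not on access list"
    needed = deemed_export_countries(ident)          # Approach.DYNAMIC
    missing = needed - content.authorized_countries
    if not missing:
        return True, "export authorized for %s" % sorted(needed)
    return False, "no export authorization for %s" % sorted(missing)


# Constructed sample identities and contents (not real people, firms or programs)
ALICE = Identity("alice", "US", True, frozenset({"US"}), "Acme US", True, "US")
BRUNO = Identity("bruno", "DE", False, frozenset({"DE"}), "Acme GmbH", False, "DE",
                 frozenset({"proj-falcon"}))
CAROL = Identity("carol", "DE", True, frozenset({"US"}), "Acme US", True, "US")       # U.S. person abroad
DORA = Identity("dora", "US", False, frozenset({"DE", "FR"}), "Acme US", True, "US")  # dual national in the U.S.
MEMO = Content("memo-1", tech_data=False)
FALCON = Content("falcon-spec", True, "proj-falcon", frozenset({"DE"}))  # licensed for Germany only
EAGLE = Content("eagle-spec", True, "proj-eagle")                       # no export authorization


def matrix() -> Dict[Tuple[str, str, str], bool]:
    """Allowed/denied for every sample identity, content and approach."""
    return {(i.user_id, c.content_id, a.name): decide(i, c, a)[0]
            for i in (ALICE, BRUNO, CAROL, DORA)
            for c in (MEMO, FALCON, EAGLE)
            for a in Approach}
```

Two rows of the matrix show why the attributes of slide 6 have to be arrays and booleans rather than a single "foreign" flag: Dora, physically in the U.S. and working for a U.S. employer, is still denied the Germany-only licensed content under Approach 4 because her French nationality makes the release a deemed export to France as well; Carol, a U.S. citizen of a U.S. employer, is denied the whole system under Approach 1 simply because she is logging in from Germany.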

Page 12

BEST PRACTICES

• If you can, go with Approach 1 or 2 – minimizes attributes

• If you have to do Approach 3, have a good Data Governance framework in place, including tagging/marking of tech data + container framework

• Centralize verification of identity – don’t have multiple teams doing it; destroy original documents once attributes verified

• Restrict access to information stored in attributes; have change management procedures

• Verify identity information periodically; it can change

• Verify employment information; require company emails and periodically ping

• Regularly deactivate dormant and unverified identities

• Screen for IP addresses from sanctioned countries
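The last four best practices are all checks that can run on a schedule over the identity store. The following is an added example written for this page, not code from the slides or from SIA or Ankura: it applies the periodic re-verification, company-email, dormancy and sanctioned-IP checks to constructed records. The review date, the thresholds (365 days for re-verification, 90 days for dormancy), the country code "XX" and its IP range are placeholders; a real deployment would take the thresholds from policy and the IP-to-country table from a sanctions screening source.

```python
"""Periodic identity hygiene checks for an export-control IdM store.

Added example for this page (not from the SIA slides). Implements the
re-verification, employment-email, dormancy and sanctioned-IP checks of
slide 12 over constructed records. Thresholds and the IP-to-country table
are placeholders to be replaced with your own policy and screening data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

REVERIFY_AFTER = timedelta(days=365)  # assumed policy: re-check documentation yearly
DORMANT_AFTER = timedelta(days=90)    # assumed policy: no login for 90 days counts as dormant
REVIEW_DATE = date(2017, 9, 25)       # constructed review date for the sample run

# Placeholder mapping of sanctioned-country codes to IP ranges. "XX" is not a
# real country and 203.0.113.0/24 is an RFC 5737 documentation network, used
# only so the example runs offline.
SANCTIONED_RANGES = {"XX": [ip_network("203.0.113.0/24")]}


@dataclass(frozen=True)
class IdentityRecord:
    user_id: str
    email: str
    employer_domain: str         # domain the employer uses for company mail
    verified_on: Optional[date]  # when HR/Security last verified documentation; None = never
    last_login: Optional[date]
    last_ip: Optional[str]


def sanctioned_country(ip: str) -> Optional[str]:
    """Return the sanctioned-country code whose range contains ip, else None."""
    addr = ip_address(ip)
    for code, ranges in SANCTIONED_RANGES.items():
        if any(addr in net for net in ranges):
            return code
    return None


def review(rec: IdentityRecord, today: date = REVIEW_DATE) -> List[str]:
    """Findings for one record, each prefixed with the action it calls for."""
    findings: List[str] = []
    if rec.verified_on is None:
        findings.append("deactivate: identity never verified through documentation")
    elif today - rec.verified_on > REVERIFY_AFTER:
        findings.append("reverify: attributes last verified on %s" % rec.verified_on)
    domain = rec.email.rsplit("@", 1)[-1].lower()
    if domain != rec.employer_domain.lower():
        findings.append("reverify: email domain %s does not match employer" % domain)
    if rec.last_login is None or today - rec.last_login > DORMANT_AFTER:
        findings.append("deactivate: dormant")
    if rec.last_ip is not None:
        code = sanctioned_country(rec.last_ip)
        if code is not None:
            findings.append("review: last login from sanctioned country %s" % code)
    return findings


# Constructed sample records; 198.51.100.0/24 is another RFC 5737 documentation network
RECORDS = [
    IdentityRecord("alice", "alice@acme.example", "acme.example",
                   date(2017, 8, 1), date(2017, 9, 24), "198.51.100.5"),
    IdentityRecord("bruno", "bruno@acme-gmbh.example", "acme-gmbh.example",
                   date(2016, 6, 1), date(2017, 9, 20), "198.51.100.9"),
    IdentityRecord("chen", "chen@webmail.example", "acme.example",
                   date(2017, 7, 1), date(2017, 9, 1), "203.0.113.77"),
    IdentityRecord("dana", "dana@acme.example", "acme.example",
                   None, None, None),
]


def run_review(today: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Map each sample user to its findings; an empty list means nothing to do."""
    return {r.user_id: review(r, today) for r in RECORDS}
```

The findings are deliberately split by action ("deactivate", "reverify", "review") so that the output can drive three different workflows: automated deactivation for never-verified and dormant accounts, a re-verification ticket to the central HR/Security team of slide 7, and a manual review for the sanctioned-country hit.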

Page 13

EU General Data Protection Regulation (GDPR)

• Protects privacy and personal data of EU data subjects. Adopted by European Parliament in April 2016. Goes into effect May 2018

• "Personal data" means any information relating to an identified or identifiable natural person

• In addition to EU companies, also applies to companies outside of the EU that offer goods or services to, or monitor behavior of, EU data subjects (even if free)

• Steep penalties for non-compliance – higher of €20M or 4% of global annual turnover

• Requires companies to minimize data collection and retention, gain consent from consumers when processing data, and only use data for specified purpose

• Permits personal data transfers to country outside the EU, subject to compliance with set conditions, including conditions for onward transfer, AND if recipient country provides an “adequate” level of personal data protection. The U.S. does NOT provide adequate level of data protection

• Bottom line – GDPR imposes tough requirements if you collect data from EU data subjects

Page 14

EU-US PRIVACY SHIELD FRAMEWORK

• Opt-in framework created to allow U.S. companies to handle EU data subjects’ personal data in compliance with GDPR. European Commission blessed it in July 2016

• Administered by the International Trade Administration with the U.S. Department of Commerce

• To take advantage of the Privacy Shield, U.S.-based organizations must self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements

• Framework consists of seven core principles and 16 binding supplemental principles

• In essence, requires companies to adopt a very strong data governance and privacy program

Page 15

EU-US PRIVACY SHIELD FRAMEWORK – CORE PRINCIPLES

1. Notice: Must provide thorough notice to individuals, covering 13 separate points, including information about type of data collected, purpose, third-party sharing, individual rights, commitment to Privacy Shield principles, etc.

2. Choice: Must allow individuals to opt out of disclosure of personal information to a third party or usage for a purpose other than originally collected. Need affirmative consent for sharing with a third party for certain types of information.

3. Accountability for Onward Transfer: If utilizing a third-party Data Processor, have to comply with notice and choice provisions AND have contractual safeguards for the data.

4. Security: Must take reasonable and appropriate steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. Data Integrity and Purpose Limitation: Personal information must be limited to the information that is relevant for the purposes of processing.

6. Access: Individuals must have access to personal information about them that an organization holds. Must be able to correct, amend, delete.

7. Recourse, Enforcement & Liability: Must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.

Page 16

WHAT SHOULD YOU DO?

• If you are asking this question just now . . . MAY 2018. GET HELP NOW!

• Assess yourself. Are you collecting EU persons’ data? Do you really need to?

• If Yes and Yes, get your ducks lined up:

• Implement required data governance framework

• Review what data you’re collecting for system/tech data access. Get rid of everything you don’t need

• Review data retention and destruction procedures

• Sign up for the EU-US Privacy Shield

• GET HELP!

Page 17

QUESTIONS?