By Lewis Barr, Vice President of Legal and Privacy, Janrain
This year, 5.5 million new devices will get connected online every day, according to Gartner. By the end of 2016, there will be more than 6.4 billion connected things, a 30% rise from last year. And Gartner predicts the trend is not going to slow down; by 2020, the Internet of Things market will include 20.8 billion things. In tandem with the explosion of connected devices is the growth in breaches. In just the first three months of 2016, there were 139 reported data breaches, resulting in almost 4.3 million exposed user records, according to the Identity Theft Resource Center.
Data breaches are costly and can negatively impact customer trust and companies of all sizes are being compromised. Customers’ identities are critical assets and they trust companies to keep them secure. With so many devices going online, the surface for potential attacks keeps growing and calls for the redoubling of efforts to protect online device and user data. Against this backdrop, companies are focusing on scoped access to enhance data security and privacy. Scoped access ensures that only those employees and contractors who need access to data to do their work have access and that their access is limited to the data required for their work.
Devices will also have their identity and then we will concentrate security around those devices. You want to have the device control itself, rather than relying on some third party and hope that they do a good job.
In a recent security and privacy talk with Janrain, miaa Guard co-founder Carlo Schupp, discussed the importance of managing access for devices and people to protect secure customer identities. With a background in managed infrastructure security, Schupp co-founded miaa Guard six years ago. Based out of Belgium, the company provides managed access services.
Devices are starting to have their own identities, often associated with a human being that owns the device. There is a client-device relationship and devices need to be secure in order to maintain trust from the owner.
“From a security standpoint, we are now treating devices the same way we treat individuals,” Schupp said. “So devices will also have their identity and then we will concentrate modern identity-centric security around those devices. You want to have the device control itself, rather than relying on some third party and hope that they do a good job.”
Access and Policy
With more data being gathered and becoming available, access and policy are important to consider. Doctor access to patient records is an issue that will need policies and constraints. Consumer brands accessing customer data has to be controlled so not everyone working at these large companies has access to the data. Every industry is collecting identity data and without scoped access and relevant, targeted and enforced policy choices, information can get into the wrong hands.
It’s important to review security as identity-centric. In regard to access of authorization management, you must think about the identity and make sure that you have a single identity for an individual
“Access control relative to applications is often embedded in the application,” Schupp said. “Also, if the application is web-enabled, then it may be part of the web server. We see more and more trends to externalize the control of access out of the applications, so that you can have a harmonized way of controlling access to different types of web sites and applications.”
By understanding the parameters that are important in your industry, you can determine the best way to control access at your company.
Keeping Permissions Current With Roles
“Often times in the past, people were given permission to access certain data and then when people changed throughout the organization, nobody dared to take away those permissions,” Schupp said. “They would add permissions to access even more data and more applications, and the longer a person is with the company, the more permission they have.”
It’s important to review security as identity-centric. You give a person certain roles and business roles and that changes as they move throughout the organization. In regard to access and authorization management, you must think about the identity and make sure that you have a single identity for an individual.
“You don’t want to have 4,000 accounts of one person and a gazillion number of access rights and permission spread all over the company,” Schupp said.
Access control is a key component of Customer Identity Management. And simple as it may be, the most important thing to remember is to actually make it a priority and establish protocols to ensure the privacy and security of your customer data.
Lewis Barr, CIPP/US, has more than 16 years of general counsel experience managing a wide range of legal and privacy-related matters for growing technology companies. He brings to his work in-house a diverse background as a litigator, federal appeals court staff attorney, and teacher. As General Counsel and VP of Privacy at Janrain, Lewis leads the company’s legal and privacy matters as the company continues its international expansion. He received his Bachelor Degree from Georgetown University’s School of Foreign Service and his Juris Doctor from the University of Missouri School of Law.