PlainID Identity Security Posture Management Blog

How PBAC Ensures Data Privacy

Written by Gal Helemski | Jun 25, 2019 1:56:29 PM

Over the past few years, two of the most important trends in Identity and Access Management (IAM) have been the rise in the number of applications that cloud-facing businesses use and the growing popular and legislative demand for safeguarding users’ privacy. In 2017, the last year for which data is available, the average enterprise used 928 cloud-based apps, meaning that IAM departments had their work cut out for them.

At the same time, privacy legislation such as the EU’s General Data Protection Regulation (GDPR) and the recently passed California Consumer Privacy Act (CCPA) has set strict requirements for the handling of customers’ personally identifiable information (PII) and mandated stiff penalties for violations.

Industry expert Kent Graziano noted in a recent article, “The true impact of GDPR is emerging now”, that in the first three months of 2019 Google was fined $57 million for GDPR violations, and complaints were filed against Amazon and Apple seeking fines of up to 4% of their worldwide revenue, which is $9 billion in the case of Apple. Small wonder that, according to Gartner, accelerating privacy regulation was the top risk concern of surveyed executives.

IAM and Privacy

Effective privacy means ensuring that only the right people have access to PII, only to the subset of it their job requires, and only under the right circumstances. For example, doctors need patients’ medical histories but not their home addresses, whereas someone in a hospital’s billing department needs just the opposite data. Likewise, a number of states, such as Michigan, have recently passed laws requiring insurance companies to implement strict data privacy policies, and the trend is expected to continue. GDPR itself is explicit in requiring “protection against unauthorised or unlawful processing”. Complying with requirements such as these is the concern and strength of IAM.

Additionally, IAM is useful in complying with the following aspects of GDPR, CCPA, and similar regulations:

- Security of processing: Beyond Authorization decisions about who may access which data, these statutes require that the networks and systems doing the processing be secure, a basic mission of IAM.
- Informed consent: IAM solutions must hold records proving users’ consent to data storage, and must limit access to that consent data as well.
- Data minimization: As John Notman of OpenText’s recently acquired Identity Platform argues, IAM enables you to determine how long data needs to be stored, allowing you to set an automatic deletion date for “ghost” accounts and to enact other policies to eliminate data that becomes irrelevant.
- Cloud services: Hospitals often use delegated Authorization with pharmacies, a situation requiring strong IAM to comply with GDPR as well as to address other security concerns.
- Identity governance: IAM can be used to ensure separation of duties [as well as] enforcing and auditing access policies to sensitive accounts and data.

PBAC and Privacy

Authorization, in the IAM context, is the process of determining which users can access which resources and under what circumstances. There are several approaches to this task, but in recent years Policy-Based Access Control (PBAC) has emerged as the solution of choice, especially for B2B delegated Authorization, SaaS, and other cloud-based scenarios. PBAC is a relatively recent Authorization approach that combines the best features of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) while avoiding their problematic features.

RBAC contributes roles: clusters of permissions that a user always has, regardless of current conditions (e.g. time of day). ABAC takes a different approach, authorizing use based on conditions as well as user characteristics. Both can be cumbersome, difficult to maintain, and so complex that managers often end up delegating authorization to IT instead of creating the important policies themselves. In practice RBAC tends toward role explosion, with a new role for every combination of circumstances, while raw ABAC rules can be hard for a non-specialist to read and audit.

PBAC offers a much better solution: it uses roles but allows permissions to vary with circumstances, such as time of day. PBAC supports rules written in natural language and implemented through a user interface, such as “sales managers can access certain customer financial data only during business hours, when they are in the office or connected through a VPN, but not when they are using a non-secure connection.” PBAC thus supports what is known as fine-grained Authorization: very specific policies that combine roles and attributes. These policies are evaluated in real time at each access request, and can be easily edited by the data or application owner, allowing maximum flexibility with little or no downtime. One caveat applies to any such rule: it is only as strong as the attributes fed to it, so the time and network attributes must be established by the decision point or an authenticated source, never taken from the client’s own claims.
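The two policies the article describes, the hospital case from the IAM and Privacy section (doctors see clinical data but not addresses, billing sees the reverse) and the sales-manager rule above, can be evaluated by one small deny-by-default decision point. The following is an added illustration, not PlainID’s product code: each policy pairs a role with attribute conditions on the request and lists the fields that role may read, so the same engine answers “may this user touch this resource now?” and “which PII may they see?”. The role names, field names, the 09:00 to 18:00 business hours, the network vocabulary and the sample patient record are all assumptions.

```python
"""Minimal policy-based access control (PBAC) decision point.

Added example, not PlainID's product code. Each policy pairs a role
(the RBAC part) with attribute conditions on the request (the ABAC part)
and names the fields the role may see. Roles, field names, business
hours, the network vocabulary and the sample record are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    """Subject, resource and environment attributes of one access request."""
    role: str
    resource: str
    now: datetime         # supplied by the decision point, not the client
    network: str          # "office", "vpn" or "public" (assumed vocabulary)


@dataclass(frozen=True)
class Policy:
    name: str
    role: str
    resource: str
    fields: FrozenSet[str]                                   # readable attributes
    conditions: Tuple[Callable[[Request], bool], ...] = ()   # all must hold


@dataclass(frozen=True)
class Decision:
    allowed: bool
    fields: FrozenSet[str]
    reason: str           # audit trail: which policy permitted or why not


def business_hours(req: Request) -> bool:
    """Assumed business hours: Monday to Friday, 09:00 to 18:00."""
    return req.now.weekday() < 5 and time(9, 0) <= req.now.time() < time(18, 0)


def trusted_network(req: Request) -> bool:
    """The 'in the office or on the VPN' clause of the sales-manager rule."""
    return req.network in ("office", "vpn")


# Hospital case: clinicians get clinical data, billing gets address and
# insurance data, and neither role gets the other's PII.
# Sales case: financial data only in business hours on a trusted network.
POLICIES: List[Policy] = [
    Policy("doctor-clinical", "doctor", "patient_record",
           frozenset({"patient_id", "diagnosis", "medical_history"})),
    Policy("billing-admin", "billing", "patient_record",
           frozenset({"patient_id", "home_address", "insurance_id"})),
    Policy("sales-financials", "sales_manager", "customer_financials",
           frozenset({"customer_id", "credit_limit", "outstanding_balance"}),
           conditions=(business_hours, trusted_network)),
]


def decide(req: Request, policies: List[Policy] = POLICIES) -> Decision:
    """Deny by default: the first policy whose role, resource and every
    condition match permits. Failed conditions are reported for audit."""
    failures = []
    for p in policies:
        if p.role != req.role or p.resource != req.resource:
            continue
        failed = [c.__name__ for c in p.conditions if not c(req)]
        if not failed:
            return Decision(True, p.fields, f"permit by {p.name}")
        failures.append(f"{p.name} failed {failed}")
    return Decision(False, frozenset(), "; ".join(failures) or "no applicable policy")


def filter_record(record: Dict[str, str], req: Request) -> Dict[str, str]:
    """Return only the fields the decision permits (data minimisation)."""
    return {k: v for k, v in record.items() if k in decide(req).fields}


# Constructed sample data and timestamps, not real records.
PATIENT = {
    "patient_id": "P-1001",
    "diagnosis": "type 2 diabetes",
    "medical_history": "metformin since 2017",
    "home_address": "12 Example Street, Springfield",
    "insurance_id": "INS-5550",
}
TUESDAY_10AM = datetime(2019, 6, 25, 10, 0)    # a weekday, inside business hours
SATURDAY_10AM = datetime(2019, 6, 29, 10, 0)   # a weekend day

if __name__ == "__main__":
    print(filter_record(PATIENT, Request("doctor", "patient_record", TUESDAY_10AM, "office")))
    print(filter_record(PATIENT, Request("billing", "patient_record", TUESDAY_10AM, "office")))
    print(decide(Request("sales_manager", "customer_financials", TUESDAY_10AM, "public")))
    print(decide(Request("sales_manager", "customer_financials", SATURDAY_10AM, "vpn")))
```

The deny-by-default loop and the per-policy failure list are the two things worth copying: an unmatched request never falls through to a permit, and every denial carries the name of the condition that blocked it, which is what an auditor reviewing GDPR access controls will ask for.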

Additionally, PBAC supports the creation of policies that can be applied consistently throughout an enterprise; this type of standardization is difficult to achieve with ABAC alone, but it is required by laws such as GDPR and CCPA. The ability to support clearly written policies that are both flexible and applicable across an enterprise’s subsystems helps a company secure its data and also returns access control policy to management’s hands, where it belongs, since it is ultimately a business decision. This is easier if the chosen solution has a UI that supports the creation of entities (users, resources, etc.) and makes it simple to link them graphically.

A Policy-Driven Solution for a Privacy-Driven Future

PBAC offers the best Authorization solution for meeting privacy requirements such as GDPR and CCPA. PBAC supports using both roles and attributes to create natural language rules that specify which users can use which resources, and under what conditions. In addition, PBAC can be used by enterprises that run more than one network or subsystem and need standard policies that are fully compliant with applicable regulations.

Given the growth of cloud-based businesses and organizations, with the resulting growth in PII that must be protected, it is likely that privacy concerns will only grow in the future, making PBAC solutions even more necessary. 

To learn more about PlainID’s PBAC solution, click here to schedule a demonstration