Identity access management in data privacy governance
Mrs Funmi wants to access a particular service, but as part of authentication and trust she must provide some information so that in future she can use these details to log in. These unique identifiers will allow her to gain access to the service. It behoves the controller to ensure that the information assets she has provided to gain access to the service or system are managed adequately. Yet most stakeholders don’t give this part of their business enough attention.
If at any time Mrs Funmi is unable to gain access to the service, especially if it’s a paid one, then that’s a breach. But what exactly does identity mean? In data privacy speak, identity simply means any information that identifies an individual. This includes names, addresses, contact information and any other details about an individual, especially when they are used for authentication processes or collected to meet organisational needs.
When she tries to gain access to XYZ company’s systems, they require credentials such as a username and a password, and possibly a further level of security such as a token-based authenticator. Once she proves who she is, she can access the systems.
Once she is authenticated, policies in the system enforce authorisation. Based on the customer’s identity information, the system allows her to perform actions or gain access to resources. In a company, for example, if Lekan logs into a particular system, there are policies in place to ensure that he only has viewing functionalities within the system.
One important area is the accounting part of identity access management. This is where monitoring is carried out, providing information about what users are doing within the system and how.
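The three steps described above (authentication, authorisation, accounting) can be sketched as follows. This is an added example, not part of the original article: the user store, the `viewer` and `editor` roles, the action names and the passwords are constructed for illustration, and a token-based second factor is left out.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed policy (assumption): each role lists the actions it may perform.
ROLE_ACTIONS = {"viewer": {"view"}, "editor": {"view", "edit"}}
AUDIT_LOG = []  # accounting: every attempt and its outcome is recorded here


def _derive(password, salt):
    # Store a salted, slow derivation of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(role, password):
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "pw": _derive(password, salt)}


# Constructed sample users (assumption): Lekan is view-only, as in the article.
USERS = {"lekan": make_user("viewer", "constructed-pass-1"),
         "funmi": make_user("editor", "constructed-pass-2")}
_DUMMY = make_user("none", "unused")  # keeps timing similar for unknown users


def _record(user, action, outcome):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "outcome": outcome})
    return outcome


def request(user, password, action):
    """Authenticate, then authorise, and account for the attempt either way."""
    rec = USERS.get(user)
    candidate = rec or _DUMMY
    # Authentication: constant-time comparison of the derived keys.
    ok = hmac.compare_digest(candidate["pw"], _derive(password, candidate["salt"]))
    if rec is None or not ok:
        return _record(user, action, "auth_failed")
    # Authorisation: deny unless the role's policy explicitly lists the action.
    if action not in ROLE_ACTIONS.get(rec["role"], set()):
        return _record(user, action, "denied")
    return _record(user, action, "allowed")
```

Failed and denied attempts are logged as well as successful ones, since those are the entries that monitoring most needs to see.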
In contemporary times most companies have identity management systems, which include provisioning, single sign-on, access management, federation, account provisioning, authentication, reporting, logging, auditing, workflows and many more (these areas will be covered in other articles).
There are many areas to identity access management, and it covers many functionalities. Some functions include identity creation and management (an example of which was given above), authentication and authorisation, and in some cases what is called federation of identity, which allows users outside the organisation’s network to access the systems they need.
There are certain threats to identity and access that can be classified into major areas. A company’s ability to look microscopically for the underlying threats within its authentication and authorisation systems will allow it to see the areas of vulnerability through which its systems could be exploited.
In other articles, I will cover the protocols and methodologies that companies employ in their identity access management framework. The policy and governance structure embedded in IDAM feeds directly into the principles of data protection and the creation of a good system.
This can help companies reduce their exposure to data privacy breaches. For example, when the identity consumer-endpoint services are not properly structured, or the right policies and rules are not implemented, there is the potential for various attacks, which could lead to a reduction in revenue and disruption to business processes.