Authentication and GDPR: Covering the Bases

April 16, 2018


The European General Data Protection Regulation (GDPR) will take effect on May 18, 2018. The GDPR requires businesses to comply with new rules for collecting, sharing, and protecting personal data within the borders of the European Union (EU) or when exporting information internationally. This applies to any organization that processes personal data of EU citizens, regardless of where that business is located. All companies that do business in Europe will be required to implement a range of security measures.

In September 2017, multi-national consulting firm Deloitte reported a cybersecurity attack which had taken place earlier in the year. Attackers were able to access the company’s email system through a single stolen administrator password. This is one of the clearest illustrations of the need for multi-factor authentication in any security posture.

If your organization hasn’t suffered a data breach, it’s probably more due to luck than to preparedness. Verizon’s 2017 Data Breach Investigations Report shows that 81% of hacking-related breaches leveraged stolen and/or weak passwords[1].

Many organizations rely on security software defenses that are out of date. If your company does any business in Europe, now is the time to begin adapting your data practices to comply with the new rules – including implementing the right tools to ensure data security.

How does authentication fit into the GDPR?

The GDPR includes a number of articles that outline security measures. Here are three of the areas where SecureAuth can help address your authentication challenges, and take some of the steps necessary for GDPR compliance.

Articles 15 & 16: Data access and rectification

Key requirement: Ability to access personal data, make corrections and consent to collect data.

Solution: With SecureAuth IdP, data subjects are permitted to view, access, and edit collected personal data, then make corrections (as needed). Adaptability to different environments enables organizations to choose which user or group of users (admins, individuals, customers, etc.) can manage profiles. Organizations have the ability to choose what types of profile data and personal preferences are collected.

Article 17: Erasure of data

Key requirement: The data subject has the right to ask the controller to “forget” or erase all personal data.

Solution: Logs can be used to quickly identify a user and ensure they’ve been forgotten as needed. A unified location or source of data (data store) ensures that all information is erased – no need to delete from multiple databases. SecureAuth IdP is scalable and adaptable, allowing you to support any number of users and applications.

Articles 25 & 32: Data protection by design and security

Key requirement: The controller must design systems to protect and secure personal data based on risk.

Solution: SecureAuth IdP layers risk checks to stop the misuse of valid credentials. Dynamic security is applied in layers based on predetermined risk factors, to protect your business from cyberattacks. Users enjoy a frictionless experience, as they are only challenged when a threat is present.

Adaptive authentication analyzes multiple factors to determine the legitimacy of every login, thwart attacks as they happen, and keep your data and resources safe. SecureAuth IdP's Multi-Factor Authentication deploys directly into your infrastructure, tying to your enterprise directories, web servers, VPNs, and even applications built in-house.
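To make the "layered risk checks" idea concrete, here is an added illustration (not SecureAuth's code; the signals, weights and thresholds are assumptions chosen for the example) of a policy that scores each login on several factors and steps up to MFA only when the combined risk crosses a threshold, denying outright when it is high:

```python
# Added illustration of risk-based step-up authentication.
# Not SecureAuth IdP's engine: the factors, weights and thresholds below
# are assumptions for the example.
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str
    device_id: str


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    recent_failures: int = 0


# Constructed denylist of IP prefixes (TEST-NET-3 range) for the example.
BAD_IP_PREFIXES = ("203.0.113.",)


def risk_factors(attempt: LoginAttempt, profile: UserProfile) -> dict:
    """Return the risk signals that fired for this attempt with their weights."""
    factors = {}
    if attempt.device_id not in profile.known_devices:
        factors["unknown_device"] = 30
    if attempt.country not in profile.usual_countries:
        factors["unusual_country"] = 25
    if attempt.ip.startswith(BAD_IP_PREFIXES):
        factors["bad_ip_reputation"] = 50
    if profile.recent_failures >= 3:
        factors["recent_failures"] = 20
    return factors


def decide(attempt: LoginAttempt, profile: UserProfile,
           challenge_at: int = 25, deny_at: int = 75) -> tuple:
    """Sum the fired factors; ALLOW silently, CHALLENGE_MFA, or DENY."""
    score = sum(risk_factors(attempt, profile).values())
    if score >= deny_at:
        return "DENY", score
    if score >= challenge_at:
        return "CHALLENGE_MFA", score
    return "ALLOW", score
```

A real deployment would log the fired factors with each decision so that investigators can see why a login was challenged, and so the entries can be located per user when an erasure request arrives.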

The GDPR is coming. Why take unnecessary risks, with compliance or with the security of your business? Contact us today to learn more about Modern Adaptive Authentication.


[1] Verizon’s 2017 Data Breach Investigations Report
