
Further down the rabbit hole

Regulation coming into effect internationally will drive the adoption of IAM, but will make data management more complex locally.
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 14 Apr 2008

Identity and access management (IAM) has matured to the point where it's become as de facto as ERP or BI in most organisations. For local companies, IAM is about to be impacted by two things: the Protection of Personal Information Bill and the international Payment Card Industry Data Security Standard (PCI-DSS).

The Protection of Personal Information Bill (colloquially known as the Privacy Bill) aims to promote the protection of personal information processed by private and public bodies.

Once enacted, the Bill will require any company that holds information on natural or juristic persons (the inclusion of juristic persons, that is, companies, is considered contentious and may be removed in later versions) to know exactly what information it holds, whether that information is personal or sensitive as opposed to public, and to have permission, from the person or company to which the information relates, both to hold and to use it.

While the Bill is still meandering its way through the legislative process and is not expected to be promulgated anytime soon, the impact it is expected to have on the way companies acquire, use, store and protect personal information means it's worth getting data houses in order now, rather than having to scramble madly when the Bill finally gets promulgated.

Data everywhere

What is IAM?

Identity and access management (IAM) evolved from identity management as physical and systems access control started to merge.
Briefly put, IAM is a framework or methodology, within which various technology solutions exist to drive roles and functions, processes and procedures, security and access management solutions, and databases.
According to Wikipedia, IAM is "the management of information (as held in a directory), which represents real life identified items (users, devices, services, etc)".
Practically speaking, an identity management solution enables the identification of users, secure verification of that identity and, following roles-based policies and procedures, the provisioning of access to systems and information based on that verified identity.
This access can be physical access to buildings, rooms, secure areas and so on, as well as system access to e-mail, applications, information and so forth. By obtaining all of its information from one central repository (usually called an identity vault or directory), identity management solutions give an organisation one view of the user, one set of accesses to monitor, and one switch to flip to enable or deny access when, for example, someone joins or leaves an organisation.

A recent report on ITWeb said: "Once law, the legislation will help protect people from criminals by holding companies and individuals, who fail to take adequate steps to protect other people's private information, legally liable. In terms of the proposed law, companies, for example, will be required to notify all customers affected by security breaches that could result in identity theft. Offenders could face up to 10 years in prison, as well as fines and punitive damages."

Says KPMG director Graham Teare: "Preparation now for the Bill goes back to the standard old principles around security. Do you know what data you have, where it is and have you classified it accordingly? Some companies have got it right, while others are still battling with it. If you're going to collect information on people - personal and sensitive (as per the Bill), you need to ask if you have looked at it as per the Bill and classified it as personal, or even further, as sensitive, which needs extra measures to protect it.

"Also, if you are collecting information, have you specified the purpose it will be used for, can you identify the information in the organisation and use it for that specified purpose, can you process it and are you storing it in line with those requirements? Do you have a mechanism in place to find information and delete it? The Bill specifies that I can ask for my information and check that it is correct - whose responsibility is it to update information or find information and give me access to it?"

The question is, says CA Africa security solutions consultant Karel Rode: "Can the people tasked to get the information get it effectively? For example, a medical organisation that has my age, blood pressure and so on, on record. Who can get access to confidential attributes? This doesn't just relate to IAM, but accessing attributes within a data set, so the doctor versus the nurse versus the accounts department's need to see the aspects of my record differ wildly. What people are going to struggle with is separating that data access."

Deciding how

The heads-up, says Rode, is that people need to start bending minds around how they are going to deal with this.

"The first thing they have to deal with is individuals: who has access? Then: who has access to what? And finally, 'who has accessed what?', from an auditing perspective and having the capability to send someone out to take action if privileges are exceeded."
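Rode's three questions (who has access, who has access to what, who has accessed what), the attribute-level access he describes for a medical record, and the sidebar's "one switch to flip" for joiners and leavers, as an added example that is not code from the article or from any vendor it names; every user name, role, policy entry and record value below is constructed:

```python
# Added example (not from the article or any vendor): a toy identity vault that
# provisions users by role, filters a medical record per role and keeps an audit trail.
# Attribute-level policy (constructed): which patient-record fields each role may see.
ROLE_ATTRIBUTES = {
    "doctor": {"name", "age", "blood_pressure", "diagnosis"},
    "nurse": {"name", "age", "blood_pressure"},
    "accounts": {"name", "invoice_total"},
}

class IdentityVault:
    """One central repository: one view of the user, one switch to flip."""
    def __init__(self):
        self.users = {}   # user -> {"roles": set, "active": bool}
        self.audit = []   # (user, record_id, attributes_seen, outcome)
    def provision(self, user, roles):            # joiner
        self.users[user] = {"roles": set(roles), "active": True}
    def deprovision(self, user):                 # leaver: the one switch to flip
        self.users[user]["active"] = False

    def permitted(self, user):
        """'Who has access to what': attributes an active user's roles allow."""
        entry = self.users.get(user)
        if entry is None or not entry["active"]:
            return set()
        return set().union(*(ROLE_ATTRIBUTES[r] for r in entry["roles"]))

    def read(self, user, record_id, record):
        """Return only permitted attributes; log every attempt, allowed or denied."""
        allowed = self.permitted(user)
        if not allowed:
            self.audit.append((user, record_id, (), "denied"))
            return None
        visible = {k: v for k, v in record.items() if k in allowed}
        self.audit.append((user, record_id, tuple(sorted(visible)), "ok"))
        return visible

    def who_accessed(self, record_id):           # 'who has accessed what'
        return [(u, a, o) for u, r, a, o in self.audit if r == record_id]

PATIENT = {"name": "A. Example", "age": 52, "blood_pressure": "140/90",   # constructed
           "diagnosis": "hypertension", "invoice_total": 1200.0}

def demo():
    vault = IdentityVault()
    vault.provision("nurse_jones", ["nurse"])
    vault.provision("clerk_pat", ["accounts"])
    vault.read("nurse_jones", "P001", PATIENT)
    vault.deprovision("clerk_pat")               # clerk leaves the organisation
    vault.read("clerk_pat", "P001", PATIENT)     # denied, but still logged
    return vault
```

Because every read goes through the vault, the audit list answers the third question directly, and deprovisioning cuts access everywhere without touching each system's own user table.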

Paul Jacobson, founder of Jacobson Attorneys, which specialises in new media law, says: "When it comes to the corporate world, it means companies need to include a data protection/privacy policy in their bundle of policies. The draft legislation contemplates a specific office bearer be appointed to monitor data protection issues. It makes it more important that companies have a well thought-out approach to data protection and privacy."

Companies will have to obtain permission from anyone whose personal information they hold, including employees and customers. It also doesn't just apply to companies that one traditionally thinks of as holding personal information - like banks - but any company that holds information defined in the Bill as personal, such as schools, health clubs and so on, notes KPMG's Teare.

As noted, companies that are in breach will be held liable by a body called the Information Protection Commission, which the Bill seeks to establish. The commission must be informed by any companies looking to gather information that they will be gathering information and what it will be used for. The commission must also be notified of security breaches, and is the body that will monitor compliance and investigate breaches of the Bill once it becomes law.

Regulation drives adoption

The above demands that companies, as Jacobson notes, include a data policy in their policy collection. It will also mean companies will have to know exactly what information they have, who has access to it, how they can access it and how it can be used if they are to avoid breaches. This is where IAM comes in and is probably good news for the IAM vendors.

Obtaining permission to have and use, for a clearly defined purpose, all of the information companies have on record is likely to be a logistical nightmare for many organisations, as will the job of ensuring information is stored correctly and disposed of appropriately at the appropriate time. ILM, storage, security and databases - all will be useful and all will be affected.

Adding even more fun to the mix is the PCI-DSS. Any company that processes credit card transactions will have to comply with the standard or risk being unable to process payments from the issuers, mainly Visa and MasterCard.

Says Novell business unit sales specialist Lewis Taljaard: "Between 2005 and 2007, in excess of 167.7 million records containing sensitive personal information were exposed due to security breaches. If you cannot identify your risks, you cannot manage them and, in turn, you cannot be secure. The PCI-DSS covers key security pillars aimed at securing access to personal identity records. Key elements are to securely store these credentials and to identify, manage and report on the access to this data.

"The PCI-DSS has various scales that certain of the standards are enforced on depending on the number of transactions processed in a 12-month period. It is applicable to the primary account number and thus companies that are storing, transmitting or processing that account number will have to comply."

The PCI-DSS specifies six categories or pillars that it enforces, says Taljaard. These are around securing the network, protecting cardholder data - typically where IAM comes in - maintaining a vulnerability management programme, implementing strong access control measures (both physical and systems), regularly monitoring and testing networks, and maintaining an information security policy.

Focused approach

"There is a very strong focus on ID (the card holder) and account number, as well as the persons using and accessing data on a physical and logical access control level," he says. "Organisations that do not comply risk not being able to handle cardholder data and risk fines of up to $500 000 for lost or stolen data," he adds.

While the deadline for global adoption and enforcement was December 2007, ITWeb was unable to establish when it comes into effect in SA, although Taljaard says it is definitely applicable to the South African market. "Consultants and auditors are already engaging with companies to evaluate the impact and assist with compliance," he says.

That's more good news for the vendors and yet another set of regulations for companies to comply with. That said, the smart money will no doubt combine compliance initiatives and find a workable way to implement the systems needed to comply with the above, as well as the other regulations and legislation applicable to their industries.
