Data Privacy vs Cybersecurity – Access Controls
Privacy and cybersecurity are both essential to businesses in today's data-driven world, yet the relationship between the two is still poorly understood, and both have room to improve in a business landscape that has technology at its core. We need a clear understanding of where privacy and cybersecurity intersect in order to strengthen both within our companies. Access control is one such critical area.
Access controls can be thought of as gatekeepers of personal information, playing a significant role in data privacy and cybersecurity. Simply put, access controls are security features that control what or who can use or view a resource (like databases, files, applications, or networks) in a computing environment, ensuring that only authorized parties can access specific information and resources.
Access controls form the first line of defense for companies trying to defend against unauthorized data exposures and cyber threats. They restrict unauthorized access (for both internal and external users) to sensitive information, helping organizations comply with privacy regulations and building trust. We have historically relied upon Role-based access control (RBAC) as the gold standard for managing access. In this article, we will explore some recent developments around access controls driven by privacy.
Privacy laws require companies to collect, use, and retain only personal information that is proportionate and directly relevant to a specified purpose (the purpose-limitation and data-minimization principles). Data that is no longer needed for that purpose must be deleted or anonymized without undue delay, unless a separate legal obligation (such as a financial record-keeping requirement) requires it to be kept.
From an implementation point of view, this requires access controls to be purpose-driven, because the traditional methods of managing access may not be adequate. Consider data collection and retention when someone purchases a product online. There are many ways to buy something online, but for this discussion let us focus on the two ways a purchase can be made: as a guest/anonymous user, or as a member (with an account and password). When a customer purchases a product from an online retailer's website, a lot of information is captured as part of the transaction, which may include the following:
Transactional data for record-keeping purposes.
Personal information that is part of the customer's profile information
Data that helps in providing a personalized experience for the customer
Security logs and performance logs collected as part of the transaction.
Payment Information (depending on the payment type) is collected and also shared with payment vendors.
Browsing and other information collected from websites through cookies and many other technologies and shared with third-party vendors.
Shipping information if the order needs to be shipped to the customer.
Product registration, warranty, and recall information associated with the purchase
Data is also retained for various types of analytics (customer behavior, service quality, product demand, and so on) and shared with service providers and third parties. In this scenario, the customer's name, email, and contact information are collected for many different purposes: completing the transaction (including shipment of the product), record keeping, providing personalized services, and future marketing. The same dataset is collected, processed, and stored in the same system (database) for all of these purposes.

Typically, access to this data is granted to employees based on their role within the company (RBAC), and the data is retained for the longest retention period among the processing operations that involve it. Under this traditional model, if a customer withdraws consent for personalization, it is hard to restrict access to the data based on how it will be used, because RBAC answers "who is this user?" but not "why is this access happening?": a role that legitimately reads the customer's email to ship an order cannot be stopped from reading the same field to build a personalized profile. Storing the same dataset in the same system for different purposes, and within different processing operations, requires more granular access controls and more detailed tracking of how the data is accessed and used than traditional models can provide.
Purpose-Based Access Control (PBAC) is a more modern approach to managing access to data. Under this methodology, access is granted not to individuals based on their roles but for a specific purpose. Users or machines may be allowed to work on multiple purposes, but when accessing data they always do so within the context of a single purpose.
Advantages of Purpose-Based Access Control
Flexible on-boarding and off-boarding: It becomes easier to manage who has access to which data within the company, because all access required to work on a purpose is bundled in the purpose definition.
Better data security: Purpose-based access control only works if users justify why they need access to specific data and if that purpose is clearly documented and tracked. This improves accountability, provides an audit trail for the organization, and ultimately results in better overall security.
Compliance: Purpose-based access control directly supports the purpose-limitation requirements of regulations such as GDPR and CCPA, and makes it far easier to demonstrate compliance with them.
Transparency: PBAC's granular audit trail records who accessed data, which data was accessed, when it was accessed, and the purpose of the request. This gives businesses greater insight into who is accessing sensitive data and why, and helps them make better-informed decisions about their overall risk management strategy.
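The following is an added example, not code from the author or from any PBAC product, showing the model described above in working form: every request is made under exactly one purpose, a principal must be onboarded to that purpose, each purpose may only touch the fields defined for it, consent-dependent purposes are blocked the moment consent is withdrawn, and every decision (allowed or denied) is written to an audit trail that records who, what, when, and for which purpose. The policy tables, retention periods, field names and customer record are constructed assumptions; it also carries the retention point through, computing the record's deadline from the longest-lived purpose that still applies to it.

```python
"""Minimal purpose-based access control (PBAC) with a per-purpose audit trail.

Added example for this article, not code from the author or any product.
The policy tables, record layout, names and dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: which fields of a customer record each purpose may use.
PURPOSE_FIELDS = {
    "order_fulfillment": {"name", "email", "shipping_address"},
    "record_keeping": {"name", "email", "order_id"},
    "personalization": {"email", "browsing_history"},
    "marketing": {"email"},
}
# Assumed policy: purposes that are lawful only with the customer's consent.
CONSENT_REQUIRED = {"personalization", "marketing"}
# Assumed retention period (days) per purpose; the record lives for the
# longest-retained purpose that still applies to it.
RETENTION_DAYS = {"order_fulfillment": 90, "record_keeping": 7 * 365,
                  "personalization": 365, "marketing": 365}


@dataclass
class Customer:
    customer_id: str
    record: dict
    consents: set          # purposes this customer has consented to


@dataclass
class Principal:
    user_id: str
    purposes: set          # purposes this user or service is onboarded to


AUDIT_LOG = []             # one entry per access decision, allowed or denied


def check_access(principal, customer, purpose, fields, now=None):
    """Decide one request; every request is made under exactly one purpose."""
    wanted = set(fields)
    if purpose not in PURPOSE_FIELDS:
        ok, reason = False, f"unknown purpose {purpose!r}"
    elif purpose not in principal.purposes:
        ok, reason = False, f"{principal.user_id} not onboarded to {purpose!r}"
    elif not wanted <= PURPOSE_FIELDS[purpose]:
        extra = sorted(wanted - PURPOSE_FIELDS[purpose])
        ok, reason = False, f"fields {extra} not permitted for {purpose!r}"
    elif purpose in CONSENT_REQUIRED and purpose not in customer.consents:
        ok, reason = False, f"no consent from {customer.customer_id} for {purpose!r}"
    else:
        ok, reason = True, "ok"
    AUDIT_LOG.append({                       # who, what, when, why, outcome
        "who": principal.user_id, "subject": customer.customer_id,
        "fields": sorted(wanted), "purpose": purpose,
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "allowed": ok, "reason": reason,
    })
    return ok, reason


def read_fields(principal, customer, purpose, fields):
    """Return only the requested fields, or None when the request is denied."""
    ok, _ = check_access(principal, customer, purpose, fields)
    return {f: customer.record[f] for f in fields} if ok else None


def retention_deadline(customer, collected_on):
    """Longest retention among the purposes still in effect for this record."""
    active = [p for p in RETENTION_DAYS
              if p not in CONSENT_REQUIRED or p in customer.consents]
    return collected_on + timedelta(days=max(RETENTION_DAYS[p] for p in active))


def demo():
    """Constructed walk-through: consent withdrawal over a shared dataset."""
    start = len(AUDIT_LOG)
    collected = datetime(2024, 1, 15, tzinfo=timezone.utc)
    cust = Customer("c-1001", {"name": "A. Customer", "email": "a@example.com",
                               "shipping_address": "1 Main St", "order_id": "o-77",
                               "browsing_history": ["/shoes", "/hats"]},
                    consents={"personalization"})
    analyst = Principal("u-analyst", {"personalization", "order_fulfillment"})

    before = read_fields(analyst, cust, "personalization", ["email", "browsing_history"])
    cust.consents.discard("personalization")          # customer withdraws consent
    after = read_fields(analyst, cust, "personalization", ["email", "browsing_history"])
    # Same user, same record: still usable for fulfilment, never for fields
    # outside that purpose, and still retained for record keeping.
    shipping = read_fields(analyst, cust, "order_fulfillment", ["name", "shipping_address"])
    cross = read_fields(analyst, cust, "order_fulfillment", ["browsing_history"])
    return {"before": before, "after": after, "shipping": shipping, "cross": cross,
            "deadline": retention_deadline(cust, collected).isoformat(),
            "audit": [(e["purpose"], e["allowed"]) for e in AUDIT_LOG[start:]]}


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The decision function deliberately takes a single purpose rather than a role: the same analyst is allowed and then denied the same field of the same record purely because the purpose changed, which is the case the RBAC discussion above cannot express. Denied requests are logged as well as allowed ones, since the denials are what an auditor uses to find processing attempts that exceeded a purpose.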
While PBAC has many advantages, implementing it within an organization is not without challenges. Authorization in most organizations has been built around users and their roles, and evolving to a purpose-based approach requires change that is not easy. The granularity at which data access can be granted also depends on having granular knowledge of how data is used within the company: without understanding what data exists, its nature and context, and how it is used, it is impossible to evaluate access requests against a purpose. Fortunately, many organizations are investing in building data maps and developing a deep understanding of their data through discovery, mapping, and categorization processes. Granular and accurate information about content, its sensitivity, and its usage makes it possible to craft a detailed list of purposes and a PBAC framework that focuses on the most sensitive and at-risk data first. Bottom line: purpose-based access control is still a relatively new concept within the security world, but it will quickly become the standard as regulatory requirements from the privacy world continue to drive it.