18.12.18 | Author : Sadrick Widmann
Published in “Digitale Welt”

A prerequisite for the secure handling of data, as the GDPR also requires, in both the digital and the physical world is that users can authenticate themselves. Data can only be protected effectively if the identity of a person, service or machine is clearly established and its roles and its access to data are defined through authorization management. A modern customer identity and access management (CIAM) tool provides exactly this.

CIAM software enables e-commerce, healthcare or banking providers to act in a GDPR-compliant way and to determine the identity of their users, whether humans or machines, unambiguously. This also satisfies the Payment Services Directive PSD2, which requires strong customer authentication, i.e. multi-factor authentication.

In the context of the GDPR, identifying users must also take into account that the user has sovereignty over his data at all times: he can actively consent to the use of his data and revoke that consent at any time. Compliance with the regulation, which under Art. 5 para. 1 d) requires that personal data be accurate and, where necessary, kept up to date, can be implemented quickly and lawfully with a CIAM system. Among other things, the customer can maintain his data directly via a user self-service function. Simple user management also allows customer profiles to be deleted easily, if necessary by the customer himself via self-service, so that the right to erasure (Art. 17 GDPR) can be honoured.

However, it must also be borne in mind that the control and management of digital data for both employees and customers extends beyond the virtual world and also covers access control and monitoring of premises in the physical world, such as server and administration rooms.

IDENTITIES ARE THE KEY

In both worlds, the authentication of identities is the key to security.

Authentication is the process of logging on to a system, whether digitally to a bank account, online shop or employee portal, or physically at business premises, during which the identity of the user is determined and verified. Especially in the digital world, passwordless authentication is becoming more and more important. An identity is the unique identifier for a person, organization, resource or service. Modern Customer Identity and Access Management (CIAM) software based on Big Data technology not only manages this data but also offers the corresponding authentication options and enables, for example, the assignment of roles and access rights in employee administration.

Even when protecting access to online shops, so-called "strong authentication" must be ensured. The EU General Data Protection Regulation (GDPR) does not directly prohibit authentication with user name and password. It does, however, explicitly demand that personal data be protected from unauthorized access. At the same time, user-friendliness is becoming increasingly important.

Multi-factor authentication, combined with behavior-based fraud detection and biometric factors, helps provide the level of security appropriate to the risk that Art. 32 GDPR requires.

Biometrics is one of the strongest ways to bind an authentication to a specific person: the biometric characteristics of each person are unique and therefore highly personal. The flip side is that, unlike a password, a compromised biometric cannot be changed, so stored templates must be protected with particular care. Recognition methods that use biometrics for personal identification are not new; Francis Galton laid the scientific foundation for the use of fingerprints in 1892. Today, fingerprint scanning is the most commonly used biometric method worldwide.

Compared to other biometric methods, however, fingerprints are a comparatively insecure biometric, since the features are easier to forge or replicate. In addition, moisture, dirt or even ordinary hand cream can affect the accuracy of the measurement. Compared to entering a PIN, on the other hand, this recognition method is much more reliable.

The advantage of identity and access management based on biometrics is that unauthorized persons have significantly more difficulty gaining access to digital data or, for example, a physical location, a computing device, a network or a database.

For identification and authentication, various methods can be used and combined via CIAM software.

  • Voice recognition: identification via the user's voice
  • Touch ID, Face ID or Android fingerprint: identification via device-specific authentication methods
  • Pattern: identification via a pattern drawn by the user
  • Push notification: identification by approving a prompt on the enrolled device
  • TOTP: a unique, time-limited one-time code used for identification
  • Backup code: for the case that the user does not have his mobile phone at hand
  • FIDO U2F: USB-based hardware security keys
  • Email: a verification code sent by email
  • SMS: a verification code sent by text message
  • IVR: verification codes delivered by voice call

Codes delivered by email, SMS or voice call are only as secure as the delivery channel and are the weakest options in this list; they are best kept as fallbacks rather than used as the primary second factor.

MULTI-FACTOR AUTHENTICATION FOR MAXIMUM SECURITY

Software solutions based on Big Data technology and hosted in Germany typically offer a wide variety of authentication methods that scale with the organization and cover access management for both digital and physical spaces.

With a comprehensive identity and access management tool, identities are not only verified through authentication; access rights are also granted to customers, employees or suppliers based on their roles. These rights can cover physical spaces (e.g. access to doors) and/or online spaces (e.g. access to an online shop or CRM system). All access to data and physical spaces is comprehensively logged.

In the case of physical spaces, classic methods such as access via keycards can continue to be used, but new biometric authentication methods can also be utilized.

If the face is used as the unique identification feature for access control, IP cameras are installed at the relevant doors, which requires minimal manual effort. They are then configured via the central administrator dashboard. Administrators can enroll images of the personnel and assign users or user groups to specific doors or areas. Based on these permissions, the IP camera then allows or denies access to each person. Face recognition can also be used for authentication at digital access points in the company.

Integration into the existing IT architecture and the existing security systems for doors and rooms is possible without difficulty with a modern Customer Identity and Access Management (CIAM) software solution.

Which authentication method is used, and whether multi-factor authentication (the combination of two or more factors) is used, varies by requirement. Two-factor authentication (2FA), for example fingerprint or face recognition combined with a password, offers a high level of security and is essential in the banking and insurance sector, for example.

At the same time, the growing number of technical authentication options is accompanied by user demands for more convenience and functionality, which matters particularly in online shopping, where the user should not be distracted during the buying process. This can be achieved with smart (risk-based) MFA. Continuous fraud detection based on analysis of user behavior (behavior-based clustering) detects suspicious behavior and triggers smart MFA, i.e. a second factor or confirmation of identity is requested only when necessary.
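The following is an added example, not code from the original article or from any product it describes, of the decision logic behind such a risk-based step-up: a login that has already passed the primary factor is compared with what is known about the user, and a second factor is demanded only if something is anomalous. The signals (unknown device, change of country, "impossible travel" between two logins), the 900 km/h threshold and the field names are assumptions chosen for illustration, and the login events are constructed.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    """One login that passed the primary factor. Field names are assumptions for the demo."""
    ts: int          # unix seconds
    device_id: str   # identifier the site issued to the browser/app at an earlier successful login
    country: str     # from IP geolocation
    lat: float
    lon: float


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


# Assumed policy threshold: faster than any commercial flight, so two logins that
# would require this speed cannot both come from the same person.
MAX_PLAUSIBLE_KMH = 900.0


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine) in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_signals(profile: UserProfile, event: LoginEvent) -> List[str]:
    """Compare the new login with the user's history and list every anomaly found."""
    signals: List[str] = []
    if event.device_id not in profile.known_devices:
        signals.append("new_device")
    prev = profile.last_login
    if prev is not None:
        if event.country != prev.country:
            signals.append("new_country")
        hours = max(event.ts - prev.ts, 1) / 3600.0  # clamp to avoid division by zero
        if km_between(prev.lat, prev.lon, event.lat, event.lon) / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")
    return signals


def decide(profile: UserProfile, event: LoginEvent) -> Tuple[str, List[str]]:
    """'allow' when the login matches the user's normal behaviour, otherwise 'step_up'
    (demand a second factor). The signals are returned so they can be audit-logged."""
    signals = risk_signals(profile, event)
    return ("step_up" if signals else "allow"), signals


def record_success(profile: UserProfile, event: LoginEvent) -> None:
    """Call only after the login fully succeeded, including any step-up: the device is
    now trusted and the event becomes the baseline for the next travel check."""
    profile.known_devices.add(event.device_id)
    profile.last_login = event


if __name__ == "__main__":
    # Constructed history: one earlier login from Berlin on device "dev-A".
    profile = UserProfile()
    record_success(profile, LoginEvent(1545000000, "dev-A", "DE", 52.52, 13.405))
    # Constructed new logins: same place an hour later, then New York 30 minutes later.
    for ev in (LoginEvent(1545003600, "dev-A", "DE", 52.52, 13.405),
               LoginEvent(1545001800, "dev-A", "US", 40.7128, -74.006)):
        print(decide(profile, ev))
```

Only a fully successful login, second factor included, updates the profile; a login that was merely challenged must not enroll the device, otherwise an attacker who fails the step-up would still have turned his device into a trusted one.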

The requirements for the protection and management of data in digital as well as real spaces, including the management of declarations of consent, for example from customers, can be easily and cost-effectively implemented by using customer identity and access management from the cloud – even for mid-sized companies.

CIAM REQUIREMENTS

When deciding on a tool, various points should be considered:

  • Scalability, so that the software can be adapted to the company's development without effort.
  • Cloud software hosted on servers in Germany, which simplifies GDPR compliance and allows quick, automated updates.
  • Standards such as OAuth 2.0 and OpenID Connect, with social login or single sign-on, should also be part of the product scope.
  • Usable in the digital world as well as in the physical world, so that there is one comprehensive system; misuse of data is frequently carried out by insiders.
  • Simple integration into the existing security and IT architecture.

The author: Sadrick Widmann completed his Master of Science at Karlsruhe University of Applied Sciences. He has lectured on topics such as business process automation and programming, and he demonstrated his management skills as managing director of CarbookPlus GmbH. Sadrick Widmann has been CPO since the beginning of 2018 and is therefore responsible for the product development of cidaas, the customer identity management solution developed by WidasConcepts.