Identity Management is an important piece of the GDPR governance process, particularly ‘who’ has access to ‘what’ data and ‘how’ that access is granted.
Identity access to resources should be federated and controlled so that all corporate data is protected and access to it is logged. This is a key step in avoiding potential data leaks and in being able to report on subject access requests for the GDPR.
Many companies may have an existing identity management solution, such as Microsoft Active Directory or the primary alternative, LDAP. Although there are cloud equivalents, Identity Management remains one of the key IT resources that has, for most companies, remained on-premises.
Modern companies tend to leverage multiple cloud providers (AWS, GCP, Azure, etc.) and may also have incorporated additional on-premises resources, such as Object Storage, as part of a cost-saving and/or digital transformation exercise. Where cloud vendors have offered integration with on-premises identity management solutions, these integrations have tended to be cumbersome and/or limited to the vendor's own cloud stack. They ultimately end up as another partial solution that adds more complexity to harnessing and securing data for the GDPR.
In truth, federating access to such disparate resources can be difficult, particularly as the corporate enterprise Identity Management paradigms (Active Directory, LDAP, SAML) and the cloud Identity Management paradigms (OpenID, OAuth2, token-based access) are not compatible.
The File Fabric promotes single-sign-on as part of its overall solution. It utilises existing corporate identity management systems, such as AD, LDAP and SAML, for sign-in, while the File Fabric itself is the enforcer for access to data stored on solutions such as Amazon Web Services, on a service such as Salesforce or even Dropbox, or on on-premises SharePoint.
When enabled for Single-Sign-On, the File Fabric does not store user passwords. Instead it passes requests through to the underlying corporate identity management system to validate access, and the result is then used in combination with a user's roles and resource access permissions to determine access to data.
In this way, user access to all corporate data resources is monitored and audited, giving corporate IT and data protection officers what they need not only to police their corporate data effectively but also to respond to requests about that data.
This is the second blog post in our series on GDPR. If you missed the first you can catch it here.