Cloud Identity in the Age of GDPR
Outsourcing any data storage or management tasks will ultimately raise questions of legal responsibility.
In the age of GDPR, these questions have become all the more important.
GDPR exponentially increased the complexity of handling personal data by adding more layers of responsibilities to companies that collect private information from their clientele.
To make matters worse, determining how the regulations apply to emerging trends and technologies in the world of IT is not always straightforward.
All of Europe’s new data regulations are geared toward entities called data “controllers” and their “processors”: in other words, the companies that collect personal information and the third parties they hire to process that information. The way GDPR’s rules are framed raises an interesting question as far as identity providers are concerned:
Will Cloud Identity Providers be included in this definition?
Moving to the Cloud
For years, enterprises have been rapidly adopting a “cloud first” mentality for many of their data processing tasks. This trend has meant a major shift in the relationship organizations have with their data. Moving the primary “home” of the data from hardware to the cloud means that endpoint devices, from laptops and PCs to file servers, become merely local access points for the cloud-based repository. Logistically speaking, this has drastically improved the efficiency of data management: IT departments no longer have to handle data storage on devices individually, and any changes, alterations or updates can be executed once for all users. But perhaps more importantly, the shift to the cloud meant a major change in the very nature of stored data. Sensitive information is no longer contained on devices located in this or that location, but rather in a digital infrastructure. This fact has very important implications when considering a particularly fast-growing trend within the cloud revolution.
Cloud identity providers, or IDPs, have been taking the world of IT by storm. According to an estimate from Gartner, cloud-based identity is, and will continue to be, one of the fastest-growing cloud-based services.
Traditional non-cloud IDPs have fallen squarely into GDPR’s definition of a “data processor”: a contracted service that handles personal data. According to the Regulation, an organization has to inform the end user that their credentials are being stored by such a service. The original entity that collected the data from the client, aka the data controller, would also carry considerable liability in the event of a breach at the IDP. Furthermore, clients will likely not be too happy to be informed that their personal credentials are being transferred to a third-party data handler.
Cloud identity has changed all of this.
Cloud-based identity providers do not require on-site servers or storage devices. The solution takes the form of a protocol without any tangible hardware. What this means in practice is that cloud IDPs do not retain session data or login information, making sessions stateless, to put it in GDPR’s own terminology.
As far as GDPR is concerned, Cloud IDPs that utilize a stateless architecture are not considered “data controllers”.
Enter the stateless cloud – Identity Management Without the Liability
To implement identity management that fits GDPR, CISOs will have to begin shifting away from traditional solutions. Authentication tools that address the liability issues of Europe’s new data laws will be based on stateless programs: digital architecture that does not retain login data or any other private information.
Secret Double Octopus’s technology combines the highest level of authentication assurance with GDPR compatibility. Utilizing a stateless cloud, the Octopus Authenticator allows enterprises to achieve top security standards without exposing the organization to potential liability under data regulations. On the security side, the Authenticator implements Secret Sharing algorithms for a mathematically unbreakable authentication scheme. In terms of regulatory compliance, Secret Double Octopus’s authentication tools do not require the storage of any personal credentials. In fact, the platform’s servers are completely unaware of who issued the request to begin with, and respond only when correct authentication data is presented.
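The two points made above, that a stateless design leaves no stored credential behind and that secret sharing lets a server take part in authentication without holding the secret, can be seen concretely in Shamir secret sharing. The block below is an added illustration written for this page; it is not Secret Double Octopus’s code and does not describe the Octopus Authenticator’s actual protocol. It assumes a prime field modulus (the Mersenne prime 2^127 − 1), a constructed credential, and a 2-of-3 split across a user device, an authentication server and a backup holder. A single share, such as the one the server keeps, is consistent with every possible secret, so a breach of that one holder exposes no credential; any two shares recover it.

```python
"""Shamir secret sharing over a prime field (added illustration, not the
product's own protocol).

The secret s is the constant term of a random polynomial
    f(x) = s + a1*x + ... + a_{k-1}*x^(k-1)   (mod PRIME).
Each holder receives one point (x, f(x)). Any k points recover s by Lagrange
interpolation at x = 0; any k-1 points are consistent with every value of s,
so a single holder (for instance an authentication server) learns nothing.
"""
import secrets
from itertools import combinations

# Field modulus. Assumption for this example: the Mersenne prime 2^127 - 1;
# any prime larger than the largest secret value works.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count, rng=None):
    """Produce share_count points; any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    rand = rng if rng is not None else secrets.SystemRandom()
    # Constant term is the secret; the other k-1 coefficients are uniform.
    coeffs = [secret] + [rand.randrange(PRIME) for _ in range(threshold - 1)]
    # x = 0 would hand out the secret itself, so shares use x = 1..n.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 through the supplied (x, y) points.

    With fewer than `threshold` points this still returns a value, but it is
    a lower-degree fit and (with overwhelming probability) not the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def every_quorum_recovers(shares, threshold, secret):
    """True if every subset of `threshold` shares rebuilds `secret`."""
    return all(reconstruct_secret(list(q)) == secret
               for q in combinations(shares, threshold))


def demo():
    """Constructed scenario: one credential split 2-of-3 across device,
    authentication server and backup. Returns (secret, shares)."""
    import random
    # Constructed credential; 15 bytes, so it fits below PRIME.
    secret = int.from_bytes(b"demo-credential", "big")
    rng = random.Random(2024)  # fixed seed only so the demo is reproducible
    device, server, backup = split_secret(secret, 2, 3, rng=rng)
    return secret, (device, server, backup)


if __name__ == "__main__":
    s, (device, server, backup) = demo()
    print("device + server recovers secret:", reconstruct_secret([device, server]) == s)
    print("server share alone equals secret:", reconstruct_secret([server]) == s)
```

The server's share is a single field element that, on its own, tells it nothing about the credential; it participates in authentication only when the device contributes its share. Production code would keep the default `secrets.SystemRandom()` source and never use a fixed seed as `demo()` does for reproducibility.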