Machine identities are software-based network “users”. They form a subset of the broader category of “identities”, which also includes humans, both your employees and your customers.
Examples of machine identities include Application Programming Interfaces (APIs) and Robotic Process Automation (RPAs or “bots”). They do the background jobs such as connecting services across the cloud ecosystem or managing repetitive administrative tasks.
These silicon-based “users” interact with sensitive company and personally identifiable information (PII) just as typical human users do.
Leveraging Identity Governance to Meet GDPR Requirements
Adjusting internal processes and systems in order to achieve compliance with GDPR takes time, given the depth and scope of the regulation. Compliance with GDPR requires organizations to have solutions deployed to manage the personal data of different types of users — employees, contractors, customers, partners and suppliers — along with their access. Identity Governance solutions help manage the digital identities and access rights of these user types across various systems. Enterprise IGA solutions focus on digital identities within the enterprise, namely employees and contractors, and provide visibility into the personal data that they disseminate to connected systems. They also help govern access to the systems that store or process personal data.
Enterprise IGA solutions can be used to achieve the objectives of data minimization and pseudonymization. On the other hand, Customer IDM (identity management) solutions provide similar capabilities to collect and manage customer data.
As part of an organization’s compliance efforts, these Identity Governance solutions can be leveraged to record consent to capture and process personal data, as well as to comply with elements of GDPR such as a data subject’s right to object to data processing or to request the deletion of their data.
Another critical aspect is to discover and protect personal data stored in unstructured format within enterprise or cloud collaboration platforms. Identity Governance solutions help in identifying such data, assigning data ownership, and ensuring that only authorized users have access to personal data. Better Data Access Governance platforms increase an organization’s visibility into data breaches, and therefore its ability to issue breach notifications in a timely manner, consistent with the timelines outlined by the GDPR.
Customer IDM solutions support self-registration and social logins using Facebook and LinkedIn, also known as “bring your own identity” or BYOID, streamlining the process. Consequently, Customer IDM increases the number of successful registrations. However, instead of relying on social media credentials to facilitate a customer’s initial registration, an organization may want their Customer IDM solution to support a risk-based approach to registration, also known as Identity Proofing, that requires customers to provide information only they know such as their prior home addresses, educational institutions attended, or the lender on their automobile or primary residence.
In addition to helping companies satisfy existing regulatory requirements, Customer IDM integrates with internal platforms such as customer relationship management systems (CRMs), providing a single view of the customer’s activities and records — including the PII in the organization’s possession, customer consent approvals, and data access history. Furthermore, Customer IDM solutions are scalable in that they can support large numbers of customers, often in the millions.
As it relates to GDPR compliance, Identity Governance solutions provide organizations with the ability to provision and manage access and therefore satisfy a number of requirements.