Centralised access, modification / review, transfer and deletion of PII
The General Data Protection Regulation (GDPR) is designed to put the user in control of their information. It also gives the data subject the right to data portability (receiving their personal data and moving it to another service) and the right to erasure of the account and the personal data held with it.
In a corporate environment with more than one online service you can centralise the management of personally identifiable information (PII). Customer IAM solutions can link to separate identity repositories that were deployed over time or acquired through mergers and acquisitions. The centralised approach simplifies building GDPR-compliant processes with granular user control over data.
Consent collection, management and revocation
GDPR requirements include consent management. The Ubisecure Identity Platform can be used to collect and record customer consent and to provide workflows for managing and revoking it, helping the organisation towards GDPR compliance. After the initial registration phase, consent becomes harder to handle when user information is transferred between service providers, when third-party authentication is used, or when you change how you process identity data.
Ubisecure Customer IAM is a tool to help you collect and record consent in these edge cases as well. If, for example, you are an identity provider (mobile network operator, bank, government), the identities you have issued are used in third-party (external) applications, and you deliver personal information to the third party, the consent for that release can be collected and recorded by the Customer IAM solution.
Another use case for consent management is Mobile Connect. In the Mobile Connect ecosystem, when the user first accesses an online service with Mobile Connect credentials, they give their consent. That consent must remain manageable by the end user. In our Mobile Connect solution the user can manage these consents using e.g. a smartphone app, making it very easy for the user to revoke consent. For other ecosystems the Ubisecure Identity Server offers similarly straightforward ways to manage and revoke consent.
Centralised policies for control of identity attribute release
Privacy regulations like GDPR increase the need to evaluate carefully which identity attributes the target application actually requires. This is especially important when identity information is sent to another service provider's domain through federation, or when the information travels outside EU borders.
Ubisecure Identity Server and its centralised authorisation policies are strong tools for enforcing that both internal and external target systems receive only the minimum set of identity attributes they require. This supports compliance with regulations and improves security and privacy.
Customer control is important. Where it would be beneficial for the target application to receive more than the absolute minimum, consent can be collected from the end user for the release of individual identity attributes. Later on, the user can review these consents, modify them or revoke them. This increases trust through transparency and leads to customer satisfaction.
- The Identity Broker Engine delivers to the online application only the attributes permitted by its release policy, supporting GDPR's data minimisation requirement
- The Identity Broker Engine connects to various identity repositories and assembles the identity information according to the authorisation policy
- Authorisation decisions can be based on e.g. direct group membership, indirect group membership, authorisation through authentication method, attribute group mapping, and dynamic rules for versatile authentication
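The consent lifecycle from the previous section and the attribute-release policy described in this one fit together in a single decision flow: a relying party gets the minimum set it is registered for, receives optional attributes only while a recorded consent for them is active, and is refused anything outside its policy. The following is an added illustration of that flow, not Ubisecure's code and not the Identity Broker Engine's actual policy model; the class names, the policy fields (required, consent_optional, allowed_groups), the relying parties "shop" and "partner-bank" and the user records are all hypothetical, constructed for the example.

```python
"""Attribute-release policy with per-attribute consent and revocation.
Added example, not Ubisecure's code; the policy model and every name here are
hypothetical, and the user records are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Identities as a broker might assemble them from several repositories (constructed).
USERS: Dict[str, dict] = {
    "alice": {"sub": "alice", "email": "alice@example.com", "given_name": "Alice",
              "family_name": "Example", "birthdate": "1980-05-01",
              "phone_number": "+358401234567", "groups": {"customers", "gold"}},
    "bob": {"sub": "bob", "email": "bob@example.com", "groups": {"customers"}},
}


@dataclass(frozen=True)
class ReleasePolicy:
    """Per relying party: the minimum it needs, plus what it may get with user consent."""
    client_id: str
    required: FrozenSet[str]
    consent_optional: FrozenSet[str] = frozenset()
    allowed_groups: FrozenSet[str] = frozenset()  # empty: no group restriction


@dataclass
class ConsentRecord:
    subject: str
    client_id: str
    attribute: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None  # set on revocation; the record is never deleted


class ConsentStore:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant(self, subject: str, client_id: str, attribute: str) -> None:
        if attribute not in self.active(subject, client_id):  # no duplicate active grants
            self._records.append(ConsentRecord(subject, client_id, attribute,
                                               datetime.now(timezone.utc)))

    def revoke(self, subject: str, client_id: str, attribute: str) -> bool:
        for rec in self.history(subject):
            if rec.client_id == client_id and rec.attribute == attribute and rec.revoked_at is None:
                rec.revoked_at = datetime.now(timezone.utc)  # close, do not delete
                return True
        return False

    def active(self, subject: str, client_id: str) -> Set[str]:
        return {r.attribute for r in self._records if r.subject == subject
                and r.client_id == client_id and r.revoked_at is None}

    def history(self, subject: str) -> List[ConsentRecord]:
        return [r for r in self._records if r.subject == subject]  # for self-service review


@dataclass
class Decision:
    released: Dict[str, object] = field(default_factory=dict)
    needs_consent: Set[str] = field(default_factory=set)  # prompt the user, record the answer
    denied: Set[str] = field(default_factory=set)         # outside the policy, never released


class IdentityBroker:
    def __init__(self, policies: Dict[str, ReleasePolicy], consents: ConsentStore) -> None:
        self._policies, self._consents = policies, consents

    def authorize(self, subject: str, client_id: str, requested: Set[str]) -> Decision:
        policy = self._policies.get(client_id)
        if policy is None:
            raise PermissionError(f"unregistered relying party: {client_id}")
        user = USERS[subject]
        if policy.allowed_groups and not (user["groups"] & policy.allowed_groups):
            raise PermissionError(f"{subject} is not authorised for {client_id}")
        decision = Decision()
        for attr in policy.required:  # the agreed minimum set is always delivered
            decision.released[attr] = user[attr]
        consented = self._consents.active(subject, client_id)
        for attr in requested - policy.required:
            if attr not in policy.consent_optional:
                decision.denied.add(attr)
            elif attr in consented:
                decision.released[attr] = user[attr]
            else:
                decision.needs_consent.add(attr)
        return decision


# Hypothetical relying parties: a shop that needs only an identifier and e-mail,
# and a partner bank that needs legal name and birthdate but only for "gold" users.
POLICIES = {
    "shop": ReleasePolicy("shop", frozenset({"sub", "email"}),
                          consent_optional=frozenset({"given_name", "family_name", "birthdate"})),
    "partner-bank": ReleasePolicy("partner-bank", frozenset({"sub", "given_name", "family_name",
                                  "birthdate"}), allowed_groups=frozenset({"gold"})),
}
```

Typical lifecycle: the shop requests birthdate and phone number; the broker releases sub and email, reports birthdate as needing consent and phone_number as denied. After the user grants consent, birthdate is released; after the user revokes it from self-service, the same request again reports it as needing consent, and the closed record stays in the user's history. Requests from an unregistered client, or for a user outside the policy's allowed groups, fail before any attribute is read.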
Strong Customer Authentication
Strong authentication is required for services that hold confidential data or handle high-value transactions, and is demanded by regulation such as the revised Payment Services Directive (PSD2).
Strong authentication means two-factor or multi-factor authentication: the user proves at least two independent factors (something they know, something they have, something they are). For the online service provider there are two main ways to deploy strong customer authentication. You can buy a solution and roll it out to your customer base, or you can adopt an existing solution that your customers already use, if it is available to third parties.
The Ubisecure Identity Platform has built-in support for over 20 different authentication methods, ranging from social media logins to e-ID cards and Mobile PKI. The service provider can use a single solution both for lower-assurance identities such as social logins, to capture and convert visitors easily, and, when required, for strong customer authentication.
For issuers of strong customer identities such as banks, insurance companies, mobile network operators and governments, the Platform provides the opportunity to become an identity provider. The wide support for standards allows an issuer to start selling authentication services to third parties, i.e. online services. GDPR and PSD2 will drive demand for strong customer authentication, and smaller online services may want to outsource the management of PII to trusted third parties and only utilise the data they need.
- Numerous methods to authenticate a user from social identities to strong multifactor out-of-band methods
- Step-up authentication when needed
- OTP: OTP TAN list self-service print-out & SMS OTP, 3rd party tokens and mobile apps
- Mobile: Mobile Connect, SMS+URL, USSD, Swipe/Click OK (app), PIN+PKI (app), biometrics+PKI (app), TOTP (app)
- Mobile PKI: ETSI MSS Wireless PKI standard (native client)
- PKI: Smartcards, tokens, soft certificates
- Nordic BankIDs: TUPAS, BankID Sweden, EID2 Sweden, NemID Denmark
Ubisecure solutions provide highly secure, highly available mission critical services to our customers. Identity Platform solutions can be deployed as on-premise IAM software or as cloud based managed services.