Pourtant, le volet IAM « Identity and Access Management » est souvent relégué au second plan dans les Programmes de mise en conformité LPM/NIS mis en œuvre par les Opérateurs d’Importance Vitale (OIV) / Opérateurs de Service Essentiel (OSE).

Comment comprendre cette situation et quelles leçons en tirer pour construire sa feuille de route IAM pour ses infrastructures critiques ?

L’IAM est un des piliers du volet cybersécurité de la LPM/NIS

Les mesures IAM à mettre en place sur les infrastructures critiques sont décrites dans les quatre règles suivantes :

Auxquelles il convient d’ajouter la règle portant sur les indicateurs (règle 20 pour la LPM et règle 4 pour NIS).

Les bonnes pratiques IAM habituelles à appliquer à tous les accès

Les exigences des trois premières règles reprennent les bonnes pratiques habituelles à appliquer à la gestion des comptes et des droits, tant pour les utilisateurs physiques que pour les processus automatiques accédant aux infrastructures critiques :

• Gérer le cycle de vie des utilisateurs, notamment les mutations et départs
• Affecter les droits selon le principe du moindre privilège
• Revoir (ou recertifier) régulièrement les droits affectés, a minima annuellement
• Contrôler et auditer les droits
• Attribuer des comptes et des moyens d’authentification strictement nominatifs

Le cadre ci-dessous résume les règles concernées :

Ces règles fixent un cadre mais laissent une grande liberté aux Opérateurs pour les décliner dans leur contexte.

Des comptes d’administration dédiés et soumis aux mêmes exigences

La quatrième règle (n°14 LPM et n°11 NIS) traite spécifiquement des comptes d’administration, destinés aux seuls personnels en charge de l’administration des infrastructures critiques : installation, configuration, maintenance, supervision, etc. L’exigence forte est la mise en place de comptes d’administration dédiés à la réalisation des opérations d’administration.

Au-delà du principe de moindre privilège explicitement mentionné, les comptes d’administration doivent respecter les mêmes exigences que les autres comptes telles que décrites précédemment.

Des indicateurs à produire pour surveiller les comptes à risque élevé

Enfin, la règle sur les indicateurs prévoit la définition de plusieurs indicateurs concernant la gestion des comptes présentant un niveau de risque élevé :

• Pourcentage de comptes partagés
• Pourcentage de comptes privilégiés
• Pourcentage de ressources dont les éléments secrets ne peuvent pas être modifiés

Au vu de ces exigences, l’intégration des infrastructures critiques dans les outils IAM (ci-après appelés « l’IAM ») de l’Opérateur apparaît comme la réponse nécessaire ; à compléter par l’application de mesures de durcissement (suppression, désactivation ou changement de mot de passe des comptes par défaut).

NB : les exigences LPM et NIS étant très similaires, nous emploierons par la suite le terme « OIV » pour désigner aussi bien les Opérateurs d’Importante Vitale et les Opérateurs de Service Essentiel, et le terme « SIIV » pour désigner les Systèmes d’Informations d’Importance Vitale et les Systèmes d’Informations Essentiels.

Pourtant, les Opérateurs hésitent encore à raccorder leurs infrastructures critiques à l’IAM

Les règlementations LPM et NIS ont accéléré la mise en place et le déploiement de solutions de bastion d’administration afin de sécuriser les accès d’administration. Cependant, bien que ces projets soient nécessaires, ils ne permettent de répondre que très partiellement aux exigences évoquées précédemment.

Ces règlementations devraient pourtant être un bon driver pour les projets IAM, mais les Opérateurs sont confrontés à deux principaux problèmes :

• La complexité d’intégration des systèmes industriels avec l’IAM – pour les Opérateurs industriels.
• Le risque induit par le raccordement des infrastructures critiques à l’IAM.

Des systèmes industriels complexes à intégrer

Les systèmes industriels présentent en effet des spécificités qui, d’une part complexifient le raccordement à un outil IAM, et d’autre part le rendent moins indispensable. Car, de façon générale :

• le nombre d’utilisateurs est limité ;
• ces systèmes sont cloisonnés, voire isolés du réseau d’entreprise ;
• la maturité sécurité des éditeurs et constructeurs est en retrait, les capacités d’interfaçage sont réduites, tant pour la gestion des comptes que pour la délégation d’authentification ;
• la granularité des droits d’accès est faible, se limitant souvent à autoriser l’accès ou non à l’ensemble du système, et non fonctionnalité par fonctionnalité.

Une intégration potentiellement génératrice de risques

Mais, au-delà de ces considérations propres aux systèmes industriels, les Opérateurs sont parfois réticents à mettre en place cette intégration, car elle est perçue comme génératrice de risques. En effet, si l’outil IAM ne présente pas un niveau de sécurité à la hauteur des règlementations, il pourrait paradoxalement constituer un point d’entrée sur les SIIV et ainsi amener de nouvelles vulnérabilités : création de compte ou attribution de droit illégitime, suppression malveillante de tous les comptes, etc.

Quant à mettre en place un IAM entièrement dédié au périmètre SIIV, cela représente un investissement très conséquent, parfois disproportionné, et qui ne permet pas de tirer tous les avantages d’un IAM mutualisé, par exemples les liens avec les sources autoritaires comme le SI RH.

Différentes approches d’intégration IAM permettent de répondre aux exigences règlementaires en maintenant un niveau de cloisonnement élevé

Dès lors, comment répondre efficacement aux exigences de la LPM et de la directive NIS ? Comment tirer parti des services proposés par les outils IAM sans ouvrir de nouvelle porte sur les infrastructures critiques ?

Nous distinguons différentes approches pour intégrer un système avec les outils IAM.

L’approche « délégation », à l’état de l’art mais fortement couplée

La première approche consiste à déléguer l’authentification et l’autorisation à l’IAM, en l’occurrence au service d’authentification et de contrôle d’accès, via un protocole de Fédération d’Identités (SAML2, OpenID Connect / OAuth2) ou via un raccordement Active Directory / LDAP.

Cette solution permet une gestion des comptes et des accès à l’état de l’art, mais rend le SIIV totalement dépendant de ce service et l’expose aux risques évoqués précédemment. Même en situation de crise, une isolation du SIIV serait difficilement envisageable.

Cette approche est donc plutôt à réserver aux applications qui fonctionnent déjà sur ce principe, typiquement les applications du SI de gestion avec un grand nombre d’utilisateurs. Pour les systèmes industriels, la solution à privilégier est de conserver le service d’authentification au sein du SIIV et d’opter pour une autre approche.

L’approche « provisioning », avec un niveau de couplage à ajuster au contexte

Cette approche consiste à conserver un système d’authentification et de contrôle d’accès propre au SIIV mais provisionné – c’est-à-dire alimenté – par l’IAM : les comptes et droits des utilisateurs sont stockés dans un référentiel interne au SIIV, et la solution IAM les gère au travers d’un connecteur. En fonction du niveau d’isolation souhaité, ce connecteur peut prendre différentes formes :

• Un connecteur automatique, permettant à l’IAM d’écrire directement les informations sur les comptes et accès dans le SIIV. Une isolation temporaire devient possible, en situation de crise ou en cas de détection d’activité anormale (par exemple : suppression massive de tous les comptes). Mais rien n’empêche un utilisateur malveillant ayant la main sur l’IAM de se donner accès au SIIV.
• Des ordres transmis aux administrateurs du SIIV (par ticket ITSM ou par mail) qui réalisent les actions manuellement. Un « sas » d’isolation est ainsi maintenu entre l’IAM et le SIIV, avec une étape de contrôle par les administrateurs.

Cette approche permet de bénéficier des processus de gestion des identités et des accès : validation et traçabilité des demandes d’accès, retrait des comptes et droits en cas de mutation ou de départ, etc. tout en préservant un degré de cloisonnement du SIIV.

L’approche « revue », orientée contrôle a posteriori

L’approche « revue » (également appelée « recertification ») se distingue des autres par le fait qu’elle repose sur une logique de contrôle a posteriori plutôt que de gestion a priori. Il s’agit cette fois d’analyser périodiquement les accès déclarés dans le SIIV afin de vérifier s’ils sont toujours légitimes. Cette vérification peut reposer sur un rapprochement des comptes avec un référentiel de collaborateurs (fichier RH, solution IAM, etc.), ou sur une validation explicite de la part des responsables des utilisateurs.

Ce peut être l’occasion de réaliser des contrôles approfondis (par exemple détection de combinaisons toxiques), de produire des indicateurs et des rapports d’audit.

Adapter son projet IAM – Infrastructures critiques à son niveau de maturité et à la typologie du SIIV

Sur la base de ces différentes options, nous proposons ci-dessous des pistes pour construire la feuille de route de mise en conformité LPM/NIS en fonction du niveau de maturité IAM et de la typologie des SIIV concernés.

Conserver la brique d’authentification et autorisation localement dans chaque SIIV

Il est préférable de conserver un référentiel de comptes et de droits d’accès localement dans chaque SIIV. Cependant, pour les systèmes déjà raccordés à un service mutualisé d’authentification et d’autorisation, le système mutualisé peut être conservé mais l’Opérateur doit lui appliquer les mesures prévues par la LPM et NIS : a minima le cloisonnement réseau, le durcissement, le maintien en conditions de sécurité, l’administration depuis un SI d’administration dédié, l’envoi des logs au SIEM, etc.

Dans un environnement de gestion des identités et des accès non mature, commencer par la revue des comptes et des droits

En l’absence d’outillage de gestion IAM mature, le moyen le plus rapide d’atteindre un premier niveau de maîtrise des risques et de conformité est de définir et mettre en œuvre un processus de revue régulière, sur une base a minima annuelle.

Sur un SIIV au nombre d’utilisateurs limité, le processus peut être déroulé manuellement, avec un niveau de qualité acceptable et une charge de travail raisonnable. Mais pour gérer des volumétries plus importantes, un outillage adéquat est à envisager : il facilite le pilotage des campagnes de revue et garantit la traçabilité des décisions. Il constitue en outre une opportunité pour envisager ensuite la mise en place d’un outil de gestion IAM.

Lorsqu’un outil de gestion IAM est en place, le sécuriser pour y raccorder les SIIV

Lorsque l’Opérateur dispose d’un outillage IAM mature, le provisioning des SIIV par l’IAM est recommandé : l’automatisation, la fiabilisation et la maîtrise que permettent les outils doivent compenser les risques induits par le couplage. A condition toutefois de garantir la sécurité de l’IAM : en complément des mesures techniques précédemment évoquées, l’Opérateur doit configurer l’IAM de sorte à ce que seuls les utilisateurs susceptibles d’accéder au SIIV peuvent demander l’accès, que le propriétaire du SIIV valide les demandes d’accès et puisse consulter facilement la liste des utilisateurs autorisés, et enfin que des contrôles permettent de détecter des anomalies sur les comptes et accès.

Le rehaussement de la sécurité profitera d’ailleurs à l’ensemble du Système d’Informations.

Trouver le bon équilibre risques / bénéfices pour construire son projet IAM – Infrastructures critiques

Ces propositions doivent permettre à tout Opérateur de construire sa feuille de route IAM pour ses infrastructures critiques en trouvant le bon équilibre entre les bénéfices apportés, les risques induits et le coût de mise en conformité.

Cet article Quelle approche pour gérer les identités et les accès sur les infrastructures critiques ? est apparu en premier sur RiskInsight.

The bill, originally created to amend a 1986 bill, The Stored Communication Act, allows the United States to force US-based service providers to transfer their customers’ data hosted overseas much more rapidly. It currently takes an average of ten months to obtain the data, rendering investigations conducted from within the US highly unproductive. The bill aims to allow US authorities (from sheriffs to the CIA) to access the data hosted by US companies, without the authorization of a judge. Large technology companies, who have supported the bill in the Senate, will be able to oppose a request if:

• The customer or subscriber is not a U.S. citizen or resident (section 3.2.b.h.2.i), and
• The transfer would require the provider to contravene the regulations of the country hosting the data (section 3.2.b.h.2.ii)

Such a request would then be brought before a US court which would be able to quash (or uphold) the request for the data transfer. Its decision will be based, among other things, on the validity of the information provided, the US’s interest in the request, the scope of the violation, and the chances of it being deemed to contravene the law in the foreign country. The public nature of the appeal is not specified, especially regarding the capacity of companies to communicate about contested requests. Today, it seems likely that the major US players are using such appeals to maintain the trust of their customers.

In order to avoid contravening the regulations of the countries concerned, the US can enter into bilateral agreements with them, which, in return for their goodwill, will be able to access data from the United States.

In the US, the CLOUD Act remains contested due to the risks introduced by the potential agreements with foreign countries. The fact that an executive power can put in place mutual agreements worries the American people, who fear that foreign powers are using the CLOUD Act to access their data without any safeguards.

What are the consequences for customers in Europe?

While tech giants (like Facebook, Google, Microsoft, and Apple) have supported the bill (with the US authorities refraining from approaching them for back-door access and providing a clear framework for data transfer), these regulations raise concerns about customer privacy for the targeted businesses. The act could leave customers without a right to consult, or any information about access to their data by US authorities.

However, European customers whose data is processed in Europe are now protected by the General Data Protection Regulation (GDPR). Articles 45 and 48 of the regulation, which is now in force, lay down a clear set of rules for allowing data to be transferred to third-party countries. According to Frank Jennings (a renowned lawyer on cloud matters), the European Data Protection Board, which oversees the implementation of the GDPR, will be responsible for deciding whether data appropriation under the CLOUD Act constitutes a necessary measure for the safeguarding of US national security, or whether a request does not comply with the new regulation. This could force the United States to negotiate with the EU or its Member States on the conditions for such data transmission, thus protecting their citizens against illegitimate transfers. US customers, however, would remain within the scope of the CLOUD Act.

Negotiations are due to begin between the European Commission and the US. EU leaders have already criticized the US bill as being hastily adopted, something that may complicate negotiations. In the meantime, some 100 civil society organizations have urged transparency from the European Council about the negotiations of the CLOUD Act as set out by the “Convention on Cybercrime” (or “Budapest Convention”).

Privacy laws: an asset for companies?

While the GDPR has preoccupied a good number of companies with respect to the changes it involves for their information systems, and that the ePrivacy Directive is in preparation, it is instructive to consider the connections between regulatory developments and the world of business. Data privacy laws could, whether in the near or distant future, be considered as an aid to protecting business’ data and to maintaining customers’ trust.

In a world where data-privacy issues are becoming increasingly important (think of Cambridge Analytica and Google Home Mini ), protection of customer data can be a decisive factor when choosing between competing offers. The position US providers will take on privacy and data protection issues is therefore eagerly awaited.

What can you do today?

To conclude, the new regulations on privacy remain somewhat ambiguous and may even clash in certain areas. The main conclusion remains that, as a result of the GDPR, Europeans should be better protected against the CLOUD Act, provided US suppliers reject inappropriate requests, and the courts with responsibility for arbitrating them play their roles correctly. Meanwhile, non-European customers will not gain greater protection by choosing to host their data in Europe.

While awaiting the implementation of new laws dealing with confidentiality and possible data appropriation, there are steps you can take to protect your personal and business data against it being inappropriately accessed while overseas, and other potential threats:

1. Clarify with your provider under what conditions it may be required to give access to your data, without forgetting to consider any mutual legal assistance treaties.
2. Define or review your hosting strategy according to the type of data held, your provider’s nationality, and the hosting site’s location.
3. Favor data hosting in European data centers, or in countries with well-established data privacy frameworks.
4. Choosing a French or European supplier enables you to avoid the risks associated with the CLOUD Act. You must, however, stipulate contractually that it does not use US subcontractors (either directly or indirectly)!

Cet article The Cloud Act: does it mean your data is better protected? est apparu en premier sur RiskInsight.

Analytical assessment made possible thanks to the testimonies of Jean-Christophe Procot and Hervé Commerly, Human Resources experts from Wavestone. 

This blog post is a part of a series of articles which is itself the result of a synthesis on Privacy at the digital age published on our website. 

How is the concept of privacy between employees and employers perceived?

It is a concept that has changed significantly over the last few years. The privacy concerns of employers about their employees is that they often do not devote enough time to their work. For employees, the notion of privacy goes hand in hand with flexible working conditions such as flexible hours, reduced surveillance and teleworking arrangements. Employees also value a limit on the amount of information that the employer can gather about them. On the basis of this concept of privacy and to improve employee privacy, employers increasingly seek to support employees in their personal lives through well-being services such as laundry and daycare services, company restaurants and complementary insurance. However, providing such support also requires that the employer knows more and more about the private life of employees, such as the composition of their family and eating habits linked to religious beliefs.

What explains such concerns?

It should be understood that employers are increasingly interested in collecting data to improve understanding of their employees. Employees are increasingly reluctant to communicate this information, especially the younger workforces. Employers wants to retain their employees for longer, facilitate their decision-making and help them to perform more effectively and efficiently in the professional and personal lives. The employer collects such data not directly communicated by the employee themselves but from third parties, such as social networks, previous employers, managers, and data inputs from work tools. Both employees and customers are concerned by this development. It would almost say that, by definition, employees suspect employers of attempting to monitor their every move. The employee is then left to wonder how it is possible to retain control over privacy if employers collect all this information about them, not necessarily provided by the employee themselves, leaving them powerless if the employer chooses to correlate data for making decisions about an employee, unbeknown to them.

Do you have an example of a recent project which echoed such concerns?

The plan of the French government plan to introduce a tax withheld at source. An employee’s salary withheld is an example of this. The aim is to simplify an individual’s life by avoiding deferred payments which can lead to difficult situations. For example, tax collection methods for the state can be improved with a reduction in income set by the employer as an indication that an employee is no longer able to pay the tax rate of the previous year. However, citizens are quick to express concerns about the information their employer holds about them. As well as financial information, a tax return can contain additional private information such as marital status, children, ancillary income and any assistance provided to persons with difficulties. The objective should be therefore to ensure that the purpose of the data collected will be limited to tax purposes and that access to such data will be controlled. The employee wants to ensure that his or her data will not be used for any purposes other than that previously agreed to, such as modifying a salary due to learning the employee’s ancillary income.

What developments have taken place in human resources management that will impact the protection of personal data?

Several major trends have emerged:

• Big Data in recruitment activities, particularly sourcing, which should be supervised in order to ensure legitimacy when collecting data;
• The multiplication of decision-making for career managers (for example, the creation of succession trees or the identification of key personnel) for automated decision-making, a sensitive topic for regulators;
• Mobility, with an increasingly frequent introduction of new professional mobile terminals which do not facilitate the separation between the data produced in private settings and data produced in professional settings. The question of the “right to disconnect” is also alluded to regularly.

Cet article The evolution of the Human Resource management: what are the impacts on personal data protection? est apparu en premier sur RiskInsight.

Analytical assessment of a concrete project within the mass retail sector, made possible thanks to the testimony of Armand de Vallois, Consumer goods & distribution expert from Wavestone.

This blog post is a part of a serie of articles which is itself the result of a synthesis on Privacy at the digital age published on our website. 

What changes have occured over the last few years in the mass retail sector?

Over the last decade, we have shifted from a distribution model focusing on costs and volume to a model based upon understanding our customers. Mass distribution is thus a thing of the past, as it completely overlooks the interests of the customer relationship. Nowadays, our model gathers and stores knowledge about our customers, allowing us to develop closer proximity with the customer and loyalty programs which support the frequency and consistency of their purchases.

How should organisations handle such changes?

In recent years, awareness by business stakeholders of the opportunities that come with the high potential of customer data has increased. Nevertheless, resources must be used wisely in supporting the efforts of organisations to get closer to their customers. Data must be collected, handled and reconciled against frameworks which correspond to customer expectations and regulatory requirements. For example, the “opt-in” option is a good way to ensure that customers are well informed and accept the collection and processing of their data. Increasingly, rewards are used as a means for encouraging customers to accept the disclosure of their data. However, this model has its limitations. It is essential to ensure that services are of interest to customers and contribute to the ease of their lives, as well as ensuring that individuals have agreed to provide their data.

Do you have some examples of projects which created apprehension?

The introduction of RFID chips (integrated technology which enables the identification and follow-up of objects or people) in electronic tagging is a good example. Many projects have been launched in the textile industry based on optimising production costs, inventory automation in stores and warehouses as well as the ease of chip insertion into clothes. It is crucial to have real-time knowledge of stock levels and to have reliable information in an omni-channel context, where it is increasingly common to see online purchases made ahead of in-store collections. RFID chips can also contribute to data production based on customer journeys and the actual product itself, for example calculating ratios to record the number of times a product has been tried on in a fitting rooms compared to successful purchases of that product. This type of information is essential in the context of fast fashion in the textile industry. However, such chips are also a cause for concern. For example, salesmen can “potentially” connect a customer to a product (the RFID chips use unique identifiers) and track their activity over the duration of their shop visit (the chipset remains activated).

How did you adress these concerns?

We implemented what we call “Privacy By Design”, which goes beyond strict principles regarding chip use (identification and follow-up of products, not customers) and incorporates several other principles:

• A visible marker showing that clothes are equipped with a RFID chip
• Training sales teams so they are better qualified to respond to customer queries, such as informing customers that chips may be removed by cutting the tags attached to a product, a service offered in stores, or declaring that the company in question will never connect a customer and a chip
• Dedicated webpages for communicating all information required to understand the chip and the data it collects

These are some examples of best practices which are applicable to all projects involving the treatment of sensitive data. We must lead by example when handling and informing individuals about how to handle such data. It is therefore crucial to reassure customers and answer their questions so as to anticipate and alleviate their concerns.

Cet article Privacy and Digital Transformation: the retail relies on a Trust policy est apparu en premier sur RiskInsight.

This blog post is a part of a series of articles which is itself the result of a synthesis on Privacy at the digital age published on our website. 

Many projects aim at digitalising business processes and customer relationships in order to optimise existing processes, introduce customer proximity or offer new services

The following examples, based on Wavestone’s consulting experience, illustrate such trends. Historically, postmen, meter readers and service technicians have worked with paper (address databases, meter-reading or maintenance documentation). Work is organised according to the tasks to be performed and can usually be operated alone and independently throughout the day, before information is collected and consolidated at the end of a work shift.

The dematerialisation of such paper-based processes is intended to help organisations or agents in their activities by collecting data, better organising the work to be performed and sequencing tasks. This digitalisation process occurs in different sectors for specific purposes. For example, in the energy sector, smart meters create innovative opportunities around energy saving and fraud management through the collation of consumption data. In the insurance sector, accumulating data on customer preferences enables the personalisation and customisation of services and the development of additional offerings.

Such developments require the collation and manipulation of masses of personal data.

Cybersecurity alone is not sufficient for protecting digital privacy

To protect personal data so crucial to the digital market, organisations will pursue cybersecurity measures, such as secure transfer protocols or data encryption. However, we may question if such measures are sufficient, while concerns over data misuse, profiling and automated decision-making intensify.

An IT security-oriented approach alone is not sufficient. To address the fears over the respect of privacy, it is essential for organisations to reassure individuals by guaranteeing the non-manipulation of data without their prior knowledge and against their will.

Four Major Principles

The following guiding principles are to be applied in the collation and use of personal data

1- Communicate transparently and explicitly,

informing individuals on the data that is collected about them even if not directly obtained from those concerned. Our survey essentially illustrates this meaning of privacy to citizens: what kind of information is accessible about me, and to whom? It also means sharing the reasons behind data collection and the intended usage. Under no circumstances should data be collected without the purpose of collection disclosed to the persons concerned. Recent sanctions from regulators have illustrated that such activity is always exposed in the media, with heavy reputational impact and lost customer confidence often the damaging consequences. Building a relationship of trust takes years, whereas losing it only takes minutes.

2- Minimise the collection and storage of personal data

Less data collected about an individual means a lower risk of unauthorised and non-compliant use. For existing data, it is possible to process data while minimising risks through the use of “declassifying” techniques such as anonymisation, pseudonymisation (replacing direct identifiers with “codes”), randomisation (randomly generated data which retains the statistical value but conceals the origin) or generalisation of data sets.

Regarding data sharing and exchange, mathematical methods facilitate the exchange of data between two organisations, whilst ensuring data anonymity. When selecting such methods, it is important to assess their limitations. A poorly executed “sensitivity reduction” can still directly lead to the source of original data. For example, this can involve deleting the name but keeping the date of birth, place of birth and address.

Such methods enable organisations to optimise the customer relationship in two ways: by providing a better understanding of the digital customers’ profile and by demonstrating respect for customer privacy. This is the path chosen by Apple through the concept of differential privacy to differentiate from competitors Google and Microsoft.

3- Ensure individuals are in control of their personal data

not by generating value through the access to data, but rather by providing individuals with control over their data, allowing services to develop based on their needs.

This approach, labelled “self-data”, can be applied in the context of an energy consumption optimisation project, an example of which is to ask customers to indicate the temperature in their homes to record the potential cost savings associated with heating reduction. An individual will then be informed of the potential cost savings by autonomously using and managing a self-data Cloud platform, connected to his personal equipment to enable the cross-analysis of data through consultation of his digital thermometer and energy bills.

Use cases for self-data are also subject to research in the insurance sector, with some insurance companies contemplating the complete removal of client spaces to instead install them on self-data Cloud platforms. The insurer will then have access to the data belonging to his client but is no longer in ownership of that data. Beyond self-data, such trends may even lead to the “Green Button” mechanism where individuals explicitly validate access to their data at any time. This principle, albeit difficult to implement in practice, can be restricted to particularly sensitive data, such as health data.

4- Implement a win-win model

by clearly demonstrating the benefits generated by collecting and using data, not only for the organisation but also for individuals. Such benefits can be shared with customers through various means, such as additional services, rebates and compensation.

This approach may even drive the ease in adoption of new uses in an environment where increases in market share carry significant impact.

Ultimately, we are able to identify several levers in motion for building an honourable circle of trust when using an individuals’ data with respect and for the purposes of increasing the level of confidence.

Cet article Privacy within the digital transformation: four major principles est apparu en premier sur RiskInsight.

This blog post is a part of a series of articles which is itself the result of a synthesis on Privacy at the digital age published on our website. 

An increasingly international regulatory framework

The concept of privacy, as understood in history, can be understood across several centuries of legislation. It began taking shape in 1948, inscribed in Article 12 of the Universal Declaration of Human Rights: “No one will be the object of arbitrary interference in his private life (…). Everyone has the right to be protected by law against such interference or attacks”.

Regulation around the protection of personal data is a more recent phenomenon. It is directly linked to the development of information technology and the increased collection of data by organisations. In addition, the market value of data adds a further layer of complexity with the emergence of an international regulatory consensus. Sweden was the first state to establish legislation on the subject in 1973. In France, the “Loi Informatique et Libertés” was enacted in 1978, following debates over the Safari project, aimed at creating a centralised database of information about individuals.

Without reviewing each national law and its timeliness, an analysis of the initiatives implemented on regional scales provides a holistic view of the main privacy trends.

European Union: the state protecting its citizens

The European Union was the first institution to establish legislation on the subject in 1995 with the publication of Directive 1995/46/EC. This first attempt at creating legislative harmony on an institutional and European scale has been followed by the implementation of numerous principles, defined in the law of various Member States, including the establishment of supervisory authorities. This legislation is rooted in the “Guidelines for the Protection of Privacy and Transborder Flows of Personal Data” published by the OECD in 1980, which were non-binding.

In April 2016, the European Union elected to strengthen its legislation with the General Data Protection Regulation (GDPR), which, unlike the 1995 directive, will be directly applicable in the law of the Member States of the European Union.

Its implementation is planned for May 2018, when organisations must ensure their compliance with the requirements of the regulation. Developments will soon take place in e-privacy in the near future, aligning traditional requirements on privacy with more recent developments and innovation, thus addressing the topics of secrecy and correspondence in the digital age. Through such literature, the European Union will adopt the position as a protector of citizen data.

US: Making people aware of their responsilities

There is no specific regulation nor regulator within American law which oversees the collection and use of personal data at a federal level. Instead, the United States operates under a combination of laws which apply to certain sectors or states. Some regulation covers specific categories of personal data, such as financial data or health-related data, while others regulate activities which exploit such data, such as digital marketing. In addition to such regulations, best practices developed by federal agencies and industrial groups are also used as a means of auto-regulation. The Fourth Amendment of the US Constitution can also be referenced for the protection of personal privacy. Finally, laws around consumer protection, while they do not regulate personal privacy, forbid practices around the disclosure of personal data. Nevertheless, American citizens display a certain degree of flexibility regarding the distribution of their personal data.

As shown by the evolution of “Safe Harbor”, differences exist between the American and the European vision. This legal mechanism was implemented to ensure the protection of data transfer between the EU and the USA until October 2015, thereafter invalidated by the Court of Justice of the European Union (CJEU). According to the CJEU, the level of data protection offered by the United States was no longer satisfactory in light of the information leaked by Edward Snowden regarding the global surveillance programme operated by the American government. In February 2016, the United States and the EU drew up a new arrangement, the Privacy Shield, which came into force in August 2016 and is designed to offer better protection for data transfers.

Asia: a situation under development

With respect to data protection, we can categorise Asian countries and territories in two ways. Some are relatively mature on the subject, including South Korea, Singapore, Hong Kong or Taiwan. Until recently, China did not have any specific personal data protection legislation. However, in November 2016, new regulations applicable to operators from June 2017 were implemented. This new regulation will integrate widely agreed principles on respecting personal privacy and will require the storage of personal data on Chinese territory. On the other hand, other countries in the area are yet to implement regulations regarding the protection of personal data on a large scale, despite on-going debates.

Rest of the world: regional initiatives under development

In Africa, the first legislation on the subject was implemented in 2001, in Cape Verde. In 2004, Burkina Faso was the first state to establish a national regulator. At the regional level, the African Union Convention on Cybersecurity and Personal Data Protection, signed by 18 countries in 2014, incorporates notions derived from European legislation, with no legal binding.

In the Middle East, states such as the United Arab Emirates (UAE) and Saudi Arabia do not have specific legislation regarding the protection of personal data. Specific to these countries is the application of Sharia law, stating that damage can be claimed if the disclosure of personal data leads to abuse or damage.

In South America, several countries implement independent regulators. Moreover, they benefit from constitutional guarantees regarding personal data protection. This is particularly the case in Uruguay and Argentina, two countries recognised by the European Union as providing sufficient levels of data protection.

Cet article Privacy: which legal frameworks should be implemented on an international scale? est apparu en premier sur RiskInsight.

A consistent vision on an international scale

The countries selected for the survey, namely France, Italy, Germany, China, the United States and the United Kingdom, were selected on the basis of their socio-economic environments and the diversity of regulatory frameworks concerning privacy protection. These elements can influence the perception and opinion of citizens regarding the protection of personal data. However, despite initial contextual differences, we observed through collected responses that the theme of privacy is perceived in a relatively similar way across the surveyed countries.

Among the majority of respondents were younger generations, often perceived as “digital” citizens and more intrigued by the subject of privacy in a digital world.

Indeed, there are differences and particularities: notably in how German respondents place particular importance ahead of their counterparts on the definition of privacy relating to personal freedom. Responses from the United States demonstrate less confidence in public institutions. Generally, however, there is greater global awareness among individuals about privacy and personal data topics. This can be explained by the borderless nature of data and the digital world, with the digital citizen expecting his or her privacy to be respected regardless of borders. This observation reinforces the importance of respecting privacy in digital projects, regardless of the country and population in question.

From freedom to control: evolution of the meaning of “privacy”

Privacy is traditionally seen as the possibility for an individual to retain some form of anonymity in his or her activities and to have the ability to isolate oneself in order to best protect his or her interests. It is intimately linked to the notion of freedom. However, analysis of the survey results shows that this notion tends to disappear in favour of the control of information. We have proposed to our respondents to select one or more definitions that relate to either notion.

The most frequently selected responses relate to control. This pattern is confirmed by observing the intermediate proposals. For example, “having control over the type of information collected about you” is a more widely selected response (more than half) than “having moments alone, without being monitored by others”, relating to freedom.

It is also important to provide customers and employees with assurance that they have control over their data. This is possible by providing individuals with simple and autonomous means of access.

All personal data are viewed as sensitive in the eyes of citizens

When questioned about the level of sensitivity, the panel showed slight differences in their responses. Citizens considered most of the proposed types of data as sensitive. They did not perceive that leakage of certain data types could have serious or even irreversible consequences (e.g. health data), in contrast to other data types (e.g. financial data), for which most countries have already implemented regulatory frameworks which protect individuals (for example, rapid reimbursement in the event of fraud). This demonstrates that, regardless of the type of personal data handled by a project, special attention must be given at least to the communication of protection levels.

Trust varies greatly from one sector of activity to another

We asked respondents to indicate which type(s) of organisation(s) they trusted the most with regard to using their personal data for previously authorised use. We can differentiate between three main groups of actors.

• Firstly, the actors grouped under the category of “institutions” command the highest level of trust among respondents. / This includes public institutions, semi-public institutions or entities from the traditional economy with which individuals have historically shared a relationship of trust. This is particularly the case given how such institutions have processed sensitive data throughout their history (medical data, etc.). We also find significant differences within this category, with more than half of respondents claiming to trust banks with the processing of their data. Image and reputation are therefore crucial for banks, which serve to meet customer expectations in the aim of retaining their position as the number one trusted partner.
• Secondly, an intermediate category encompasses the actors of daily life such as transport operators and energy suppliers. Such B2C actors carry out swift digital transformation and benefit from the existing relationship of trust.
• Thirdly and finally are actors in the digital economy, whether web giants or technology firms.

Mistrust towards such companies can be attributed to the amount of data they collect and use on individuals, as well as recent high-profile prosecution cases related to such use. However, this result reveals a paradox. Despite this evident lack of trust, individuals continue to frequently use the services provided by these actors, due in part to a lack of alternative, as well as the information entrusted seeming to be, often wrongly, harmless and insignificant in the eyes of the individual.

New technologies raising fears

The panel highlights four technologies most likely to put their privacy in danger, according to respondents. What do they all have in common? Making it possible to collect data without this activity being under the control of the persons concerned. This would, for certain individuals, equate to a form of surveillance. On the other hand, technologies which provide citizens with the ability to choose the data they share, such as connected objects or Cloud services storing private information, are considered less risky in terms of privacy and therefore do not feature as any of the four technologies.

Although not traditionally thought of as “sensitive”, data on individual behaviours and actions are now viewed as a significant stumbling block between customer expectations about the respect for privacy and the increasingly personalised customer relationship.

Citizens who take action to protect their digital privacy

More than half of respondents claimed that they had made certain changes to their online behaviour in order to better protect their data. This illustrates a heightened level of awareness by individuals concerning the protection of their privacy. It is worth analysing how the means individuals take to ensure such protection. Our respondents described the measures they took, divided into two categories:

• Measures to limit the amount/ type of data provided: provision of inaccurate/incomplete information when creating an account, such as the use of a nickname or discarding non-mandatory fields or the use of anonymous accounts…
• Measures to improve the security of the data provided: increasing the level of security of online accounts such as strengthening passwords, changing passwords regularly, checking access rights and being more attentive when sharing personal information over the Internet…
• In addition to such measures, we find more extreme solutions. This ranges from the complete closure of accounts on social networks, exclusive use of trusted and tested sites or technologies, to deleting history and cookies with every use of search engines.

While these individual initiatives can contribute to increasing the protection of privacy, they may conflict with new uses and innovation promoted by organisations, thus limiting or even preventing the personalisation of the customer relationship.

The survey methodology

The survey was carried out among a 1587 respondents’ sample with people from 6 different countries: Germany, China, the United States, France, Italy and the United Kingdom. Answers have been analyzed by two Wavestone’s offices: Paris and Luxembourg. The respondents’ sample has been provided by a tierce organization (SSIS). The Wavestone research department is familiar with this structure because they used to work together on surveys on behalf of the European Commission. Before the emailing campaign, quizzes have been conceptualized and translated by Wavestone. The sample has been defined in order to ensure its representativeness. The panel needed to be representative of the targeted population without any gender and socio-professional category discrimination. Besides, the two selection criteria were that people need to be adults and they must have an Internet access. The survey was conducted from July to August 2016 and analysed from September to December of the same year. The final version has been finally published at the beginning of 2017. All the data from this survey have been anonymized. The data collection has been made for statistical purposes only.

Cet article What does privacy mean in a digital world? est apparu en premier sur RiskInsight.

Cette réflexion avait notamment été initiée par la Commission au Parlement européen dans sa communication du 26 août 2010 (Une stratégie numérique pour l’Europe).  Bien qu’aujourd’hui le règlement reprenne la majeure partie des dispositions de cette directive auxquelles sont apportées quelques modifications, de nouvelles dispositions y sont décrites et viennent renforcer et développer l’acquis qu’elle représente.

Création d’un cadre transnational et intersectoriel

Le principal problème recensé est notamment cité au point (9) du règlement : « Dans la plupart des cas, les citoyens ne peuvent pas utiliser leur identification électronique pour s’authentifier dans un autre État membre parce que les systèmes nationaux d’identification électronique de leur pays ne sont pas reconnus dans d’autres États membres ». Cette non-reconnaissance est due à l’interprétation et à la mise en œuvre technique par chaque État membre de la directive, ce qui amène ainsi  des problèmes d’interopérabilité et des divergences  lors des contrôles effectués. Concernant les services de confiance tels que l’horodatage ou encore le cachet, les divergences pouvaient émaner de l’absence de cadre juridique clair au niveau européen.

C’est pourquoi, l’objectif du règlement eIDAS (electronic IDentification And trust Services) est d’«instaurer un climat de confiance dans l’environnement en ligne » en fournissant un cadre transnational et intersectoriel complet pour des transactions électroniques sûres, fiables et aisées entre citoyens. Ce climat de confiance couvre donc l’identification et l’authentification électroniques, mais également d’autres services de confiance tels que l’horodatage ou encore le recommandé électronique. La mise en place d’un tel cadre permettra d’effectuer des démarches administratives dans tous les pays membres de l’Union et imposera la reconnaissance mutuelle.

Cependant, il est nécessaire de souligner que le règlement reste ouvert puisqu’il laisse la liberté aux pays membres de définir d’autres types de services de confiance à des fins de reconnaissance au niveau national comme des services de confiance qualifiés.

Concrètement, qu’est-ce que eIDAS va changer ?

Un des premiers points notables concerne la mise en conformité en vue d’une qualification eIDAS pour les Prestataires de Services de Confiance (PSCO). Afin d’intégrer la liste des PSCO qualifiés (qui devra être publiée régulièrement) et donc reconnus par les États membres, ils devront respecter un ensemble d’exigences de sécurité (mesures techniques, organisationnelles, etc.). Pour cela, ils devront s’appuyer sur les standards décrivant les mesures à mettre en place : analyse de risques, plan de cessation d’activité, processus de délivrance en face à face, notifications en cas d’atteinte à la sécurité, contrôles, responsabilités, etc. L’interopérabilité technique des systèmes passe donc par la revue des référentiels nationaux, comme le Référentiel Général de Sécurité (RGS) ; et la coopération des pays membres.

Cependant, la qualification reste une démarche volontaire, et un label de confiance UE sera créé pour identifier les PSCO qualifiés. Pour obtenir ce label, les prestataires de services de confiance devront se soumettre à des audits qui attesteront du respect des mesures définies dans les standards adossés au règlement. Il est donc fort probable que dans les mois qui viennent, les PSCO recherchant la qualification eIDAS lancent des projets globaux de mise en conformité comprenant la mise à jour documentaire (PC, DPC, PH, DPH, CGU, etc.), la revue de leur architecture d’Infrastructures de Gestion de Clés (IGC), de leurs gabarits de certificats, etc. À noter que les prestataires qualifiés dans le cadre de la Directive restent qualifiés au sens du règlement jusqu’au renouvellement de leur qualification mais devront passer un audit avant le 1er Juillet 2017 pour renouveler leur qualification.

Parmi les autres points remarquables, nous pouvons citer l’apparition d’un nouveau principe juridique : la signature électronique de personne morale. Le cachet électronique permettra donc aux entreprises et administrations de signer électroniquement en leur nom des documents afin de certifier leur provenance. Concrètement, un juge français ne pourra pas refuser un cachet ou une signature électronique apposé par un italien avec une solution allemande.

Enfin, nous pouvons également souligner l’introduction de la notion de signature qualifiée côté serveur, ce qui permettra notamment le développement de nouvelles offres (en SaaS) ; objectif clairement recherché du règlement eIDAS.

Cet article Confiance numérique: que doit-on attendre du règlement eIDAS ? est apparu en premier sur RiskInsight.

La sécurité de l’information, un pré-requis sur les canaux numériques

La protection des données est aujourd’hui une préoccupation évidente des clients et usagers. C’est ce que révèle un sondage de l’Economist Intelligence Unit en 2013, dans lequel 90% des sondés affirment penser que leurs données utilisées en ligne peuvent être volées, notamment pour détourner de l’argent. C’est également une préoccupation des pouvoirs publics qui renforcent les obligations en termes de sécurité. Attirer les clients sur les canaux digitaux est  une nécessité pour beaucoup d’entreprises. La sécurité est un prérequis indispensable à cette transition.

D’une part, Il faut rassurer les clients, et pour cela démontrer de manière visible que des mesures de sécurité existent pour protéger les données critiques et éviter notamment les fraudes financières. Une création de compte, une transaction, un changement de RIB… une bonne sécurisation, organisationnelle ou technique, peut conforter les clients dans leur confiance dans le canal numérique.

D’autre part, en cas d’incident, la capacité à bien réagir,  tant  pour résoudre l’incident le plus rapidement possible, que pour communiquer clairement et rassurer les clients concernés est un élément clé. L’évolution de la réglementation autour de la notification des incidents poussera d’ailleurs les organisations à développer ce point.

Enfin, il est important de relayer cette position au travers des acteurs de la relation client sur le terrain (vendeurs, conseillers…) en les sensibilisant pour qu’ils portent également ces messages en magasins, agences, etc.

La sécurité de l’information, un facteur de différenciation et de compétitivité

Démontrer un réel engagement dans la sécurité de l’information peut être un élément différenciant sur le marché. Pour ce faire, des solutions de sécurité avancées peuvent être proposées. Des banques comme Société Générale ou HSBC, proposent ainsi un logiciel à installer gratuitement pour renforcer la sécurité du terminal de l’utilisateur lorsqu’il utilise leur site. D’autres, comme Natwest et Barclays mettent à disposition de leurs clients des moyens d’authentification renforcés.  Au-delà des solutions techniques, certains acteurs vont jusqu’à sensibiliser leurs clients et usagers sur l’importance du respect de bonnes pratiques de sécurité. AXA a ainsi publié le « Le guide du bon sens numérique » et encore Le Groupe La Poste a communiqué sur des bonnes pratiques à adopter sur les réseaux sociaux.

Les services marketing doivent donc travailler en collaboration avec les équipes de sécurité à la fois pour innover et proposer des solutions de sécurité, mais aussi pour écouter et savoir tenir compte des attentes des consommateurs.

La sécurité de l’information, une offre à part entière ?

Et si de centre de coûts, la sécurité devenait une source de gains ? En étant attentifs aux attentes des clients, différentes entreprises se sont posées cette question et lancent aujourd’hui des offres de sécurité en tant que telles..

Plusieurs secteurs se sont d’ores et déjà  lancés : celui de l’assurance par exemple. Cyber-assurance ou encore protection de l’identité numérique, des assurances comme AIG, AXA ou Swiss Life, ont entendu l’intérêt que portent leurs clients à la sécurité de l’information, B2B comme B2C. Autre exemple, les opérateurs télécoms qui proposent un anti-virus avec les abonnements d’accès à Internet. Ou encore, d’autres opérateurs, d’un tout autre secteur, celui des jeux en ligne, mettent à disposition de l’authentification renforcée pour leurs clients.

Ainsi, au-delà d’être un pré-requis  la sécurité de l’information peut devenir un avantage concurrentiel, voire représenter une offre à part entière. C’est à chaque organisation de choisir la posture qu’elle souhaite adopter !

Cet article La sécurité de l’information, au service de la relation client est apparu en premier sur RiskInsight.