1 Introduction
The protection of sensitive customer data has become a critical issue, especially for organizations that collect and maintain individuals’ information. On top of that, there are many conflicting perspectives on how data should be secured. Security teams, database administrators, and developers are all affected, and they struggle to deal with disparate data that is sometimes stored in multiple locations by multiple business units. Beyond an organization’s own authority over who has access to what data, government authorities as well as consumers can dictate how sensitive customer data may be used.
Privacy laws, regulations, and initiatives are proliferating to address growing concerns over the use and control of personal data. The European Union’s General Data Protection Regulation (GDPR), the one seen most often in recent headlines, gives Europeans the right to control their personal information collected by organizations through user consent mechanisms. In the US, personal data breaches such as the one at Experian, along with the Facebook-Cambridge Analytica scandal, are compelling legislators in individual states to implement their own data privacy laws. The state of Vermont passed a law that requires data brokers to register with the government and to inform people how to opt out, what is collected, and when their data has been breached, and that gives individuals legal recourse when their data has been abused. The state of California is going further by introducing new rights for consumers regarding the privacy and use of their data. The California Consumer Privacy Act was recently enacted and will take effect in 2020. It’s anticipated that the growing momentum for individual data privacy will eventually lead to a more uniform law at the federal level to provide consistency across all states sometime in the distant future.
Another trend in consumer rights is the ability of consumers to access their data via APIs. In 2017, the Australian Government introduced the Consumer Data Right (CDR), giving Australians greater control over their data via APIs. In the EU, the Revised Payment Services Directive (PSD2) allows Third Party Providers (TPPs) to access customer data at financial institutions via secure APIs once the customer gives the TPP consent to share their bank data. Another point to consider regarding APIs is how organizations will address the implementation of new Digital Services, which have become more complex due to the different environments and the many integration points involved. This is driving rapidly growing demand for exposing and consuming developer-centric APIs. Exposing information via APIs allows for better data access, workflows, and orchestration capabilities across environments. Along with better data access comes the need to protect this data from unauthorized access at the API level, typically accomplished with a data security gateway deployed as a proxy.
Ping Identity addresses the challenges mentioned above with PingDataGovernance, which provides dynamic, fine-grained authorization for an organization’s data, as well as protection at the API layer. Founded in 2002, Ping Identity started with a primary focus on Identity Federation. Since then, Ping Identity has steadily grown to add other solutions, such as PingDataGovernance, that have made it an established and innovative leader in the IAM field, both for on-premises and cloud deployments.