Your view, but more from an IT industry standpoint, I think. Please welcome Brandon Peter from CA.
Thank you. Appreciate it. Thanks for your time this morning. I know I'm last before you have a well deserved break, so I hope to continue the momentum. I think what you'll see is I'm gonna speak about a number of the things that you've heard about already, most recently from Paul and also from Carsten in the first talk of the day. But what I want to do is up-level that a little bit and talk about the changing nature of identity in public policy.
I think Paul is absolutely correct that what we've seen in the United States in particular, as a result of the OPM breach and as a result of a number of other high-profile breaches, is that public policy makers are finally beginning to understand that identity needs to have a much more prominent role in broader cybersecurity public policy discussions.
And so what I hope to do today is to talk a little bit about this theme of digital transformation and the role that identity has in enabling digital transformation, and then about some of the conversations and examples that we're seeing, principally in the US and in Europe, because we're here in Europe, of some of the most recent public policy developments.
So you can't go anywhere today, obviously, without talking about digital transformation. The reality is that as much as we talk about it in industry, governments are intensely focused on this issue as well.
And the reason is that for the success of global economies and overall competitiveness, the success of a nation hinges in large part on its ability to harness the power of technology to transform its society and move forward with economic and social gains. Now every national economy is looking for advantages in a very competitive environment. And so as governments are looking to establish public policies to accelerate digital transformation within their borders, they're looking at a variety of levers that they can trigger to maximize technologically driven growth.
And, you know, I'm not a technologist; I work in the public policy space. And what we see globally is that governments are focusing holistically on how to attract investment and open up their markets.
They wanna look at different kinds of financial and other incentives that they can use to spur innovation inside of their countries, while at the same time balancing some of the domestic and global market demands and increasingly focusing on risk. And in risk, obviously, cybersecurity is a critical part of that.
What we see driving most of the public policy discussions in terms of risk is a focus on five principal themes. And, you know, you'll see again, I'm gonna focus on some developments in Europe principally and in the United States, but the same dynamics are taking place around the globe, and we could just as easily talk about examples from India, from Korea, from Japan, from Brazil.
The reality is that as all governments are seeking to maximize these levers, they're becoming more and more concerned about some emerging themes that I think are leading to a greater focus on identity as a broader part of the cybersecurity ecosystem.
So I've listed five here, and I won't dwell on these because we'll talk about these in the context of some of the other public policy developments that are coming up. But the role of technology in enabling trust, in protecting data and enhancing cybersecurity, as well as preserving the need for data to flow where it needs to move to serve customers at their point of interaction, is one that has increasingly begun to focus on identity.
One of the biggest challenges we in the public policy space have had in years has been getting public policy officials to understand that cybersecurity is much more than endpoint security, antivirus, and botnets. That's an easier thing for them to understand, but as Paul and others have mentioned, big, large-scale breaches have brought a much greater focus on this. So there are five things I want to touch on very, very quickly as part of this conversation. We could spend a day talking about any of these individually, and there are some follow-on sessions on the GDPR.
Some of these I've seen on your agenda; others I don't think I've seen. So I wanna touch on some of these quite quickly here, hopefully, so I can give you a little bit of a feel for some of the broader public policy developments that we're working on, and then I'm happy to have side conversations with you about the implications of each of these and a broader, deeper discussion on what it means and what the opportunities are, I think, for identity providers and the role of identity in the context of compliance with these new mandates.
So you heard this morning from Carsten, and you'll hear some other presentations later on about the new EU GDPR. As he mentioned, obviously this is quite significant in scope in that it applies more uniformly across the EU, which is a fundamentally different legislative instrument in the EU system. The idea and the goal here is obviously to strengthen user data protection, but also to ease business compliance burdens.
If you've looked at the text, and if you're thinking about what compliance means, you know, I would argue that the Commission and the Parliament failed on the compliance burdens. The reality is that this is gonna be a huge undertaking for organizations to get a handle on their data, where it's flowing, how they're managing it and who has access to it. And the reality is I think we need to make sure that we're instilling a significant sense of urgency in customers, because two years on is not a lot of time.
As you heard from Carsten, the legislation will enter into force in mid-2018, probably the latter part of May or early part of June, and the processes that need to be undertaken to help an organization manage their technology infrastructure and understand where their data is flowing are gonna be quite significant. The reality is that I think, apart from the fines and the parameters on data, why I think this is important from a requirements perspective and why it's critical is that identity is central to ensuring an organization's compliance with the GDPR.
All of the requirements that Carsten and others have talked about, data protection by design, privacy by design, protection by default, all of the data privacy impact assessments and the appointment of DPOs, the new rights that users have to extend the right to be forgotten and to request from data processors and controllers what data they have, necessitate that companies have a comprehensive strategy about where their data is, where it's moving, who has access to that data, who can collect it, who can touch it.
And even though privacy is the overarching regulatory requirement here, the necessity for strong identity governance and identity management discipline is foundational to organizations coming into compliance with this. So I think this is gonna be an area where we're gonna see a significant amount of activity and focus moving forward, and that is going to continue to accelerate the focus on the role of identity in enhancing trust, protecting privacy and enhancing cybersecurity.
The last year was also pretty busy in Brussels on another legislative development, which was the Network and Information Security Directive, or what's called the NIS Directive. This is a directive form of legislation in the EU system, which applies across the European Union but gives member states some flexibility to implement the requirements of the legislation differently. And the challenge that arises with that is we have some risks of fragmentation and different implementations across the 28 EU member states.
The goal of this legislation is to enhance cybersecurity readiness in both government and in business. And it applies to critical infrastructure sectors, to essential service providers. I'll talk a little bit more about who those entities are and what that means in just a second. But similarly to the GDPR, the NIS Directive is going to come into force in the first half of 2018.
And there is going to be a spate of legislative initiatives, because the member states have to enact this new directive into national legislation, that I think is gonna provide opportunities for those of us active in the public policy space to continue to focus on the strong role that identity needs to play in ensuring compliance.
And NIS has a variety of new security requirements to impose and new breach notification systems. It has incentives for companies to invest in new security technologies to strengthen their protections.
And it has a strong focus on leveraging tools to automate management and reporting to comply with breach notification requirements. And the reality is that even if an organization is not in scope, per se, with what's required under this legislation, our sense is, and our expectation as a provider of technology solutions is, that our customers are going to flow down additional requirements to us. So most of your customers, even if they're not in scope of this regulation, are also gonna have requirements flowed down to them by their partners and customers who may be in scope.
So scope is an important issue in this context. There are two categories of groups that are affected and covered by the legislation.
The first category is operators of essential services, which, by a different definition, just means essentially critical infrastructure: sectors, companies and organizations that are operating in the energy, transport, banking, digital infrastructure, health and financial sectors are covered and will have to be compliant with requirements.
The second component is digital service providers, and this is an area that will continue to be defined, because the directive itself focuses on covering the activities of online search engines and online marketplaces, and has a very broad definition of cloud computing providers, which is still going to evolve; there wasn't clear guidance on that in the legislation. And so the European Commission will be issuing some delegated acts and implementing guidance to define more broadly what cloud computing services would be covered by the legislation.
I wanna switch gears very briefly and just talk about something that's been happening in the US that, while again notionally focused on exchanging threat indicators, I think also has a significant role for identity in enabling what needs to happen to accelerate the sharing of and action on real-time cyber threat data.
So in the US, we've been trying for 10 years to get some cybersecurity information sharing legislation passed.
And in December of last year, Congress enacted some legislation that set up a new program to facilitate the sharing of cyber threat indicator information between the private sector and the US government. There's a real situation that exists in the United States, and it's not unique to the United States, where government security services and intelligence services have significant amounts of cyber threat and vulnerability information, and they're not as forthright about sharing that information with the private sector so that companies and actors that may be potentially impacted by threats can take action. At the same time, companies have been very reluctant to share cyber threat information with the government, for fear of the shareholder lawsuits or litigation that disclosing a significant vulnerability that may exist on their network may open them up to.
So Congress had been seeking to establish some legislation for a number of years that would ramp up efforts to enhance the voluntary sharing of information back and forth between the government and industry.
So the legislation that was passed created a new voluntary program that allows companies that wish to exchange information with the US government to set up a mechanism and a legal framework to allow them to exchange that data with some assurances that, if they're sharing information and taking good-faith action based on data that they may receive from the US government, they'll have some protection from liability for certain kinds of legal actions and challenges that are associated with this.
And if you talk to a CSO or you talk to the government, the reality is that the volume of the threat data that's coming in is incredible. Obviously the ability to take action on that and the timeliness of that information really necessitate that the government and industry have an automated way to be able to share information in real time.
There's a significant requirement in the legislation that for companies that wish to participate in these programs, if they're sharing cyber threat information with the US government, they have to strip out personally identifiable information before they share it with the government. And so the relevance to our sector is, I think, that entities and organizations that seek to participate in programs like this, and the US is just one example, are gonna need some strong API management discipline and technologies.
They're also gonna need some robust identity and access management and privileged access management solutions to ensure that the individuals that have access to data that will be shared, and the individuals who can receive threat information, are appropriately protecting that information, and that the organizations can audit who's using that information and for what purpose. Quickly, I wanna talk about another development, which also happened last year in Europe, which I didn't see much information about on the agenda at EIC this year.
But one that we at CA are spending a significant amount of time focusing on is the update of the old EU Payment Services Directive. PSD2 was agreed to this past year and will enter into force in January 2018, and similar to the NIS Directive, this is a piece of legislation that applies across the EU member states but may be implemented differently. The European Banking Authority is gonna be issuing some technical guidance. And the reality is, this is going to be a fight for control of users' digital identities in interacting with payment systems.
So you see here I talked a little bit about APIs and advanced authentication. Again, the reality is that PSD2 is intended to standardize how digital payments are made across the European Union, to enhance consumer protection, to make it more convenient for citizens and to accelerate adoption of mobile payments.
If you know how systems work today, traditionally we have a variety of intermediaries that are involved in payment processing systems; the indication and the impetus behind PSD2 is to facilitate new innovations in payment system models.
The banks will be able to give third-party providers an ability to have secure access to customer accounts, which means that there'll be much greater disintermediation of financial institutions in payment security technology platforms. What this does is it puts the consumer at the center of every transaction. And the reality is that new payment service providers are going to need significant security controls to respect consumer confidentiality and fight fraud.
It's critical because really at the end of the day, the ability of a service provider to offer compelling, easy to use solutions is about the ownership of consumers' digital identities in the financial services and financial payments marketplace.
So it's a very interesting development. The European Banking Authority, as I mentioned, is gonna be issuing some technical guidelines in the near future to facilitate technical interoperability and implementation.
But I think this is another area and indication, specifically, where we're seeing a lot greater focus on the role of identity in enhancing trust and in accelerating digital transformation. Finally, what I wanna do is just spend a few minutes talking about, and you heard a little bit about this from Carsten and others, the new EU-US Privacy Shield, which replaces Safe Harbor and is significant in the context of the overarching discussion around international data transfers. As you know, under EU law, both existing and under the new GDPR, data on EU citizens can only be transferred outside of the EU if the government where that data may be transferred has essential equivalency under EU law.
So when the European Court of Justice struck down the Safe Harbor agreement after the Schrems decision, and as the negotiations continue to proceed, there's a variety of new requirements and processes in place for organizations that wanna sign up for the Shield.
And that necessitates that organizations are gonna have to have a significant review period of their own processes, their compliance processes and certifications, as well as the controls that they're putting in place to be certain that individuals can access and challenge data and how it's being used.
So, again, in this context, as the Shield comes into force and companies sign up, there are a variety of redress mechanisms that are offered to EU citizens that are gonna necessitate that a company like CA, which was a signatory to Safe Harbor and intends to sign up to the Privacy Shield to be able to transfer data, is gonna have to have significantly robust identity solutions in place to be able to audit and document where data's been moved and who's had access to it in the event complaints are lodged.
So the reality is, I think, that what we're seeing globally is a sharpened focus on new cybersecurity threats from governments across the globe, and, which I think is a good thing for our industry, a significantly growing interest in identity with a stronger focus on governance and oversight. And the reality is that for us as identity providers and for you as consumers of identities, stronger attention to these identity controls is gonna be foundational to business compliance. So with that, I will stop and look forward to seeing if there are any questions. I appreciate your attention.
Excellent overview. I think, can we see the question? I think there was one question there: are network operators in scope? Yes. Is that true? Yeah.
Yeah, very much so. That's easy. It wasn't an inclusive list; it was just illustrative. Okay.
So, okay. Thanks for your time. Thank you. Appreciate it.