How to Minimize Stored Identity Data and Breach Risk
Why do organizations so often behave like pack rats, over-storing identity data again and again even after watching peer after peer suffer a breach that puts employees or customers at risk? A recent post by Peter Ridgway, “Who are you doing business with, and should you care?”, suggests we ask exactly these questions and develop Identity Assurance Frameworks as the basis for analysis and policy, rather than settling for a one-size-fits-all answer.
I particularly liked Ridgway’s recommendation to minimize the sensitive data retained about employees once HR verification processes are complete. To see why this matters…can you say “OPM?” The U.S. Office of Personnel Management (OPM) kept the complete investigative and biometric (fingerprint) data gathered during background checks, including those supporting Personal Identity Verification (PIV) cards, long after the checks were done. Now those Federal employees’ records are who knows where, taxpayers are paying for credit monitoring services, and worse intelligence consequences are expected given the sensitive nature of government work.
Perhaps in future posts, Ridgway will investigate a similar rationale for minimizing stored data on the external persons that organizations deal with or track. Some possibilities:
- Consider using a payment gateway to outsource credit card storage and the related business processes (authorization, refunds, recurring billing). When the gateway returns an opaque token in place of the card number, cardholder data never enters the organization’s own systems, which reduces breach risk and shrinks the scope, and therefore the burden, of PCI DSS assessments.
- Anonymize customer data required for business intelligence / analytics unless there is a specific requirement not to. Removing names is not enough on its own: replace identifiers with keyed pseudonyms whose key is held outside the analytics environment, and generalize attributes such as age and postal code, since the combination of precise quasi-identifiers can single a person out.
- Architect and deploy identity, attribute and entitlement federation or brokering capabilities that leverage third parties, such as verified attribute providers or cloud-based identity service providers, so that the organization relies on assertions from those providers instead of storing personally identifiable information (PII) itself.
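To make the first two recommendations concrete, here is an added example (not from Ridgway’s post or this blog) showing one order record minimized for two different consumers: the operational copy holds a gateway token rather than a card number, and the analytics copy holds only a keyed pseudonym and generalized attributes. The sample order, the function names, and `gateway_tokenize` (a simulated stand-in for a real payment gateway’s tokenization API) are all assumptions so the block runs offline.

```python
"""Added example: minimize what is stored about a customer per consumer of the data.

Constructed sample data and hypothetical function names throughout; the
payment-gateway call is simulated so the block runs offline.
"""
import hashlib
import hmac
import secrets

# Constructed sample order as it arrives from the checkout form (not real data;
# the card number is a well-known test PAN).
RAW_ORDER = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.com",
    "birth_year": 1984,
    "zip": "20170",
    "card_number": "4111111111111111",
    "card_exp": "12/27",
    "amount_usd": 120.00,
}

# Fields that identify a person directly; none of them belongs in an analytics copy.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "card_number", "card_exp")


def gateway_tokenize(card_number: str, card_exp: str) -> dict:
    """Stand-in for a payment gateway's tokenization API (hypothetical).

    The gateway keeps the PAN and expiry inside its own PCI-scoped environment;
    the merchant only ever receives an opaque token plus the last four digits.
    """
    return {"token": "tok_" + secrets.token_hex(12), "last4": card_number[-4:]}


def operational_record(raw: dict) -> dict:
    """What the business keeps for fulfilment and refunds: a token instead of the PAN."""
    card = gateway_tokenize(raw["card_number"], raw["card_exp"])
    return {
        "customer_id": raw["customer_id"],
        "name": raw["name"],
        "email": raw["email"],
        "card_token": card["token"],
        "card_last4": card["last4"],
        "amount_usd": raw["amount_usd"],
    }


def pseudonym(customer_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).

    An unkeyed hash would let anyone holding a list of customer IDs re-identify
    rows simply by hashing them; the key must live outside the analytics environment.
    """
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def analytics_record(raw: dict, key: bytes, current_year: int = 2015) -> dict:
    """Copy handed to BI/analytics: pseudonymous ID and generalized attributes only."""
    age = current_year - raw["birth_year"]
    decade = age // 10 * 10
    return {
        "pid": pseudonym(raw["customer_id"], key),
        "age_band": f"{decade}-{decade + 9}",  # e.g. 31 -> "30-39"
        "zip3": raw["zip"][:3],                 # 3-digit ZIP prefix, not the full ZIP
        "amount_usd": raw["amount_usd"],
    }


def retained_identifiers(record: dict, raw: dict, fields=DIRECT_IDENTIFIERS) -> list:
    """Check: which raw identifier values still appear verbatim in `record`?"""
    present = {str(v) for v in record.values()}
    return [f for f in fields if str(raw[f]) in present]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from a KMS/HSM, not generated here
    print(operational_record(RAW_ORDER))
    print(analytics_record(RAW_ORDER, key))
    print("analytics copy retains:", retained_identifiers(analytics_record(RAW_ORDER, key), RAW_ORDER))
```

The `retained_identifiers` check is the part worth keeping in a real pipeline: run it on every export so a schema change that quietly re-adds an e-mail column fails a test rather than landing in the data warehouse. Note that the pseudonym is reversible by whoever holds the HMAC key, so the analytics copy is pseudonymous rather than truly anonymous; key custody, not the hash, is what keeps it that way.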
Security Architects Partners can help develop identity assurance frameworks and modernize identity architectures. We also hope to publish more blog posts on the recommended approaches listed above to protect customer information while enabling the business.