By Mike Kiser, Senior Identity Strategist, SailPoint
“You are what you eat.” Many a dinner table has heard these words uttered by a parent encouraging their children to make healthy eating choices. At times, these choices are obvious: an apple or a serving of peas has a greater health benefit than a chocolate dessert. When the nutritional value of a particular food is not as clear, government entities such as the Food Standards Agency step in to ensure that mandatory nutritional information is included on the packaging.
These “nutritional labels” can guide consumers as to the harm and benefit of that particular foodstuff, responding to their desire to make wise choices.
Nutritional Labels for Financial Applications
A similar desire is rising among consumers surrounding their privacy. Privacy is no longer a nice-to-have: platform providers such as Apple have begun labelling the applications sold on their platforms with the equivalent of a nutritional label for privacy, describing how each application uses personal information and the identity of the user. This is a welcome addition and, just like the label on your favourite jar of marmalade, can guide consumers to make wiser choices about their privacy.
Financial institutions, dependent on retaining the trust of their customers, would do well to identify how they use sensitive data. While a nutritional label may be simple for a food and beverage company to produce (as you create your product, jot down everything that you have placed into the cooking vessel), it is rather more challenging for the financial industry.
Asking for the Recipe
There are questions that these organisations will be forced to ask themselves: What sensitive data have we collected on this particular customer? How is access to that data governed in an appropriate way? How can the organisation prove that privacy is being protected appropriately?
What Data Exists
Getting visibility into how the organisation uses identity and identity data is a key element of any coherent security programme, particularly in portions of the business that are less structured. While applications and databases may have systematic approaches to securing this sensitive data, vast troves of it are often lurking in files and other network-based repositories, such as file shares, where nobody has catalogued what is there.
Who Has Access
Knowing what data is available is only the first step, of course. If a product were known to contain a dangerous, or even merely risky, ingredient, the issue would be remedied immediately. The use of sensitive data must be placed under the same scrutiny. Do only the proper people or systems have access to this data? Or is there a dangerous mix of broad access and personal data that must be addressed?
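The two steps above (find the sensitive identity data that is lurking in unstructured files, then check who can read it) can be illustrated with a small discovery script. The following is an added example written for this article, not SailPoint's code or product: it scans a constructed in-memory "file share" (three made-up files and their made-up access control lists) for e-mail addresses, payment card numbers and UK National Insurance numbers, and flags any file where such data is readable by a broad principal such as Everyone. The regular expressions are deliberately simplified, the Luhn check is used to discard strings of digits that merely look like card numbers, and the principal names are assumptions; a real scan would walk the share and read the ACLs from the filesystem instead of a dictionary.

```python
import re

# Constructed sample file share: path -> file contents (all records are made up).
SAMPLE_FILES = {
    "shares/finance/refunds_q3.csv": (
        "customer_email,card_number,refund_gbp\n"
        "a.customer@example.com,4111 1111 1111 1111,42.50\n"
    ),
    "shares/hr/new_starters.txt": (
        "Name: Jane Doe\n"
        "National Insurance: AB123456C\n"
        "Email: j.doe@example.org\n"
    ),
    "shares/it/orders.log": (
        "2024-09-15 order 1234567890123456 dispatched to warehouse 7\n"
    ),
}

# Constructed ACLs: path -> set of principals with read access (assumed names).
SAMPLE_ACLS = {
    "shares/finance/refunds_q3.csv": {"Finance-Analysts", "Everyone"},
    "shares/hr/new_starters.txt": {"HR-Team"},
    "shares/it/orders.log": {"Everyone"},
}

# Principals that amount to "anyone in the company can read this".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Simplified UK National Insurance number: two letters, six digits, suffix A-D.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return a {category: count} map of sensitive items found in the text."""
    found = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = len(emails)
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    if cards:
        found["payment_card"] = len(cards)
    ninos = NINO_RE.findall(text)
    if ninos:
        found["national_insurance"] = len(ninos)
    return found


def assess(files: dict, acls: dict) -> list:
    """Combine 'what data exists' with 'who has access' into a risk rating per file."""
    findings = []
    for path, text in files.items():
        categories = scan_text(text)
        broad = sorted(acls.get(path, set()) & BROAD_PRINCIPALS)
        if categories and broad:
            risk = "high"      # personal data readable by everyone: fix now
        elif categories:
            risk = "medium"    # personal data with scoped access: needs an owner and review
        else:
            risk = "low"       # nothing sensitive found, whoever can read it
        findings.append({"path": path, "categories": categories,
                         "broad_readers": broad, "risk": risk})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_FILES, SAMPLE_ACLS):
        print(f"{f['risk']:6} {f['path']}  {f['categories']}  broad={f['broad_readers']}")
```

Run stand-alone, the script rates the finance export as high risk (a card number and an e-mail address readable by Everyone), the HR file as medium (a National Insurance number, but only the HR team can read it), and the order log as low, because the sixteen-digit order number fails the Luhn check and is not treated as a card number even though the whole company can read the file. The "high" rows are exactly the dangerous mix of access and personal data the text describes.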
Is Privacy Protected?
When all of the sensitive identity data has been identified and proper controls have been established around it, the organisation can actually document and prove that it handles its customers’ privacy properly. Protection of this sort of data is a key element of any coherent identity programme.
The proper treatment of sensitive identity data for customers is not an optional feature, but a core requirement of any solution. With the addition of nutritional labels, consumers concerned about their health will not purchase products that have harmful ingredients. Similarly, the rise of privacy nutrition labelling will equip the public to make wise choices, and they will move to those institutions that transparently protect their privacy by governing identity data well.
Now pardon me while I finish this plate of chips . . . er . . . steamed broccoli.