Privacy by Design is the practice of building data privacy into IT products and services by default. It’s a practice that makes privacy a fundamental requirement of IT along with uptime and other IT basics.
This concept might sound new, but it builds on long-standing IT security practices such as authentication, authorization, and accounting – the well-known AAA of IT security. In this post, I’ll discuss the importance of AAA for data privacy and highlight ways that integration can help enterprises ensure that customer data is always protected and tracked.
Let’s begin with a quick overview of what AAA means.
- Authentication means verifying that a user is really who they say they are. When a user logs in to a system, authentication uses technologies such as LDAP directories or SAML tokens to ensure the user is who they present themselves to be.
- Authorization means allowing that user to perform only the actions that they’re allowed to perform, usually based on their role in the organization. Basing authorization on internal roles is known as role-based access control (RBAC). If Sally Smith has authenticated herself and logged into the CRM system, what privileges does she have once she’s in? Authorization ensures that Sally can only access data and services allowed by her role.
- Accounting means maintaining audit logs of all user activity, enabling IT security teams and other authorized users to monitor user activities. If Sally added three customer records to the CRM system, accessed eight others, and deleted two of them, all that activity should be logged in a secure audit trail for subsequent review.
You can see why AAA matters for data privacy. Authentication ensures that an enterprise knows who is accessing customer data. Authorization ensures that users can only access and manipulate that data if they’re allowed to. Accounting ensures that whatever happens to that data is logged for possible review.
How Integration Supports AAA for Data Privacy
Here’s where integration comes in.
Integration moves data from here to there, reliably and securely. In a modern enterprise architecture, integration might connect a cloud application to microservices running on another vendor’s cloud platform. Or it might connect a legacy ERP application running on-premises to a new cloud service supporting mobile apps. These days, it’s an absolute requirement that an integration platform be able to connect easily to any kind of data source or destination, whether it’s a business application on-premises, a data lake in the cloud, a standard protocol or format such as FTP or JSON, an API, an EDI network, or a data stream.
But to promote data privacy, an integration platform has to do more than support all these types of connections. It has to work with an organization’s capabilities for authentication, authorization, and accounting. Fortunately, modern integration can do just that.
- Authenticating users and processes: Integration platforms can themselves integrate with single sign-on (SSO) services and other authentication services to ensure that any user or process accessing data is fully authenticated.
- Authorizing integrations: Integration platforms can also limit processes based on user identity and RBAC. For example, an integration platform can enable a process to access account data but not personal data in a CRM system.
- Accounting and audit trails: Integration platforms can record all user and process activity in log files. If compliance officers want to see who accessed personal information in a particular data source, the integration platform’s audit trail can provide the answers.
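As an added illustration (not Boomi’s code or any product’s API), the following Python sketch models the three controls described above for an integration platform: a session-token lookup standing in for SSO, per-field RBAC that lets a sync process read account data but not personal data in a CRM, and an audit trail a compliance officer can query for who accessed personal information in a given source. The CRM record, field classifications, tokens and roles are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample metadata: each CRM field is classified "account" or "personal".
FIELD_CLASSES = {"crm": {"account_id": "account", "plan_tier": "account",
                         "email": "personal", "home_address": "personal"}}
CRM_RECORDS = {"crm": {"account_id": "A-1001", "plan_tier": "gold",
                       "email": "sally@example.com", "home_address": "1 Main St"}}
# RBAC: each role lists the data classes it may read.
ROLE_PERMISSIONS = {"billing-sync": {"account"}, "support-agent": {"account", "personal"}}
# Stand-in for an SSO/token service: session token -> (principal, role). Constructed.
SESSIONS = {"tok-proc-42": ("billing-sync-process", "billing-sync"),
            "tok-user-17": ("sally.smith", "support-agent")}

@dataclass(frozen=True)
class AuditEntry:
    when: str
    principal: str
    source: str
    fields: tuple
    outcome: str

AUDIT_LOG: list[AuditEntry] = []  # append-only audit trail

def authenticate(token: str) -> tuple[str, str]:
    """Resolve a session token to (principal, role); unknown tokens fail closed."""
    if token not in SESSIONS:
        raise PermissionError("authentication failed")
    return SESSIONS[token]

def read_fields(token: str, source: str, fields: list[str]) -> dict:
    """Authenticate, authorize each requested field by class, and log the outcome."""
    principal, role = authenticate(token)
    allowed = ROLE_PERMISSIONS[role]
    # An unclassified field is treated as personal so a metadata gap cannot widen access.
    denied = [f for f in fields if FIELD_CLASSES[source].get(f, "personal") not in allowed]
    outcome = "denied" if denied else "allowed"
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                principal, source, tuple(fields), outcome))
    if denied:
        raise PermissionError(f"role {role} may not read {denied} from {source}")
    return {f: CRM_RECORDS[source][f] for f in fields}

def who_accessed_personal_data(source: str) -> list[str]:
    """Compliance query: principals whose allowed reads touched personal-class fields."""
    return sorted({e.principal for e in AUDIT_LOG
                   if e.source == source and e.outcome == "allowed"
                   and any(FIELD_CLASSES[source].get(f, "personal") == "personal"
                           for f in e.fields)})
```

Denied attempts are logged too, so the audit trail shows both what was read and what was refused.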
Additional Benefits of Integration Platforms for Data Privacy
An integration platform can help IT organizations implement a Privacy by Design strategy for their enterprise architecture.
- Discovery: By tracking metadata for data fields such as names, addresses, and credit card numbers, an integration platform makes it easier for an organization to find all its sensitive data. Data privacy begins with ensuring that all such private data is identified.
- Consistency and data governance: An integration platform can work with a master data hub or some other data governance platform to help ensure that personal data being stored and collected is consistent and up-to-date. If customer records are stored in applications and databases with conflicting data fields, a data hub can enforce data quality rules to ensure all applications and databases are working from the same set of golden records.
- Data delivery: Some data privacy regulations require companies to collect a consumer’s personal data records and deliver them to the consumer for review. Integration platforms can automate the data collection and data delivery required for compliance.
- Flexibility: An integration platform should allow integration processes to run wherever security policies require. The same platform should be able to support cloud-to-cloud integrations running in the cloud, as well as on-premises-to-on-premises integrations running behind the firewall. Enterprises shouldn’t have to invest in different integration platforms simply to support both cloud and on-premises data privacy policies.
Integration Is an Essential Part of Data Privacy
Companies collect data because it’s useful. Using data involves moving it from here to there, from storage to analytics or to automated workflows or some other destination as part of business processes. And you can’t move data without integration.
A modern data integration platform ensures that only authenticated users and processes can access data, that access is limited to authorized users and processes, and that all data access and transmission is logged for review and compliance.
As data privacy regulations multiply and public scrutiny of companies’ handling of personal data intensifies, more organizations will recognize the advantage of adopting Privacy by Design. They’ll see that building data privacy into their IT operations is more cost-effective and rewarding than treating privacy as an afterthought.
To build privacy into IT architectures requires integration. To provide the most airtight data privacy controls possible, IT organizations should invest in an integration platform that:
- Works with all applications, data storage technologies, and APIs
- Provides enterprise-grade security features such as encryption, single sign-on support, and processes that run wherever security policies require
- Provides a centralized interface for monitoring and managing data access
Compliance requires Privacy by Design, and effective design requires secure, flexible integration.
To learn more about integration strategies to support data privacy, contact a Boomi integration specialist today.