Keeping Your Data Safe: Identity, Security and The GDPR

Announcer:  Ladies and gentlemen, please welcome to the stage, Okta's associate general counsel, Tim McIntyre. 

Tim:  Thank you all very much for coming out to see us speak today and for taking time out of your busy schedules this afternoon. Just a bit about myself at the outset, I'm Tim McIntyre, Okta's associate general counsel, and I oversee our commercial legal team and our product and privacy counseling functions as well. I also manage the Okta GDPR readiness team, and we're a cross-functional group of stakeholders that is working to ensure that Okta is fully in compliance with the GDPR by next year, and we're committed to helping our customers be in full compliance at that time too. Safe harbor statement, I'll spare you the details on that one. The gist of that is simply that because we're going to be talking about feature functionality today, it's important that you make any purchasing decisions based upon features and functionality that is presently available in the product and service today. 

Before we unpack the GDPR and look at its details, let's anchor on some key definitional points. What is the GDPR? You've probably heard about it, you've heard it mentioned earlier today in some of the discussions, and at its core, it is a regulation that applies to personal data of EU individuals. What does personal data mean? Personal data is any data that can be tied back to an individual. Name. What could be more personally associated than one's name? Your email address, for instance, constitutes personal data. An employee ID number that you may have could be personal data, and in addition to obviously personal data, data that can be triangulated back to form a nexus within an individual can also constitute personal data. If you've got three pieces of data, geolocation data, behavioral data, things of that sort, and you can tie it back to an individual, that could be covered by the GDPR. The EU has always been at the forefront of data privacy protection. It's got a long history of thorough and detailed regulations in this area, and the GDPR is really the next generation of that long lineage of legislative history in the EU.

At Okta, we really believe in and support the GDPR. I know for a lot of folks it has created a fair amount of work, but it really aligns with our core principles of trust and transparency, and we believe that Okta is well-positioned to help our customers meet their own GDPR requirements. Now, the GDPR is already in effect today. It's on the books. It went into effect in 2016, but we're in the middle of a two year grace period during which companies that are impacted by it can meet compliance. May 25th of 2018 is the enforcement date, and at that point regulators will have the ability, if they wish, to audit companies and assess penalties. Let's anchor on two key terms. I think it sort of informs the discussion that we'll have today about this. In the Okta customer relationship, there are two parties. You've got a controller and a processor. As an Okta customer, you would be a data controller. A data controller exercises control over the processing of personal data. The data controller decides what data to collect in the first place. Name, other information. Which items of personal data to collect, which individuals to collect the data about. 

For example, if you have a hundred subscriptions to Okta, the data controller will decide where to allocate those subscriptions, and the users that receive the subscriptions will have their personal data under the data controller's control. You would also control whether to make changes to that data. Perhaps somebody gets married and their name changes, or their email address changes. If you're making modifications to that data, you are a controller of that data. Okta's role is a little bit different. We are a data processor in the eyes of the EU. We act at the direction of the data controller. We would decide what IT systems or other methods to use to collect personal data, how to store that personal data, which data centers will be used, security measures around the personal data, the protocols and policies that are in place to ensure that your customer data and personal data is protected, and finally, the means used to retrieve data about certain individuals and delete or dispose of that data. That would be under Okta's control. We're the data processor. Customers are the data controllers. The GDPR applies to both types of entities. Each group has its own slightly different set of compliance requirements, but the takeaway is that we are in this together, so we are committed to helping our customers comply as we comply with our portions of the GDPR too.

Let's think for a moment how companies are preparing for the GDPR. There was a 2016 survey by Egress Software, which is a UK based firm, and according to their analysis, 87% of CIOs are significantly concerned with their current security policies, and they believed at that time at least in 2016 that their security policies were not robust enough, and at the point where it would allow those companies to be in compliance with the GDPR, which is a pretty high number. According to that same survey, 73.5% of those CEOs would be tightening up their data sharing practices, in other words, which third parties would they allow to have access to their personal data, the personal data of their employees, of their customers, of their partners. That's a very high number in my eyes, 73.5%, and then there was a Price Waterhouse Cooper survey last year of American companies that are doing business in the EU who are therefore impacted by the GDPR. 77% of those respondents said that companies, or excuse me, that their companies plan to spend at least one million dollars or more on GDPR compliance efforts. Those are some data points. I also want to mention one of our partners that's here today, Sky High, has some fantastic data and information. They're out on the plaza. They have a table, and I encourage you to talk to them about some of the data that they have compiled in this area too. It's really interesting. 

Let's anchor again at the outset here on, A, those definitions, and B, the key core tenets of the GDPR itself. It's an 88 page regulation, but if you distill it down to its core essence, there are really four areas that you need to think about. The first, and this is I think the most important takeaway of any thorough discussion about the GDPR, is that you need to know where your person data that's within your control is going. Which applications have access to it, so you need to map out your data flows. Anyone who's looking to get into compliance needs to map those out, and almost in a visual way, look at where the data's going. Is it being put into Salesforce? Is it being put into an enterprise Google G-mail system. Is it going into WorkDay? What are they doing when they get access to that data? Where are they storing it? How are they using it? How are they processing it on your behalf? If you have the ability and the insight to understand where the data is going, you've done probably more than half your work right there, so consider solutions and consider practices and protocols for your own organization that give you that visibility. It's critical. 

At Okta, one of the core beliefs that we have, and this is hard-coded into every customer subscription agreement we have with our customers, customers own their customer data, so if you dust off, if you're a company, your subscription agreement, there will be language in there that says that customer data is defined broadly. It's any information that you enter into the Okta service, and you own that data. It's your data. We don't own it, and you can extract it, you can examine it, you do not give us any IP rights in that data, and that is critical, and it's important under the GDPR because it allows you to give data to other parties that yo may need to share it with. 

Another interesting aspect and very different aspect to the GDPR as compared to the way the laws work today is that the GDPR addresses and introduces a new concept. It's the concept of pseudonymous data, and the GDPR expressly excludes anonymized data, so any data that doesn't relate to a person, that's anonymized, is not covered at all. Personal data of course is. Pseudonymous data doesn't directly disclose a data subject's identity, but may identify the data subject when associated with additional info. Now the GDPR, it still regulates pseudonymous data, but it does so in a very different way. There's a lower standard for pseudonymous data, and the underlying public policy is that companies should do whatever they can to make sure that personal data, if it were to somehow escape out into the world in an unauthorized way, is going to be less likely to be tied back to an individual. 

The next one is the right to erasure, and this is known, or it was known previously as the right to be forgotten, and it's been polished up a bit and renamed. Under the right to erasure concept, individuals could request that their personal data be deleted, and the individual, and I'm painting with a bit of a broad brush here, but essentially they can reach out and for almost any reason say that they want their data to be pulled out of your systems. You have to think about that. If in June of next year somebody emails your organization and says, "What data do you have on me? I want it to be deleted." You're going to have to understand what data you have and be able to identify it quickly, and then you've got to be able to wipe it from your systems. 

The next pillar of the GDPR is the right of subject access and data portability, so data subjects can ask controllers for copies of the personal data that's being processed by them, and that data needs to be provided, and it needs to be provided back in a structured format, so you need to be using systems that allow you to extract that data in a readily understood fashion so that it can be provided back to the data subject. So controllers must know where personal data's flowing, where is it being transmitted, and which applications have copies of it. 

You may be wondering what does this really mean for my organization? What's the risk? How do I quantify this? It sounds maybe a little bit scary, maybe a little bit onerous. At the end of the day, the fact of the matter is that the GDPR has real teeth from an enforcement perspective. Regulators can assess fines of up to 20,000,000 euros or 4% of a company's annual revenue, whichever is higher. To sum up before I turn the spotlight over to my colleague, Chris, who's going to talk about Okta and the GDPR, there are three critical takeaways to keep in mind. The first would be to map your company's personal data flows, understand which applications are accessing the personal data that you have under your control. Second would be to ensure your ability to handle right to erasure requests, and finally ensure your company's ability to handle requests for data and data portability. With that said, I'm going to ask my colleague, Chris, to come and talk to you about Okta and the GDPR in more detail. Thank you very much. 

Chris:  Thank you very much, Tim. All right. So my name is Chris Niggle. I'm the director of security and compliance at Okta, so a big part of my job is risk management, and when I look at the GDPR, I see this is a risk problem. Now, I already understand what the threat is, so the threat is up to 4% of our company's annual revenue, and I can't make a big change to that, but what I can do is I can change the likelihood. I'm going to look at this using a risk management approach by looking at the concepts of identification, reducing those risks, controls for the risks that I can reduce, and then reviewing and testing that. 

The first step is identification and knowing our scope. Now, with previous privacy regulations such as Safe Harbor or Privacy Shield, it really kind of focused on personally identifiable information of our customers, so as a risk person, I've got that pretty well figured out. Information like name, address, phone, a customer ID, and maybe an IP address are about all that we may capture about our customers, but the GDPR also looks at HR data, so data about our employees, and that is a lot more broad. There we may capture information like a national tax ID number, birth date, hire data, gender, other sensitive types of information, so I need to get an idea of what data I'm capturing about my employee's identities, and then where that data is going. 

Okta provides us with capabilities to do this through both our lifecycle management and our reporting. Now, like Charles, I actually came to Okta originally as a customer, and one of the biggest challenges that I had with getting my business units to accept Okta was that idea that if we centered identity with our IT department, then all of our users would have to go to help desk when they wanted access to applications like Salesforce or other systems that may be owned by our other business customers. With Okta's identity life cycle, you actually have the capability of handing that ownership back to the business customers through the application approval workflow. Now, when an employee needs access to a system, you can actually request that access directly from the business customer, and they don't have to go through help desk and the waiting that that entails. The application approval form doesn't expose PII, so as we go back to that scoping, we want to ensure that we're limiting how much PII is being shared across our enterprise, but still giving the business customers the ability to own their applications. 

The second part is reporting, so we also have identity information spread out across multiple applications. You need to know how that's being used and if those applications are, in fact, being used. How frequently and by whom. Okta gives you that capability. You can see who's using what apps, how frequently, and if those applications are actually adding value in your organization. The second piece is reduction, so I want to reduce the amount of exposure that I have to the GDPR. Now, a recent research study that was released by our partner, Sky High, shows that the average employee uses 36 cloud services every day, and the average enterprise has over 1,400 cloud services in use. Now, many of you are in IT. Think about how many applications you know about in your organization, and is that number close to 1,400. Now, under GDPR, if these applications have personally identifiable information loaded into them, and you receive an erasure request, you may be responsible for all of those apps whether you know about them or not. 

Okta gives you the ability to consolidate your identities. Through the application provisioning workflow, which you saw Kyle talk about a little bit earlier today, you can center your identities inside of Okta or inside of your HR system, and then task them through provisioning using Okta. Now, we've talked a lot about HR systems and Workday, HR systems, success factors, Salesforce, other tools that we're all really familiar with, but just looking at some of the applications used at Okta, my PII is not only in Workday, in Okta, it's also in a third party org chart tool, and our business card printing application, so I need to ensure that I know all of these different and frankly kind of weird places that my PII's in so I can report that to any regulator or user request as well as delete that when requested. 

As Tim mentioned, all of this is already in effect. We need to pay attention to the GDPR now. We still have about a year to get ready for it, so now we're implementing controls. I've got an idea of the scope. I have an idea of how I can reduce where my personally identifiable information is, but I need to put controls around those other places that I can't change. Okta provides adaptive multi-factor authentication, which you'll see a little bit later today that gives us the ability to put multi-factor controls in the places where it's most needed. Now, again, as an administrator, if I deployed MFA into our WebX and sharing tools, right, my sales guys would've killed me, but we really need to have MFA on top of Salesforce and on top of Workday and on top of places where we have sensitive information, and Okta gives us the capability to do that. We also have really strong APIs built into the Okta product, so if you have a request to pull the identify information for one of your users, you can do that using the APIs in that industry standard format. This can be done as easily as with the click of one button. 

The final piece is testing. I have my controls in place. I need to test that those controls are actually being enforced, and I need my IT and security teams to have the visibility into our identity system to accomplish that. Now, the problem with visibility is in a lot of cases, we get too much of it. A Cloud Security Alliance study showed that almost 32% of administrators ignored alerts because they're just exhausted. They get too many false positives, and a little over 40% of those same IT administrators, and a little over 40% of those same IT administrators thought that they were getting alerts that were unactionable because they just didn't have enough information. Now again with the GDPR, this could be a significant problem because GDPR has a breach notification requirement. You get 72 hours after identifying a breach to notify those affected. If your notification gets lost because of its, it gets lost among a list of other false positives, then you're never going to be able to reach that 72 hour requirement. Okta gives you detailed reporting not only within our tool but also real time data feeds into your sim, so you can consolidate your identity and access information along with the information of your other cloud apps. 

This significantly reduces the amount of false positives, and it significantly increases your autonomy to identify and react to any sort of security issue that you may see across your environment. You don't need to wait for a request to get through the security team or the support team of a cloud vendor. You have all of your information right at your fingertips ready for you to go. 

As we kind of put all of this together, your first step, as Tim mentioned, is to map your company's personal data flows. Doing this through Okta's universal directory, and doing this through that integration and that consolidation of identity through all of your apps. You need to be able to ensure you can accommodate any right to erasure or request for data and data portability. Again, using universal directory, using life cycle management to ensure that only the folks who have, who need access to identity and personal data have access to that information, and you have easy access to those APIs and reporting so you can not only meet the right to erasure but you can also meet the request for data that you may receive. Finally, you need to provide your IT and security with actionable information, so that's through the use of APIs, through detailed reporting and integrations with the tools that your IT and security teams already have and use every day. By providing all of these capabilities through tools like our integrated life cycle management, local device management, and SSO, Okta can be your partner in this security and in GDPR. 

Thank you very much. Tim and I will both be available during the networking sessions at the end of the day to answer any additional questions that you may have.