Meet the Experts: Solving for Compliance Needs with IAM

By adopting a modern Identity strategy, organisations can support many critical initiatives—from boosting workforce productivity to streamlining end-user experiences. 

Organisations that collect and store personal information are subject to a broad range of data protection and privacy laws that vary based on where in the world they conduct their business. Organisations differ in their data protection requirements, but many can apply Identity solutions in diverse ways to help them manage compliance. 

However, when regulatory compliance is the end goal, organisations don’t always realise the value that Identity can provide to simplify the process. Fortunately, Okta Identity experts are helping to change this, one case at a time, through education, collaboration, and insight. 

For this article, we asked several of Okta’s Identity architects to unpack data protection regulations and explain the role that Identity and Access Management (IAM) plays in securing sensitive data for their customers.

Praveen Atluri is a principal solution architect; Mike Witts is a regional technical strategist and solution architect for EMEA; and Rocco Martin is a technical strategist. 

Approaching regulation strategically

When customers request the hosting of specific information within a region to meet their data residency requirements, Praveen Atluri often provides organisations with information about Okta’s regional cell options to assess if they meet their needed specifications. In other instances, he has helped a customer integrate a locally-hosted LDAP with Okta, where the company’s configurations stored minimal information with Okta and delegated authentications properly to deliver consistent security and experience.

For organisations that need to retrieve encrypted personal health information in real time for authentication purposes under the Health Insurance Portability and Accountability Act (HIPAA), Atluri has worked with customers who implemented Okta inline hooks, which can be used to minimise the personal data stored across systems. He also notes the value of Okta Workflows: “It allows organisations to efficiently audit users, groups, and policies from time to time and trigger notifications.”

Mike Witts expands on other ways the Okta Identity Cloud has helped organisations execute their compliance objectives: “Strategies include leveraging adaptive MFA to ensure strong, modern authentication methods are used to verify Identity; implementing strong lifecycle management tooling to ensure the User lifecycle status is up-to-date within the downstream applications,” he says.

“Since a common factor with data protection regulations is keeping track of a person’s personal data and assisting individuals’ requests to exercise their privacy rights, any feature that can reduce the number of places that personal data is held is vital,” notes Rocco Martin.

Compliance challenges organisations face

Whether organisations operate within regions or across them, legislative policies restrict the types of data they can collect, what they do with it, and how they store and secure it.

“My customer base is in North America, the European Union (EU), and China,” says Atluri. “We hear about HIPAA and personal data requirements in the United States, the General Data Protection Regulation (GDPR), and customer’s requests for data residency in the EU, and the Great Firewall (GFW) in China.” Most of these regulations keep changing and getting tighter, so mapping them onto business requirements is a moving target.

Witts often helps organisations concerned about the GDPR and the United Kingdom’s Data Protection Act (DPA). “The most common challenges businesses have are often the basics—understanding the requirements and what is considered personal data,” he says.

“Another core issue is data minimisation,” he adds. “Data privacy regulations specifically call out that organisations should only store and process personal data that is necessary for the specific reason for which it was collected.” In the past, organisations were accustomed to collecting as much data as possible to build a complete picture of the customer. Data minimisation represents a major shift in business perspective and operations.

Organisations also struggle to map the correct data to the right individual user and track where the data is stored. “This data is often replicated among systems and not tied to a single source of truth,” says Martin. “It’s often most challenging for companies that have undergone a merger or acquisition.”

The role of Identity in regulatory compliance

According to Witts, a well-designed IAM platform allows organisations to align themselves with data protection regulations in three critical ways:

  • Controlling access to sensitive data and systems: “By requiring individuals to use strong, modern authentication options, we can have high levels of assurance that we are providing access to the right person.” 
  • Ensuring robust compliance reporting: “By actively tracking who has accessed what data and when, organisations can use logging as part of demonstrating compliance with security requirements within data protection regulations.”
  • Implementing data protection by design: “By building systems with IAM in mind from the start, organisations can ensure that data is protected by default.”

Martin agrees. “Identity is critical for keeping track of what systems are involved and what data is being used,” he says, pointing out that a solution like Okta provides a single unique user Identity across all systems while managing access management and permissions.

“For the workforce, Okta can be the source of truth, or it can work in concert with a human resources or Active Directory system to manage access to other systems,” says Martin. 

Putting compliance into practice with the Identity Cloud

There’s no single tool that organisations can simply “turn on” to manage regulatory compliance. It’s a continuous journey—but Identity is a powerful starting point. “Simply implementing a universal directory as a single source of truth for Identity-related data is a great first step on this journey to compliance,” says Witts.

Okta provides solutions that organisations can use to help simplify compliance by:

  • Providing reports on access and usage for auditors
  • Establishing that single source of truth through Universal Directory
  • Simplifying the granting of access to sensitive applications without sacrificing security
  • Helping you implement security measures to mitigate the risk of data breaches 

Because Okta built the platform to be both scalable and flexible, its solutions empower organisations to implement policy-based approaches to authentication across a range of systems and environments. This lets customers deliver their services and delight their users while standing up for data privacy and protection.


These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements