a good thing!
APIs are everywhere, and they allow you to open your enterprise systems to internal apps and partners. But regulated and sensitive data such as healthcare records, IoT device data and banking transactions is also being exposed through those same APIs. Setting up data governance policies is a major challenge for organizations, especially granular policies that specify exactly who is authorized to do what with each API. Beyond static roles, you may also need dynamic authorization that decides at request time based on context such as the client's privileges, the customer's consent and the sensitivity of what is being accessed.
Consumer Data Regulations
Organizations need a way to centrally build and enforce policies to meet privacy requirements, without having to rely on engineers and app teams. Dynamic authorization delivers fine-grained access control to customer data based on consent. It can obfuscate an email address or an entire customer profile, show only the last four digits of a credit card number or anything in-between, making it easy to comply with regulations, including:
The EU’s General Data Protection Regulation (GDPR) requires a legal basis, such as consent, for processing and sharing the personal data of individuals in the EU (it applies to data subjects in the EU regardless of citizenship). Stronger rules on data protection mean people have more control over their personal data, and businesses benefit from a level playing field.
The California Consumer Privacy Act (CCPA) gives consumers important new data privacy rights to take back control of their personal information. They have the right to know what information corporations are collecting about them, they can tell a business not to share or sell their data, and they’re protected against companies that are careless about data privacy.
Australia’s Consumer Data Right (CDR) is a competition and consumer reform that’s requiring several industries (banking, energy and telecommunications) to give consumers access to their own data through APIs. Consumers can require a company (e.g., their bank) to share their data with another service provider (e.g., a comparison site) in order to get more tailored, competitive services.
The Revised Payment Services Directive (PSD2) in the EU requires banks to provide open APIs so customers can securely access their own accounts through third parties. The directive seeks to open up payment markets to new entrants offering consumer-oriented services based on access to account information, leading to more competition, greater choice and better prices for consumers.
The Health Insurance Portability and Accountability Act (HIPAA) in the U.S. safeguards patient medical information. Recognizing that advances in electronic health technology could lead to an erosion of privacy of health information, the U.S. Department of Health and Human Services mandated the adoption of privacy, security, enforcement and breach notification rules.
Businesses generate and collect valuable data about customers. Companies have recognized the value of this data beyond just user profile data in a directory. Business stakeholders who collect and own customer data must be responsible stewards, but they’re not all experts in regulatory compliance, data security or IT. Providing a user-friendly interface on top of fine-grained access controls can empower these stakeholders to get involved in data protection initiatives and author and test data access control policies in collaboration with other stakeholders.
Open APIs are changing the face of banking, allowing customers to securely access their own account data and make direct payments through third-party apps. Beyond banking, companies in every industry are looking to open APIs to enable new digital business models. Dynamic authorization complements existing API gateways: it provides fine-grained authorization for individual API calls, inspects the content of API requests and responses, checks user preferences and other attributes, and ultimately allows, denies or sanitizes the data the API returns.
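The behaviour described above and in the consent section (mask an email address, show only the last four digits of a card number, allow or deny based on who is calling and what the customer consented to) can be sketched as a small policy decision point plus an enforcement step that sanitizes the API response. The following is an added example written for this page, not code from the page's author or any product it describes; the roles, consent flags, customer profile and masking rules are all constructed assumptions for illustration.

```python
"""
Added example (not from the original page): a minimal dynamic authorization
layer of the kind the text describes, sitting between an API gateway and the
client. It evaluates the caller's attributes and the customer's consent record
at request time, then either denies the call or returns a sanitized copy of the
API response. Roles, consent flags and the sample profile are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
import copy

# Constructed sample backend response (unmasked customer profile).
SAMPLE_PROFILE = {
    "customer_id": "c-1001",
    "email": "alice@example.com",
    "card_number": "4111111111111111",
    "address": "1 Example Street",
}

# Constructed consent record keyed by customer id. In a real deployment this
# would be fetched from a consent-management store when the decision is made.
CONSENT = {
    "c-1001": {"share_with_partners": False, "show_full_profile_to_support": False},
}


@dataclass
class Decision:
    effect: str                              # "allow" or "deny"
    mask: set = field(default_factory=set)   # fields to obfuscate before release
    reason: str = ""


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def mask_card(pan: str) -> str:
    """Show only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


MASKERS = {"email": mask_email, "card_number": mask_card}


def decide(subject: dict, customer_id: str) -> Decision:
    """Policy decision point: combine caller attributes with live consent.

    Hypothetical rules for illustration:
      1. Partners get data only if the customer consented to sharing; even then
         the card number is masked.
      2. Support agents always see the card masked, and the email masked unless
         the customer opted in to showing support the full profile.
      3. Auditors (assumed to be a separately controlled role) see everything.
      4. Anything else is denied (default deny).
    """
    consent = CONSENT.get(customer_id, {})
    role = subject.get("role")
    if role == "partner":
        if consent.get("share_with_partners"):
            return Decision("allow", mask={"card_number"}, reason="partner with consent")
        return Decision("deny", reason="customer has not consented to partner sharing")
    if role == "support":
        masked = {"card_number"}
        if not consent.get("show_full_profile_to_support"):
            masked.add("email")
        return Decision("allow", mask=masked, reason="support role, consent-scoped")
    if role == "auditor":
        return Decision("allow", reason="auditor")
    return Decision("deny", reason="no matching rule")


def enforce(subject: dict, response: dict) -> Optional[dict]:
    """Policy enforcement point: return a sanitized copy, or None when denied.

    The backend response is never mutated; masking is applied to a deep copy so
    the unmasked record cannot leak through a shared reference.
    """
    decision = decide(subject, response["customer_id"])
    if decision.effect != "allow":
        return None
    out = copy.deepcopy(response)
    for name in decision.mask:
        if name in out and name in MASKERS:
            out[name] = MASKERS[name](out[name])
    return out


if __name__ == "__main__":
    for role in ("partner", "support", "auditor", "anonymous"):
        print(role, "->", enforce({"role": role}, SAMPLE_PROFILE))
```

The point of separating `decide` from `enforce` is the one the text makes: the rules can be authored and tested by data owners against a consent store without touching the API code, while the enforcement step stays a fixed, auditable transformation (deny, or apply the returned mask set) that defaults to deny when no rule matches.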