PingDataGovernance Enables Policies on the Body of an API Call
API calls have both a request and a response, and each of them has a body. PingAccess and other resource-server components acting as an API gateway can handle API authorization too, but not down to the body level. On API requests, fine-grained authorization policies at the body level can limit what a user can do within an otherwise authorized API call, for example authorizing a payment that exceeds a set limit or modifying a large number of data entries in one call. On API responses, outbound data is examined against policy and consent records for unauthorized, unintended, sensitive or restricted data, which is then dynamically modified or removed from the response before it is released to the client.
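To make the two enforcement points concrete, here is an added example of a body-level policy decision in Python. It is illustrative code written for this page, not PingDataGovernance's policy language or any Ping product code; the tier limits, field classifications, consent records and the sample response body are all constructed assumptions. The request check denies a payment above the caller's tier limit (or a bulk update with too many items), and the response filter walks the body and releases a field only if it is classified as public, or its consent purpose has been granted by the customer; anything unclassified is dropped by default.

```python
"""Body-level API authorization, as an added illustration (not PingDataGovernance code).

Two enforcement points: a request-body check (payment limit, bulk-update size)
and a response-body filter driven by field classification plus consent records.
"""
from dataclasses import dataclass, field

# Constructed (hypothetical) policy data. A real deployment would pull these
# from a policy store and a consent service rather than module constants.
PAYMENT_LIMIT_BY_TIER = {"standard": 1_000, "premium": 10_000}
BULK_UPDATE_MAX_ITEMS = 50

# Classification of response-body fields by dotted path. None = always released;
# "restricted" = never released through this API; any other value is the consent
# purpose the customer must have granted for the field to be released.
FIELD_PURPOSE = {
    "account_id": None,
    "balance": "balance_sharing",
    "transactions": "transaction_sharing",
    "owner.name": None,
    "owner.email": "marketing",
    "owner.tax_id": "restricted",
}

# Constructed consent records: customer id -> purposes that customer has granted.
CONSENTS = {"cust-123": {"balance_sharing"}}

# Constructed response body an upstream account service might return.
SAMPLE_RESPONSE = {
    "account_id": "acct-9",
    "balance": 2500.75,
    "transactions": [{"id": "t1", "amount": -40.0}],
    "owner": {"name": "A. Customer", "email": "a@example.com", "tax_id": "000-00-0000"},
    "internal_flags": {"fraud_score": 12},  # unclassified: must not leak
}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def authorize_request(subject: dict, body: dict) -> Decision:
    """Apply body-level limits that depend on the caller's attributes (e.g. tier)."""
    reasons = []
    op = body.get("type")
    if op == "payment":
        limit = PAYMENT_LIMIT_BY_TIER.get(subject.get("tier"), 0)  # unknown tier: limit 0
        amount = body.get("amount")
        if not isinstance(amount, (int, float)) or isinstance(amount, bool) or amount <= 0:
            reasons.append("payment amount missing or not a positive number")
        elif amount > limit:
            reasons.append(f"amount {amount} exceeds tier limit {limit}")
    elif op == "bulk_update":
        items = body.get("items")
        if not isinstance(items, list):
            reasons.append("bulk_update requires an items array")
        elif len(items) > BULK_UPDATE_MAX_ITEMS:
            reasons.append(f"{len(items)} items exceeds bulk limit {BULK_UPDATE_MAX_ITEMS}")
    else:
        reasons.append(f"unknown operation type {op!r}")
    return Decision(allowed=not reasons, reasons=reasons)


def _release(path: str, customer_id: str) -> bool:
    """Default-deny: a field with no classification is treated as restricted."""
    purpose = FIELD_PURPOSE.get(path, "restricted")
    if purpose is None:
        return True
    if purpose == "restricted":
        return False
    return purpose in CONSENTS.get(customer_id, set())


def filter_response(customer_id: str, body: dict, prefix: str = "") -> dict:
    """Return a copy of the response body with unreleasable fields removed."""
    out = {}
    for key, value in body.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            nested = filter_response(customer_id, value, path + ".")
            if nested:  # drop objects that became empty after filtering
                out[key] = nested
        elif _release(path, customer_id):
            out[key] = value
    return out


if __name__ == "__main__":
    print(authorize_request({"tier": "standard"}, {"type": "payment", "amount": 5_000}))
    print(filter_response("cust-123", SAMPLE_RESPONSE))
```

The default-deny in `_release` is the part worth copying: a new field added upstream (here `internal_flags.fraud_score`) never reaches the client until someone classifies it, which is the safe failure mode for a response filter.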
How Fine-grained Authorization for Data Helps
Organizations turn to Ping Identity for help with data access controls for very different business initiatives.
Quick Question:
Which business initiative is driving you to look into fine-grained data access today?
A. Enforcing data privacy preferences & customer data consents
B. Complying with customer data protection regulations (e.g., GDPR, CCPA, etc.)
C. Enabling Zero Trust security (attribute-level access controls)
D. Securing customer data accessed by third parties through open business APIs
I suggest you scroll to the business initiative (A, B, C or D) that matters to you. There is some overlap because all of them point to the need for fine-grained access to customer data, but they are mostly separate initiatives, and you may not find all of them relevant.
A. Customer Data Privacy Preferences & Consent Enforcement
Apparently we’re all getting a little suspicious of corporations tracking data about us and using it for who knows what. If it’s data about you, you should have a say in what is collected and how it is used. Even when regulation does not require it, many enterprises are balancing data privacy and personalization by offering user-managed consent as a way to build trust with consumers.
With so much user-related data, including user profiles, transactions and browsing behavior, it’s one thing to provide a simple interface where customers can grant, manage and revoke access to the data being shared or used. It’s another thing entirely to request and enforce those consents at each point where customer data is requested. Data is everywhere and is accessed from many places, so it’s critical to have an enforcement point that can span all of those possibilities.
How PingDataGovernance Helps With Privacy Preferences and Consents
Centralized, fine-grained data authorization policies can enable delegated consent to data access, preference lookups and enforcement of data access decisions based on customers’ wishes, everywhere the data is stored or accessed.
B. Regulatory Compliance with Consumer Data Privacy Legislation
In the wake of consumer data breaches and exposure, many regulatory bodies aren’t leaving consumer data privacy up to corporations anymore. Around the world, a patchwork of data protection regulations imposes complex requirements for consumer data privacy and data rights, including transparency, consents and the ability to opt-in/opt-out of data collection and usage.
There are several types of consumer data protection regulations with similar motivations. For example, the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) focus on consumer data privacy: GDPR treats consent as one of the lawful bases for processing personal data, while CCPA gives consumers rights such as opting out of the sale of their data. The EU’s Revised Payment Services Directive (PSD2) and Australia’s Consumer Data Right (CDR) both require institutions to give authorized third parties secure access to customer data, commonly through open APIs, giving customers the right to share their own data with competitors in the hope of increasing competition in the market. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, are industry-specific federal laws about safeguarding sensitive customer information beyond just personally identifiable information (PII).
In fact, what all these different data privacy regulations, acts and directives have in common is that they are not limited to data in a user profile; they apply to any type of sensitive customer data. Some also have complex rules around the age of the data subject, location, classification of data, contracts between companies, and so on.
How PingDataGovernance Helps With Data Privacy Regulations
Fine-grained authorization policies can enforce compliance with new and changing consumer data protection legislation, which often requires consent. Using the GUI, non-technical users in regulatory compliance functions can build and enforce policies that meet current requirements and adapt them as legislation changes.
C. Zero Trust (i.e., attribute-based/attribute-level access controls)
Many organizations are looking to implement attribute-level access rules on data. Some are adopting Zero Trust, an IT security model. If you are striving to implement the principle of least-privilege access, you may be adopting a Zero Trust mindset without knowing it. Zero Trust is about strict verification of every user and client trying to access a resource, regardless of whether they are on the corporate network or connecting remotely. Rather than trusting a single network perimeter, IT security microsegments the environment into smaller zones so that access can be controlled on an attribute-by-attribute basis.
How PingDataGovernance Helps with Zero Trust for Data
Think of fine-grained authorization policies as “micro perimeters” around customer data attributes. You can set up policies for any requester or client and any type of user data, and even use risk scores and data from sources outside the access token to make real-time authorization decisions, so that only the data that is needed and authorized is released.
D. Delegated Authorization to Customer Data APIs (i.e., Open Banking, Open Business)
Businesses in all industries are creating open APIs for better integration with partners and other third parties. We like to call this trend “Open Business.” Some APIs let customers share their own data with a third-party app or service, or access it through one. This means a lot of sensitive customer data is exposed through APIs, with complex rules about who can see or do what.
The use case that probably comes to mind first is the financial industry, where the term “Open Banking” refers not only to a named regulation in the UK but also to a global movement. Around the world, whether required by regulation or not, financial institutions are choosing to provide customer account APIs. So when a bank receives a request from a data aggregator (e.g., Mint.com) to access a particular customer’s data through the API, it must make sure that the token presented was issued to that banking customer and that the customer consented to this data being shared with that third-party app.
How PingDataGovernance Secures Customer Data in APIs
API security requires fine-grained authorization of API operations and access controls on API data. PingDataGovernance's authorization policies fit into a secure API access workflow to check and enforce complex rules and customer consents, so that sharing of sensitive customer data with third parties through APIs can begin, continue or be revoked as those consents change.
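The aggregator scenario above reduces to a handful of checks at the API's policy enforcement point. The following is an added Python example of those checks, written for this page rather than taken from PingDataGovernance or any Open Banking specification; the client registry, consent record layout, scope names and token claims are assumptions. The function assumes the access token was already validated upstream (signature, issuer, expiry) and applies only the delegation rules: the caller is a registered third party, the token's subject is the customer named in the request path, the token carries the scope for the requested resource, and an unexpired, unrevoked consent from that customer covers that client and resource. Revoking the consent is shown making the next identical call fail.

```python
"""Delegated third-party access with consent checks, as an added illustration
(not PingDataGovernance code; names and record layouts are assumptions)."""
from dataclasses import dataclass, field

# Constructed registry of third-party clients onboarded to the open API.
REGISTERED_CLIENTS = {"aggregator-app"}

# Constructed consent records, one per (customer, client). Times are Unix seconds.
CONSENTS = [
    {
        "id": "c-1",
        "customer": "cust-123",
        "client_id": "aggregator-app",
        "resources": {"accounts", "balances"},
        "expires_at": 1_800_000_000,
        "revoked": False,
    },
]

# OAuth scope a token must carry for each resource type (assumed naming).
REQUIRED_SCOPE = {
    "accounts": "accounts:read",
    "balances": "balances:read",
    "transactions": "transactions:read",
}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def find_active_consent(customer: str, client_id: str, resource: str, now: int):
    """Return the consent record that covers this access, or None."""
    for c in CONSENTS:
        if (
            c["customer"] == customer
            and c["client_id"] == client_id
            and not c["revoked"]
            and c["expires_at"] > now
            and resource in c["resources"]
        ):
            return c
    return None


def authorize_delegated_access(token: dict, path_customer: str, resource: str, now: int) -> Decision:
    """Decide whether the client presenting `token` may read `resource` for `path_customer`.

    `token` is the claim set of an access token already validated upstream
    (signature, issuer, expiry); only the delegation and consent rules live here.
    """
    reasons = []
    client_id = token.get("client_id")
    if client_id not in REGISTERED_CLIENTS:
        reasons.append(f"client {client_id!r} is not a registered third party")
    # Bind the token to the customer named in the URL: an aggregator holding a
    # token for one customer must not be able to read another customer's data.
    if token.get("sub") != path_customer:
        reasons.append("token subject does not match the customer in the request path")
    needed = REQUIRED_SCOPE.get(resource)
    if needed is None:
        reasons.append(f"unknown resource {resource!r}")
    elif needed not in token.get("scope", "").split():
        reasons.append(f"token lacks scope {needed}")
    if find_active_consent(path_customer, client_id, resource, now) is None:
        reasons.append("no active consent for this client and resource")
    return Decision(allowed=not reasons, reasons=reasons)


def revoke_consent(consent_id: str) -> bool:
    """Customer-initiated revocation; later calls by that client are denied."""
    for c in CONSENTS:
        if c["id"] == consent_id:
            c["revoked"] = True
            return True
    return False


if __name__ == "__main__":
    token = {"sub": "cust-123", "client_id": "aggregator-app", "scope": "accounts:read balances:read"}
    print(authorize_delegated_access(token, "cust-123", "balances", 1_700_000_000))
    revoke_consent("c-1")
    print(authorize_delegated_access(token, "cust-123", "balances", 1_700_000_000))
```

Note that the consent lookup is performed per call rather than cached in the token: a scope in the access token proves what the customer granted at issuance, while the consent record is what the customer can withdraw afterwards, so checking both is what lets sharing "continue or be revoked" without waiting for the token to expire.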