Need GDPR compliance now? Ask us how!
Worried about enterprise security, access control, and GDPR? Relax, the standards bods at European Telecommunications Standards Institute (ETSI) have you covered.
Covered, that is, if you implement its latest encryption standards. ETSI’s Technical Committee on Cybersecurity announced it has released two Attribute-Based Encryption standards designed to help organisations apply access controls to the personal data that European companies have to protect to comply with GDPR.
The aim is to make sure that personal data can only be decrypted if the attributes on a user’s key match the encryption attributes.
ETSI reckons attribute-based encryption makes it easier to protect data with “secure by default” access control – access isn’t bound to user name and password, for example, but rather to pseudonymous or anonymous attributes. Standardisation also makes interoperability easier, the standards body says.
ETSI’s announcement gives HR access as an example: a user could be restricted from accessing employee pay data if they have the attributes of an HR employee, and have been working in the organisation for more than 12 months.
The body said using encryption to enforce access control provides better security than software-based solutions, and a given data set can be protected by one encryption attribute, making it efficient.standards
The specifications in question are ETSI-TS-103-458 and ETSI-TS-103-532.
Its four use cases protect data when access is coming from an untrusted mobile network; WLAN access, in which data protection has to take into account end user credentials presented over different wireless networks; network edge and IoT environments, in which data access could be controlled either in the network or on the device; and cloud environments.
The standard, here (PDF), notes that in the mobile use-case, for example, a user’s IMEI might be exposed when travelling in a foreign country. Attribute-based encryption would, in that case, help protect stored data in the presence of a hostile listener on the network.
By providing user identity protection across its different use-cases, ETSI-TS-103-458 is designed to reduce the risk that a malicious third party could grab user credentials to access personal data in systems like corporate databases.
The other standard, ETSI-TS-103-532 (PDF here), goes into the technical implementation details of attribute-based encryption.
As ETSI’s announcement explained, this “provides a cryptographic layer that supports both variants of ABE- Ciphertext Policy and Key Policy”, with various levels of security assurance to suit the cloud, mobile and IoT use-cases.
ETSI-TS-103-532 includes an extensible cryptographic layer so it can be extended with new crypto schemes in the future, all the way up to the emerging “post-quantum cryptography” world.
Here at Dollar Destruction, we endeavour to bring to you the latest, most important news from around the globe. We scan the web looking for the most valuable content and dish it right up for you! The content of this article was provided by the source referenced. Dollar Destruction does not endorse and is not responsible for or liable for any content, accuracy, quality, advertising, products or other materials on this page. As always, we encourage you to perform your own research!