GDPR Compliance: IDC blog

It's the Small Things That Can Make a Big Difference

Duncan Brown, IDC Associate Vice President

In the long list of actions to complete on the road to GDPR compliance, password resets typically appear towards the bottom of the schedule. Instead, the focus is typically placed on activities such as data classification and information governance process flows. I understand this emphasis, but companies seeking GDPR compliance should not lose sight of some of the elementary steps in protecting their organisation. Passwords — love them or hate them — underpin the vast majority of organisations’ processes and data, and preventing unauthorised access to personal data is a core principle of GDPR, as stated in article 5 (personal data shall be “processed in the manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing”).

Indeed, much of GDPR is about doing basic security well. GDPR is not at all prescriptive about security processes and technologies, and leaves the mechanics of security for individual companies to decide. The onus is on companies to determine appropriate processes and apply technical measures to support compliance. Importantly, companies must also evidence the fact that they are engaged in good practice. So how do password resets fit into this objective?

One of the main objectives of GDPR is to encourage organisations to prevent personal data breaches. But the 2016 Data Breach Incident Report (DBIR) by Verizon states that 63% of confirmed data breaches involve weak, default or stolen passwords. Passwords are not perfect, and the weaknesses are well documented. However, they persist because they are cheap, familiar and easy to use. In fact, most breaches associated with passwords are a consequence not of an inherent weakness in the passwords themselves, but in password management.

Poor password management processes could have profound consequences if they lead to data breaches. But it’s not necessary even to have a data breach to be non-compliant with GDPR: a poor process, or lack of evidence of a process, is equally non-compliant. Poor password processes typically result from an extreme focus on cost. According to the Service Desk Institute, 35% of service desks have no authentication process at all when resetting passwords. Under GDPR, however, this cost equation must shift, given the high fines and other sanctions levied for non-compliance. Spend a little more to be fined a lot less.

It can be tedious to use a helpdesk to reset a password, and so end users prefer a self-service approach. But user adoption rates of self-service resets are typically lower than 40%, with 20% being typical for most organisations. When self-service approaches fail, a second person is involved, in a so-called assisted password reset process. This introduces an important vulnerability, that of privileged user credential abuse: there is usually no way to prove absolutely that the administrator who performed the reset could not have learned the user’s password.

The FastPass solution to password resets addresses this issue by eliminating the possibility that a second person can know a user’s password, even though they facilitate the reset. The assisted reset process also directs users back to the self-service process, thus reinforcing its usage and increasing adoption. It creates a virtuous circle of self-service password reset.
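One way to build the property described above, as an added example that is neither FastPass code nor the post's own: the helpdesk agent obtains only a short-lived, single-use reset token, the user chooses the new password, and the audit trail records who did what without ever holding the secret. The in-memory `ResetStore` and the function names are assumptions standing in for a directory and an audit log.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


@dataclass
class ResetStore:
    """Constructed in-memory stand-in for the directory and the audit log."""
    users: dict = field(default_factory=dict)   # username -> (salt, password hash)
    tokens: dict = field(default_factory=dict)  # sha256(token) -> (username, expiry)
    audit: list = field(default_factory=list)   # (time, event, actor, subject)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF: the directory never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def helpdesk_issue_token(store: ResetStore, agent: str, username: str, now: int) -> str:
    """Assisted reset, step 1: the agent gets a one-time token, never a password."""
    token = secrets.token_urlsafe(32)
    token_id = hashlib.sha256(token.encode()).hexdigest()  # store only a digest
    store.tokens[token_id] = (username, now + TOKEN_TTL)
    store.audit.append((now, "reset_token_issued", agent, username))
    return token


def user_redeem_token(store: ResetStore, token: str, new_password: str, now: int) -> bool:
    """Assisted reset, step 2: only the user supplies the new password."""
    token_id = hashlib.sha256(token.encode()).hexdigest()
    entry = store.tokens.pop(token_id, None)  # pop makes the token single-use
    if entry is None:
        store.audit.append((now, "reset_token_rejected", None, None))
        return False
    username, expires_at = entry
    if now > expires_at:
        store.audit.append((now, "reset_token_expired", None, username))
        return False
    salt = secrets.token_bytes(16)
    store.users[username] = (salt, hash_password(new_password, salt))
    store.audit.append((now, "password_set_by_user", None, username))
    return True


def verify_password(store: ResetStore, username: str, password: str) -> bool:
    salt, stored = store.users[username]
    return hmac.compare_digest(stored, hash_password(password, salt))
```

The audit list is what an auditor would ask for: it shows the agent initiated a reset and the user completed it, and it contains no password material for either party to reuse.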

In the grand scheme of GDPR, password resets must seem the least of the worries of a compliance officer. But it is an indicator of attention to detail that an auditor or supervisory authority will note. It demonstrates a thoughtful consideration of identity and access control, and helps to evidence the prevention of unauthorised processing of or access to personal data.

