The GLBA (Gramm-Leach-Bliley Act) was passed into law in 1999. It is a statute aimed at financial services organizations. The focus is generally on banks and other organizations that process financial data on behalf of their customers, and a central goal is protecting customer information and ensuring that it is not compromised. With more security breaches occurring every year, GLBA compliance has become more critical than ever. This blog post describes how cloud identity management supports GLBA compliance.
Understanding What GLBA Is
In order to understand how a cloud IAM platform can support compliance with GLBA, we first need to understand the statute. GLBA is broad and touches a number of areas. When it comes to information security, the place to focus is the so-called “Safeguards Rule,” the part of GLBA centered on information security. As with most Federal statutes (HIPAA included), it is broad and nonspecific, unlike an industry standard such as PCI DSS, which prescribes particular controls. IT admins will need to take its guidance and convert it into appropriate actions.
The core of the Safeguards Rule is 16 CFR §314.3. The text is actually quite short:
- Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in §314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
- Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
  - Insure the security and confidentiality of customer information;
  - Protect against any anticipated threats or hazards to the security or integrity of such information; and
  - Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Because the guidance is nonspecific, IT admins are often left wondering what, concretely, they can do to support compliance. The FTC publishes additional guidance on what organizations can do to meet the Safeguards Rule, which helps fill in that gap.
The good news is that despite the broad requirements, IT admins can apply specific areas of technology to their GLBA compliance work. One critical vector for compromising customer information is compromised credentials: a legitimate identity, whether misused by a malicious insider or stolen by an outsider, being used to pilfer critical customer data. Because such access looks like a valid user, it is commonly grouped with the insider threat. External attacks that do not go through a user identity are outside the scope of this article, but clearly within the scope of what IT organizations need to manage to achieve GLBA compliance.
How Cloud Identity Management can Support GLBA Compliance
With respect to preventing the loss of customer information through compromised access, a cloud identity management platform directly supports this initiative. A cloud directory platform helps verify that users are who they say they are by enforcing strong passwords and multi-factor authentication. Because every person has an individual identity, shared accounts become unnecessary, which restores individual accountability for every action. Access to servers and other critical machines can be logged to provide evidence for auditors and data for investigations. As users are on-boarded and off-boarded, tight access controls can be maintained, so that a departing employee's access is revoked promptly and completely. Taken in conjunction with other GLBA activities, implementing a cloud directory service can greatly enhance and simplify the act of compliance, and it also supports good security practice generally.
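To make the controls above concrete, here is an added example (not code from the original post, and not part of any directory product) of how an IT admin might turn them into checks: it audits a directory export for shared accounts, missing MFA, stale accounts and incomplete off-boarding, models off-boarding as one atomic change, and joins server login logs against the directory to find logins no current entitlement explains. The user record layout, the 90-day staleness threshold, the list of generic account names, the `User`/`audit`/`offboard`/`suspicious_logins` names and the sample users and sshd log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed layout of a directory user export (constructed for this example;
# not a real directory product's schema).
@dataclass(frozen=True)
class User:
    username: str
    enabled: bool
    mfa_enrolled: bool
    owner_count: int                 # people who hold the credential; >1 means shared
    employment_status: str           # "active" or "terminated", from the HR feed
    last_login: Optional[datetime]
    ssh_hosts: Tuple[str, ...] = ()  # servers the account is entitled to reach

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=90)                     # assumed policy threshold
GENERIC_NAMES = {"admin", "root", "shared", "service", "ops"}  # assumed shared-account names

def audit_user(u: User, now: datetime = NOW) -> List[str]:
    """Finding codes for one account; an empty list means it passes."""
    findings: List[str] = []
    if u.employment_status == "terminated" and u.enabled:
        findings.append("OFFBOARDING_GAP")      # account outlived the employee
    if u.owner_count > 1 or u.username.lower() in GENERIC_NAMES:
        findings.append("SHARED_ACCOUNT")       # no individual accountability
    if u.enabled and not u.mfa_enrolled:
        findings.append("MFA_MISSING")
    if u.enabled and (u.last_login is None or now - u.last_login > STALE_AFTER):
        findings.append("STALE_ACCOUNT")        # dormant credentials get stolen quietly
    return findings

def audit(users: List[User]) -> Dict[str, List[str]]:
    """Map username -> findings, listing only accounts with at least one finding."""
    return {u.username: f for u in users if (f := audit_user(u))}

def offboard(u: User) -> User:
    """Off-boarding as one atomic change: disable, revoke server entitlements, mark terminated."""
    return replace(u, enabled=False, ssh_hosts=(), employment_status="terminated")

# Constructed sshd log lines in a syslog-like shape (not captured from a real system).
SSH_LOG = """\
2024-01-14T09:12:03Z srv-db01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122
2024-01-14T22:41:17Z srv-db01 sshd[1344]: Accepted password for bob from 10.0.0.9 port 50310
2024-01-15T01:05:44Z srv-app02 sshd[210]: Accepted password for mallory from 203.0.113.7 port 4411
2024-01-15T02:00:00Z srv-app02 sshd[233]: Failed password for admin from 203.0.113.7 port 4412
"""
_ACCEPTED = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")

def suspicious_logins(log: str, users: List[User]) -> List[Tuple[str, str, str]]:
    """Join successful logins against the directory and return (user, host, reason)
    for each login that no current entitlement explains. Failed attempts are ignored."""
    by_name = {u.username: u for u in users}
    hits: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = _ACCEPTED.match(line)
        if not m:
            continue
        _ts, host, name, _src = m.groups()
        u = by_name.get(name)
        if u is None:
            hits.append((name, host, "UNKNOWN_ACCOUNT"))    # local account outside the directory
        elif not u.enabled or u.employment_status == "terminated":
            hits.append((name, host, "TERMINATED_USER"))    # off-boarding did not reach this host
        elif host not in u.ssh_hosts:
            hits.append((name, host, "HOST_NOT_ASSIGNED"))  # login outside granted access
    return hits

# Constructed sample directory: one clean user, one off-boarding gap, one shared
# admin account, one dormant user and one correctly disabled leaver.
SAMPLE_USERS = [
    User("alice", True, True, 1, "active", NOW - timedelta(days=2), ("srv-db01",)),
    User("bob", True, False, 1, "terminated", NOW - timedelta(days=10), ("srv-db01",)),
    User("admin", True, False, 3, "active", NOW - timedelta(days=1), ("srv-db01", "srv-app02")),
    User("carol", True, True, 1, "active", NOW - timedelta(days=120)),
    User("dave", False, False, 1, "terminated", None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(findings)}")
    for hit in suspicious_logins(SSH_LOG, SAMPLE_USERS):
        print("suspicious login:", hit)
```

The audit output is the kind of artifact an auditor asks for under the Safeguards Rule: a repeatable check that ties each finding to a specific control. Note that bob's successful login is flagged even though he is still enabled in the directory, because the HR feed says he has left; running `offboard()` on his record and re-auditing clears the finding, and the log join is what proves the revocation actually reached the servers.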
If you would like to learn more about how cloud identity management supports GLBA compliance, drop us a note. Alternatively, sign up for a free Directory-as-a-Service® account and see how the platform can support your compliance needs. Your first 10 users are free forever.