Cyber

Pentesting

GDPR compliance

Threat analysis

Malware analysis

'Human aspect of cybersecurity'

Kaktus provides bespoke and all-round cyber services. From small to global organisations, we aim to understand your project needs to deliver a 'fit for purpose' solution.

Zero Trust


No Access by Default


A "zero trust" network means that, by default, no user or device is trusted on the network. Each user, whether internal or external to the organization, must be verified on the network and can then access only the resources to which they have explicitly been granted access.


To manage zero trust the network must know:


  • Who the user is
  • What the device is and whom it is associated with
  • What that user and device should have access to


Zero trust security means that users have the fewest privileges that they need to fulfill a task, referred to as "least privilege access." In addition, zero trust applies to devices: each device must explicitly be granted access to any resource.


A zero trust environment also segments data to the highest degree possible. This means that each type of data requires separate access privileges. For example, storage areas for human resources data and financial data could each require different permissions. Employees in one group would not be able to access data in the other group.


Multi-factor authentication is also a core tenet of zero trust security. Users must both know something (a password) and have something (a device with a code, for example) to authenticate to the network.
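The default-deny decision described in this section, as an added example (it is not code from the original page or from Kaktus). The user names, device names, data segments and the `decide` function are hypothetical, constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample policy: every name below is hypothetical.
DEVICE_OWNER = {"laptop-17": "alice", "laptop-22": "bob", "laptop-30": "carol"}
USER_GRANTS = {"alice": {"hr-data"}, "bob": {"finance-data"},
               "carol": {"hr-data", "finance-data"}}
DEVICE_GRANTS = {"laptop-17": {"hr-data"}, "laptop-22": {"finance-data"},
                 "laptop-30": {"hr-data"}}


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    resource: str       # data segment, e.g. "hr-data" or "finance-data"
    password_ok: bool   # something the user knows
    code_ok: bool       # something the user has


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Anything that is not an explicit allow is denied."""
    if not (req.password_ok and req.code_ok):
        return False, "mfa-failed"
    # The network must know what the device is and whom it is associated with.
    if DEVICE_OWNER.get(req.device) != req.user:
        return False, "device-not-associated-with-user"
    # Least privilege: the user needs an explicit grant for this segment...
    if req.resource not in USER_GRANTS.get(req.user, set()):
        return False, "user-not-granted"
    # ...and so does the device.
    if req.resource not in DEVICE_GRANTS.get(req.device, set()):
        return False, "device-not-granted"
    return True, "explicit-grant"


def demo() -> list[tuple[bool, str]]:
    requests = [
        Request("alice", "laptop-17", "hr-data", True, True),       # allowed
        Request("alice", "laptop-17", "finance-data", True, True),  # other segment
        Request("alice", "laptop-22", "hr-data", True, True),       # bob's device
        Request("bob", "laptop-22", "finance-data", True, False),   # no second factor
        Request("carol", "laptop-30", "finance-data", True, True),  # device lacks grant
    ]
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Returning the deny reason alongside the decision lets each refusal be logged and reviewed.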



Identity


  1. Identity is one of the biggest pain points for consumers. Many people are excluded from government and financial systems, and therefore are exploited and trafficked more easily, because they lack government-recognised identities.
  2. Existing identity systems cost hundreds of billions of dollars per year in resolving identity theft, resolving fraud, and handling false declines.
  3. Verifying identity is critical to building trust within a business ecosystem.
  4. Digital identity can provide for more inclusiveness for people left out of financial systems.
  5. AI and machine learning can solve some of the impediments to proving identity and seek to erase the need to produce reams of documentation.
  6. In the future, identity will live on devices, and will be easy to share securely.


General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) is the most prominent data governance law today. GDPR, established by the European Union (EU), sets rules for the handling of personal data. The rules' aim is to protect people's privacy by regulating how organizations can use their data.


Although GDPR is the law in the EU, organisations headquartered elsewhere that use the data of people in the EU must abide by GDPR. That rule affects a wide range of businesses from around the world.


Principles of GDPR

Following is a summary of the seven principles of the GDPR that relate to personal data. For the full text of the regulation, see Article 5: Principles relating to processing of personal data on the GDPR.EU website (2018).


1. Lawfulness, Fairness, and Transparency

Personal data must be processed "lawfully, fairly, and in a transparent manner".


2. Purpose Limitation

Personal data is only to be used for "specified, explicit, and legitimate purposes". This means that, for example, you cannot tell your customers you are collecting their information to better understand their market, then sell it to other parties.


3. Data Minimisation

The personal data collected must be adequate, relevant and limited to what is necessary for the explicit purpose. You cannot collect data that is not needed for the use case you have defined.


4. Accuracy

Personal data collected must be "accurate and, where necessary, kept up to date". All reasonable efforts must be made to correct or delete inaccurate data.


5. Storage Limitation

Personal data that can be used to identify an individual must not be stored for longer than is necessary for the stated purpose. Data can be archived when it is in the public interest, as long as any technical and organisational measures that GDPR requires are in place to protect the data subject.


6. Integrity and Confidentiality

Personal data must be managed in a manner that ensures "appropriate security of the personal data" to prevent unauthorised or unlawful use, loss, or destruction of the data.


7. Accountability

The data controller is responsible for complying with these principles.


