What is hybrid identity? What are potential privacy issues with hybrid identity? What are the GDPR implications of identity privacy? What steps can I take today to improve my privacy position? Oxford Computer Group's Frank Drewes explains ...

1. Hybrid Identity
& Privacy
by Frank Drewes, Senior Architect,
Oxford Computer Group
• What is hybrid identity?
• What are potential privacy issues
with hybrid identity?
• GDPR implications of identity privacy
• Steps to take today to improve your
privacy position
oxfordcomputergroup.com

2. What is hybrid identity?
Hybrid identity refers to a single
identity existing in two places:
1 On-premises Directory
Usually LDAP / Kerberos based
(i.e. Active Directory)
2 Cloud Directory
Federation based (OpenID / SAML /
WS-FED)

3. Other hybrid identity concepts
• Hybrid identity uses some type of
synchronization process
• Mostly on-premises identity origination,
but ... most are moving to bi-directional
• Most products can do partial
synchronization of objects and attributes,
but default to ‘sync most or all objects and
attributes’

4. Why are directories not good
as general user data stores?
Security!
• Default settings allow authenticated users
(and even anonymous users) to view most or
all attributes of all users
• It is possible to apply ACLs to protect some
attributes, but it’s seldom implemented
because of:
• Performance (primarily)
• Lack of planning/awareness
• Most directories are designed such that
‘openness and sharing’ are ‘by design’

5. Consider the impact of GDPR
Things to consider:
• Anyone storing user data about EU citizens
is within regulatory scope
• GDPR establishes strict privacy
requirements governing how you manage
and protect personal data while also
respecting individual choice, no matter
where data is sent, processed, or stored
• GDPR became law in May 2016 – with a
2-year phase-in
• Fines for non-compliance are non-trivial

6. What can I do now? Where should I start?
Governance - Compliance - Risk
• Many large organizations have a Chief Privacy
Officer. Find this person and determine if any
regulatory controls apply to your directory data
Technical
• Start by looking at your ‘source’ directory
• Consider the privacy impact of all the attributes
• Look for ‘hidden data’ – usually stored in an
otherwise unused attributes
• Consider ‘intended use’ of attributes and avoid
having one attribute with multiple uses

7. And then…
Examine your hybrid synchronization tool and make sure you’re only
synchronizing attributes that are required to support the applications
you are signing into
• The default configuration options are specifically tuned for ‘fast
deployment’ – and not security or privacy
• You typically have advanced configuration options that allow you
to choose specific attribute combinations to support specific
scenarios
• Only enable those that are required
• Your cloud account will likely have a subset of your on-
premises attributes
• You may be doing this ‘after the fact’ and need to test prior to
changing in production

8. And also!
• Examine which user attribute ‘claims’
are provided to federated
authentication applications. Not all
apps should have the same attribute
access
• This is especially important for custom
application setups
• Consider ‘anonymous’ federated
identity concepts where appropriate

9. Summary
• Ask what should I be doing
to improve my privacy position?
• Review the user data in your directory
• Plan to eliminate as much privacy-sensitive
information as possible – thinking about
• Short-term changes
• Longer-term changes
• Make your cloud directory
a ‘lighter-weight’ replica of your
on-premises directory
oxfordcomputergroup.com
Need some help or
guidance with any of
these issues?
Contact
Oxford Computer Group
today