© 2018 Oxford Computer Group

WHITE PAPER

Drive GDPR compliance with Azure AD B2C for web applications


Contents Page

1. Introduction 03

1.1 What is Microsoft Azure AD B2C? 04

2. B2C and GDPR 06

2.1 B2C ‘as is’ support for GDPR 06

2.2 Microsoft’s B2C GDPR signposting 08

3. Assessment 09

3.1 Bridging the Gap 09

3.2 Microsoft’s commitment to GDPR 10

3.3 Recommendations 10

3.4 Next steps 10

4. Glossary 11


1. Introduction

Every enterprise organisation has adopted web services and web applications at an astonishing rate. But as many companies, most recently Equifax, are finding out, protecting web applications is a serious business. In the case of Equifax, this lack of protection led to a breach with estimated costs of over £400m. Had the General Data Protection Regulation (GDPR) been in effect, this would have led to further financial penalties.

It’s reasonable to suggest that web applications are one of the weakest technological links in the struggle against cybercrime. Web applications are vulnerable to customer account compromise from poor user behaviour or even complete compromise due to technical flaws or weak administrative passwords. Given the mandate of GDPR to protect subjects’ personal data, a web server hosted by a business could present a clear threat of a data breach.

All website services suffer from a severe challenge: authenticating legitimate users (and blocking out fraudulent ones). The issue revolves around the user ID and password combination people use to log in to a website service, whether a banking website, an ecommerce site, or online storage space. Organisations must have precautions in place to ensure any login attempt comes from a genuine user rather than an imposter trying to gain unauthorised access.

Due to the rising threat of account compromises via website services, many website owners need to evaluate solutions that ensure legitimate users are protected. And with the increased obligations of organisations under GDPR, the stakes are even higher. As a website owner, you must do your best to safeguard your customers from fraudulent logins, if you want to avoid a potential data breach and severe penalties under GDPR - and to make sure your customers are safe.

If your organisation manages a public-facing website where users can create accounts for the purposes of accessing your services, there are certain aspects of GDPR which your organisation should be addressing, in particular:

■■ Individuals’ rights such as the right to “be forgotten”

■■ Subject access requests

■■ Consent and children

■■ Data protection

This document is written for GDPR compliance officers, technologists and business managers with an interest in implementing Microsoft AAD B2C (“B2C”) in their organisation, or a public-facing website architecture that does not adequately address these points.

The document describes and assesses Microsoft’s response to GDPR specifically relating to B2C.

It does not constitute legal advice.

According to the GDPR, “personal data means any information relating to an identified or identifiable natural person,” which is called a data subject. As a provider of cloud services and products such as Azure, Microsoft serves as a data processor – an entity that processes data on behalf of its customers. Another party in this relationship is the controller. This is the entity that determines the purposes, conditions, and means for the processing of personal data that is carried out by a processor.

GDPR affects all organisations dealing with EU or UK citizens, and cannot be ignored.


An out-of-the-box B2C “sign-in or sign-up” policy as it appears to users

1.1 What is Microsoft Azure AD B2C?

Azure Active Directory B2C is a comprehensive cloud identity management solution for consumer-facing web and mobile applications. It is a highly available global service that scales to hundreds of millions of consumer identities. Built on an enterprise-grade secure platform, Azure Active Directory B2C keeps your applications, your business, and your consumers protected.

In the past, application developers who wanted to sign in and sign up consumers to their applications would have written their own code. And they would have used on-premises databases or systems to store usernames and passwords. Azure Active Directory B2C offers developers a better way to integrate consumer identity management into their applications with the help of a secure, standards-based platform and a rich set of extensible policies. When you use Azure Active Directory B2C, your consumers can sign up for your applications by using their existing social accounts (Facebook, Google, Amazon, LinkedIn, etc.) or by creating new credentials (email address and password, or username and password).

B2C provides:

■■ A highly secure credentials store monitored by Microsoft to protect against threats

■■ Secure integration with (multiple) web apps for authentication

■■ The ability to authenticate “upstream” to other identity providers (IDPs), e.g. social media IDPs, to combat unnecessary form-filling and password fatigue

■■ The ability to configure user journeys (called “policies” in B2C) including sign-up, sign-in, profile editing and password reset

B2C is also highly extensible, allowing for custom IDPs and calls to attribute validators and attribute providers as part of the user journey. An attribute validator can check that user-provided attributes are correct, while an attribute provider can insert additional attributes into the journey. But as custom components, they can also execute other actions, to fulfil your requirements. Both are web services (REST APIs).


B2C architecture showing extensions bottom left

B2C does the heavy lifting of authenticating users, providing account management tools such as password reset, and protecting user account data.


2. B2C and GDPR

2.1 B2C ‘as is’ support for GDPR

B2C currently addresses some of the key steps of GDPR readiness as follows:

GDPR concept: Awareness
Response: This relates to making sure that the key decision makers in your organisation are aware of the impacts of GDPR. This step falls outside of the scope of B2C.

GDPR concept: Information you hold
Response: This relates to knowing what data your organisation holds, knowing where it comes from and who you’re sharing it with. Some of the activities relating to this step fall outside of the scope of B2C. B2C provides an interface for accessing audit logs¹, but the information gathered is limited in scope.

GDPR concept: Communicating privacy information
Response: This activity is external to B2C’s off-the-shelf features, but can be assisted by B2C custom policies (see “Bridging the Gap”, below).

GDPR concept: Individuals’ rights
Response: Rights with a particular relevance to B2C technology are as follows:

■■ The right of access; the right to rectification. B2C Graph API currently supports user retrieval and modification via API functions². B2C also provides a “profile edit” policy out of the box which allows users to edit any or all of their stored attributes.

■■ The right to erasure. B2C Graph API currently supports a “Delete”³ function. This deletes the user record itself but not logs, instrumentation and analytics.

■■ The right to data portability. This is not yet supported out of the box.

GDPR concept: Subject access requests
Response: It is unlikely that B2C will contain all of the information held by your organisation about an individual, but it will contain part of the full picture. Graph API supports a “Get a User”⁴ function which returns the user’s attributes.

GDPR concept: Lawful basis
Response: This step falls outside of the scope of B2C.

GDPR concept: Consent
Response: There is no out-of-the-box feature relating to this step.

GDPR concept: Children
Response: There is no out-of-the-box feature relating to this step. However, B2C policies can use a date picker to capture the user’s age at sign-up, and make a decision about whether to require parental consent (see “Bridging the Gap”, below).

GDPR concept: Data breaches
Response: In the event of a breach, Microsoft will contact the Azure subscription owner as well as the Security contact⁵ specified. This requires that the Azure AD B2C tenant be linked to an Azure subscription and that the information is up to date.

¹ Audit activity reports in the Azure Active Directory portal - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-audit-logs
² Graph API Reference – Operations on Users - https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#GetAUser
³ Graph API “Delete” function - https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#DeleteUser
⁴ Graph API “Get a User” function - https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#GetAUser
⁵ Providing security contact details - https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details


GDPR concept: Data Protection by Design and Data Protection Impact Assessments
Response: Microsoft processes billions of authentications daily⁶, and takes proactive steps to protect account data, including identifying accounts which may be at risk and blocking authentication on those accounts.

As Microsoft’s whitepaper on Azure and GDPR⁷ states, “All Azure services are developed using the Microsoft Security Development Lifecycle… [Microsoft] uses many service-level security measures to assure the ongoing confidentiality, integrity, and availability of [systems and data]. These [security] measures use a [strategy] that includes protections at the physical, logical, and data layers”.

Microsoft also provides some general documentation around protecting B2C from security threats⁸:

“Azure AD B2C uses detection and mitigation techniques like SYN cookies, and rate and connection limits to protect underlying resources against denial-of-service attacks.

Azure AD B2C also has mitigation techniques in place for password attacks. Mitigation includes brute-force password attacks and dictionary password attacks. Passwords that are set by users are required to be reasonably complex. By using various signals, Azure AD B2C analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets. Azure AD B2C provides a sophisticated strategy to lock accounts based on the passwords entered, in the likelihood of an attack.”

GDPR concept: Data Protection Officers
Response: This step falls outside of the scope of B2C.

GDPR concept: International
Response: This step falls outside of the scope of B2C.

⁶ “[The Azure Active Directory] service handles billions of authentications each day” - https://azure.microsoft.com/en-gb/services/active-directory/
⁷ How Microsoft Azure Can Help Organizations Become Compliant with the EU GDPR - https://gallery.technet.microsoft.com/How-Azure-Can-Help-788a4979
⁸ Azure Active Directory B2C: Threat management - https://docs.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-reference-threat-management


2.2 Microsoft’s B2C GDPR signposting

In the past Microsoft has shown commitment to upholding - and helping customers to uphold - European law:

■■ Investment in regard to regulations relating to transferring data across borders⁹

■■ GDPR resources under “Microsoft Trust Center”¹⁰


■■ Microsoft Azure GDPR white paper¹¹

■■ In April 2017¹² Microsoft made European data centres available to host B2C directories

■■ GDPR conference sessions¹³

■■ Stating in promotional material that “Microsoft is committed to GDPR compliance”¹⁴

■■ Upcoming Microsoft whitepaper on GDPR¹⁵

It is clear from these activities that Microsoft is fully committed to supporting GDPR with B2C, and the flurry of activity¹⁶ relating to feature enhancements in B2C suggests that Microsoft has the resources to make the necessary changes.

⁹ Investment in meeting requirements of the European model clauses relating to transferring data across international boundaries - https://www.microsoft.com/en-us/trustcenter/Compliance/EU-Model-Clauses
¹⁰ Microsoft Trust Center - https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
¹¹ How Microsoft Azure Can Help Organizations Become Compliant with the EU GDPR - https://gallery.technet.microsoft.com/How-Azure-Can-Help-788a4979
¹² Announcing General Availability of Europe-based Azure AD B2C directories - https://azure.microsoft.com/en-in/blog/azuread-b2c-ga-eu/
¹³ Microsoft Partner Identity (B2C/B2B) Conference, 11-12 September 2017
¹⁴ Sales PowerPoint, “Features & Customer Value”, released to partners for public consumption (latest version: 7 Dec 2017)
¹⁵ Upcoming GDPR/B2C whitepaper, signposted to Microsoft Partners 13 October 2017
¹⁶ B2C Service Updates - https://azure.microsoft.com/en-gb/updates/?product=active-directory-b2c


3. Assessment

3.1 Bridging the Gap

The gap between the currently published B2C functionality and being fully GDPR compliant exists in two parts:

■■ B2C features not currently present, but which we reasonably expect Microsoft to fulfil before May 2018

■■ GDPR requirements which need to be met outside of the B2C off-the-shelf features, for example by customising B2C policies

GDPR concept: Information you hold
Response: This relates to organisations that might want to store their own audit data or metadata about information that finds its way into the Azure AD B2C directory.

For example, when a user signs up to B2C (and stores, at a minimum, their credentials) you may wish to sync other known information from your CRM system into the B2C directory. If you do this, you should either continually sync from your CRM system, or store in B2C the source (i.e. the CRM system) and the date the information was last valid.

You will also need to build up your own picture of the information you hold across systems.

GDPR concept: Communicating privacy information
Response: Some guidance relating to privacy notices can be found on the ICO website¹⁷.

By using B2C advanced policies, you can include information for your users about the treatment of their data as part of sign-up and/or sign-in policies. You can make sure that when this information changes, users who have not acknowledged the new privacy notice are taken through the route of acknowledging the new notice¹⁸.

GDPR concept: Individuals’ rights
Response:

■■ The right of access; the right to rectification. As discussed above, B2C Graph API supports user retrieval and modification, and B2C provides a “profile edit” policy. With custom code, additional access and data modification can be programmed.

■■ The right to erasure. As discussed above, B2C Graph API supports a “Delete”¹⁹ function. Special provision needs to be made for related records which also need to be deleted, such as directory data, logs, instrumentation and analytics, but Microsoft’s activity around GDPR suggests that this will be addressed.

■■ The right to data portability. This is not yet supported out of the box. Microsoft’s activity around GDPR suggests that this will be addressed.

¹⁷ Privacy notices, transparency and control - https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
¹⁸ This functionality has been implemented by OCG using the Identity Experience Framework - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
¹⁹ Graph API “Delete” function - https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#DeleteUser


²⁰ This functionality has been implemented by OCG using the Identity Experience Framework - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
²¹ “Mobile first, cloud first” - http://uk.businessinsider.com/microsoft-ceo-satya-nadella-intelligent-cloud-build-2017-2017-5; Alex Simons’ blog - https://cloudblogs.microsoft.com/enterprisemobility/author/alex-simons/
²² https://oxfordcomputergroup.co.uk/solutions/cyber-security-information-governance/

3.2 Microsoft’s commitment to GDPR

Microsoft is no longer a desktop software business. Time and again, from the most senior levels in the business²¹, Microsoft has emphasised their investment in cloud, and in cloud identity²².

Microsoft’s investment specifically into B2C and GDPR could have come earlier. But as discussed above, Microsoft appears fully committed to aligning the two, and our assessment is that the use of B2C as an authentication platform and a credentials store will not prevent an organisation from fulfilling any aspect of GDPR compliance.

3.3 Recommendations

Microsoft Azure Active Directory B2C is a platform with a long heritage, and enjoying heavy investment from Microsoft. As an identity platform it shares many features with other identity platforms, but what makes it stand out is certainly the ongoing investment and feature roadmap.

For any organisation with a currently non-compliant identity platform, we would recommend B2C as a platform, based on Microsoft’s very obvious commitment to GDPR.

GDPR concept: Subject access requests
Response: Microsoft’s activity around GDPR suggests that the need to export additional data other than simply a user’s attributes will be addressed.

Your organisation is responsible for exporting any data associated with that user that exists outside of Azure AD B2C. This includes all data associated with that individual that exists in applications, CRM systems, backups, etc.

Your organisation must supply a means to deliver this data to the individual. You may decide to expose this through your website, or your support team may have a means to share large files with consumers.

GDPR concept: Consent
Response: Using B2C advanced policies, you can include information for your users about the treatment of their data as part of sign-up and/or sign-in policies. You can make sure that when this information changes, users who have not given their consent are taken through the route of acknowledging the new notice²⁰.

GDPR concept: Children
Response: As above, you can make use of B2C advanced policies to gain parental consent for children to use features on your website.

In addition, Microsoft’s activity around GDPR suggests that the need to block minors will be supported.
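The “Consent” and “Children” entries above, like the REST API extensibility described in section 1.1, leave the actual decision logic to a web service that a custom policy calls during sign-up. The following is an added example, not code from this paper or from OCG, of that decision logic for a validation REST API in Python; the claim names (dateOfBirth, parentalConsentGiven, privacyNoticeVersionAccepted), the age threshold and the notice version are assumptions to be mapped to your own policy, while the 200/409 response shape is the one B2C expects from a validation technical profile.

```python
"""
Constructed example: decision logic for a REST API that an Azure AD B2C custom
policy (Identity Experience Framework) calls as a validation technical profile
during sign-up. It decides whether a child needs parental consent and whether
the user has acknowledged the current privacy notice.
"""
import json
from datetime import date
from typing import Any, Dict, Tuple

# Assumptions, not taken from the paper: the age of digital consent your
# organisation applies (GDPR Article 8 default is 16; member states may set
# 13 to 16) and the version of the privacy notice currently in force.
AGE_OF_DIGITAL_CONSENT = 16
CURRENT_PRIVACY_NOTICE_VERSION = "2018-05"

Response = Tuple[int, Dict[str, Any]]


def _conflict(message: str) -> Response:
    # B2C contract: HTTP 409 with this body blocks the step and shows userMessage.
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}


def age_on(birth_iso: str, today_iso: str) -> int:
    """Whole years between two ISO dates (29 Feb birthdays count from 1 Mar in non-leap years)."""
    birth, today = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1  # this year's birthday has not happened yet
    return years


def validate_signup(claims: Dict[str, Any], today_iso: str) -> Response:
    """Decide the sign-up outcome from the claims B2C posts (claim names assumed)."""
    try:
        age = age_on(str(claims.get("dateOfBirth") or ""), today_iso)
    except ValueError:
        return _conflict("Please enter your date of birth as YYYY-MM-DD.")
    if age < 0:
        return _conflict("Date of birth cannot be in the future.")
    requires_consent = age < AGE_OF_DIGITAL_CONSENT
    if requires_consent and claims.get("parentalConsentGiven") is not True:
        return _conflict("A parent or guardian must give consent before this account can be created.")
    notice_current = claims.get("privacyNoticeVersionAccepted") == CURRENT_PRIVACY_NOTICE_VERSION
    # HTTP 200: these output claims are merged into the user journey, where the
    # policy can branch, e.g. route the user to a privacy-notice acknowledgement step.
    return 200, {
        "requiresParentalConsent": requires_consent,
        "privacyNoticeCurrent": notice_current,
        "privacyNoticeVersionRequired": CURRENT_PRIVACY_NOTICE_VERSION,
    }


def handle_request(body: str, today_iso: str) -> Response:
    """Parse the JSON body B2C posts (input claims are top-level keys) and validate it."""
    try:
        claims = json.loads(body)
    except ValueError:
        return _conflict("Malformed request.")
    if not isinstance(claims, dict):
        return _conflict("Malformed request.")
    return validate_signup(claims, today_iso)


if __name__ == "__main__":
    # Constructed sample request in the shape a validation technical profile posts.
    sample = json.dumps({"email": "child@example.invalid", "dateOfBirth": "2010-06-01",
                         "privacyNoticeVersionAccepted": "2017-01"})
    print(handle_request(sample, "2018-05-25"))
```

The date of the request is passed in explicitly so the age boundary can be tested deterministically; in a deployed service it would be the current UTC date.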

3.4 Next steps

GDPR presents many challenges for businesses who want to offer customers a seamless experience, whilst effectively securing their data.

Take your CIAM Assessment and find out if you’ve got an appropriate customer authentication solution in place. It takes just a couple of minutes – and you’ll receive a tailored report with actions and recommendations for improvement.


Oxford Computer Group
6th Floor, Seacourt Tower
West Way, Oxford
Oxfordshire
OX2 0JJ

T 0800 044 5009
F 0800 044 5003
E [email protected]

@OCGUKOfficial

About Oxford Computer Group (OCG)

Oxford Computer Group helps businesses facing identity management, cloud transformation and enterprise mobility challenges to stay in control. With employees, partners and consumers active anytime, anywhere and on any device, we ensure it’s not just anyone who has access to your corporate data.

Technology and the way people work are changing fast. Although cloud computing and a mobile workforce offer substantial productivity and cost saving benefits; they also bring complexity and security concerns.

Oxford Computer Group works closely with its customers to deliver solutions that better manage relationships, simplify IT and mitigate risks posed by significant technical and organisational change.

Our ability to achieve real business value for our customers has been recognised by Microsoft. We have been awarded either Winner or Finalist status for the last 10 years in either the Identity and Access or Enterprise Mobility categories. As Microsoft’s Alex Simons says, “There is no other partner in the world we work more closely with than OCG.”

Microsoft provides the market-leading technologies; we provide the vision and innovation to ensure our customers harness the opportunities new technology brings.

4. Glossary

AAD: Azure Active Directory, a cloud directory from Microsoft

GA: General Availability (Product Release)

Graph API: Graph API (the API or Application Programming Interface for “Microsoft Graph” – Microsoft’s identity database) is the mechanism by which the B2C directory can be accessed or amended programmatically.

Identity Experience Framework: A fully configurable, policy-driven, cloud-based Azure platform that orchestrates trust between entities in standard protocol formats such as OpenID Connect, OAuth, SAML, WS-Fed, and some non-standard ones (e.g. REST API-based system-to-system claims exchanges). The Framework creates user-friendly experiences (sign-in/sign-up related journeys) that support HTML, CSS, and JavaScript.

Policy (in B2C): An XML file containing instructions for orchestrating a user journey in B2C (part of the Identity Experience Framework).
