Privacy and Access Management: Insights from Michael Chertoff

Former DHS Secretary Michael Chertoff Talks About Privacy and Access Management at Gartner’s US Security & Risk Summit

On Tuesday morning at the Gartner Security & Risk Management Summit in National Harbor, Maryland, former DHS Secretary Michael Chertoff sat in conversation with Gartner’s Distinguished VP Analyst Leigh McMullen. Although the bulk of the one-hour guest keynote focused on terrorism, Chertoff did offer some insights around privacy and access management.

McMullen asked if we’re ten years too late for government regulation around consumer data privacy in the United States, acknowledging that some have already built companies around monetizing aggregated third-party data collection.

Chertoff started off by saying that the government today collects far less data than some major companies. He reminded the audience that it’s not just data that you deliberately choose to share online, but also passive data collection (such as devices used and locations where a service is accessed) for which customers don’t currently have any recourse.

Chertoff said today it’s possible in the US for an insurance company, for example, to have a granular view of how well we eat, how well we drive, and how we spend our money. He said the downside is that in the future, people will start to behave differently; they will start to question whether they will be rewarded or punished for certain activity that will be reported back to employers or third parties. And already today some people might be seeing consequences for past decisions.

Chertoff said such a world would make George Orwell’s 1984 surveillance state look more like a kindergarten state by comparison.

Chertoff said the European Union has started to address the problem with its General Data Protection Regulation (GDPR). It gives customers the right to see the data that is collected about them and also requires companies to seek the customer’s permission to sell or otherwise use the data with a third party. He said he expects to see more regulation in general around returning the data to the customer, even after that data has already been collected. He told the audience he expects to see something like GDPR in the United States soon.

When challenged by McMullen about the effects this might have on corporate monetization, Chertoff proposed that companies in the future might continue to offer services for free as long as the customer is offered the alternative choice to pay for the service and not have their data collected or sold.

Chertoff also said he expects to see management of individuals’ data become part of our national security strategy. For example, he speculated, what if other nations are collecting data about U.S. citizens abroad? What if those other nations then try to model our behavior as a means toward disinformation campaigns in the future?

According to Chertoff, user behavior is becoming an essential part of security. We no longer live in a world of fixed perimeters, so how people access services becomes contextual. He cited an example of a payroll company that had been breached. He said that while the network data may or may not have been compromised, clients were still using the service for processing. He said seeing a payroll request that came in every two weeks for roughly the same amount was, without independent verification, considered safe because the behavior was consistent.

That model, Chertoff said, carries over to individuals, and he speculated that the days of Who You Are, What You Know, and What You Have may be numbered as backend systems get more sophisticated. For example, seeing someone make an uncharacteristic service request -- because of a different location or device -- would flag that one transaction, while more routine transactions would go through without much challenge. Without him saying so, this is the continuous or intelligent authentication that is being built into security and access products today, where the default is a frictionless transaction while any anomalies escalate challenges appropriately. This, he said, will require more ML and AI on the backend.
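As an added illustration, not from Chertoff’s talk or from any ForgeRock product, here is a small Python risk-scoring routine for the context-aware decision described above: a request that matches the client’s baseline passes without friction, a new device or location triggers a step-up challenge, and several anomalies together are blocked. The baseline fields, signal weights and thresholds are hypothetical, and the payroll sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Baseline:  # learned from a client's past verified requests (hypothetical shape)
    known_devices: frozenset
    known_countries: frozenset
    typical_amount: float
    typical_interval_days: int
    last_request: datetime

@dataclass
class Request:
    device_id: str
    country: str
    amount: float
    when: datetime

# Hypothetical weights: a new device or location outweighs amount or cadence drift.
WEIGHTS = {"new_device": 2, "new_location": 2, "amount_drift": 1, "cadence_drift": 1}

def risk_signals(baseline, req):
    """Name every way this request departs from the client's baseline."""
    signals = []
    if req.device_id not in baseline.known_devices:
        signals.append("new_device")
    if req.country not in baseline.known_countries:
        signals.append("new_location")
    if abs(req.amount - baseline.typical_amount) > 0.10 * baseline.typical_amount:
        signals.append("amount_drift")
    gap = (req.when - baseline.last_request).days
    if abs(gap - baseline.typical_interval_days) > 2:
        signals.append("cadence_drift")
    return signals

def decide(baseline, req):
    """Frictionless when routine, step-up on one anomaly, block on several. Caveat: a
    request that mirrors the baseline scores 0 even from a compromised account, so the
    baseline itself must be built from independently verified events."""
    score = sum(WEIGHTS[s] for s in risk_signals(baseline, req))
    if score == 0:
        return "allow"      # routine: no extra friction
    if score <= 2:
        return "step_up"    # one anomaly: require a second factor
    return "block"          # several anomalies: refuse and alert

# Constructed sample: a payroll client submitting about the same amount every two weeks.
PAYROLL = Baseline(frozenset({"laptop-a1"}), frozenset({"US"}), 48_000.0, 14, datetime(2024, 6, 3))
ROUTINE = Request("laptop-a1", "US", 48_300.0, datetime(2024, 6, 17))
ODD_DEVICE = Request("phone-z9", "US", 48_300.0, datetime(2024, 6, 17))
ODD_EVERYTHING = Request("phone-z9", "RO", 95_000.0, datetime(2024, 6, 8))
```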

For more information on privacy and access management, please visit us here and here. For more information on ForgeRock, please visit us here.