23 June 2015

Strong authentication in French local communities, a legal obligation


By Thierry Bettini, Ilex International and Hervé Fortin, Aisne department

The implementation of a strong authentication solution in a local community is most of the time considered a technical issue by the IT department, which too often reduces this type of project to the simple replacement of an obsolete login/password. In the context of budget restrictions within local communities, it is therefore difficult for the IT department to make the case for such a project, which is regarded as too costly and as a low priority.

However, beyond its technical dimension, the implementation of a strong authentication solution guarantees security and traceability of access to the Information System. Thus, local communities can comply with the legislation in force and, notably, with the personal data protection obligations defined by the CNIL (Commission nationale de l’informatique et des libertés – National Commission on Information Technology and civil Liberties).

Legal liability of the CIO/CISO


Many local communities validate the French Information Technology and civil Liberties declaration (“Déclaration Informatique et Libertés”) without having a good understanding of its resulting obligations. Indeed, the French law of 6 January 1978 on Information Technology, Data Files and Civil Liberties (which was modified in August 2004) defines the principles to comply with when collecting, processing and storing information about natural persons. The scope of this law is broad and concerns most of the processing or files used by local communities to manage their numerous services: civil status, electoral lists, school enrolment, social action and other services to the population, etc.

"The creation and processing of personal data (identifier number, name, address, telephone number...) are subject to requirements which aim at protecting individual liberties and the private lives of people filed", says Thierry Bettini, Sales Director at Ilex International. The requirements vary according to the nature of the file and the purpose of the information collected: standard or simplified declaration or authorisation request. There are also security, confidentiality and information obligations.

Some data is particularly sensitive depending on the area and is subject to specific authorisations by the CNIL. This is notably the case with information processing in the social area where confidentiality is essential, such as "children at risk" information processing. Only authorised people can access specific information.

With digital transformation, local communities manage more and more personal data, but how many of them actually know exactly who has access to what?

Controls performed by the CNIL show that many local communities do not comply with some basic rules of the Information Technology, Data Files and Civil Liberties law. In most cases, this is the result of unawareness or carelessness, but the infringements are nonetheless real. "Decision makers and local officials must be aware of this because they are directly impacted in case of non-compliance with the law: they can be held legally liable. In some cases, they can even be subject to penal sanctions (a 5-year imprisonment sentence and a €3,000.000 fine)", says Hervé Fortin, CISO and IT and liberties correspondent for the Aisne department.

Strong authentication, a guarantee of compliance with the CNIL regulatory framework


To meet these strengthened regulatory constraints, access control and security must remain the priority of local communities.

"Strengthening authentication mechanisms and access control rules to Information System applications helps prevent breaches/fraud", Thierry Bettini explains. Thus, it is essential to provide several authentication mechanisms, with n factors ("what I know", "what I have", "what I am") according to uses (for example, some agents may use smart cards, others USB keys, etc.) and the criticality level of the applications used. Some packaged solutions are already provided by integrators and software providers and efficiently address these issues.

Once the agent is authenticated, it is possible to control access rights according to various criteria such as the primary authentication level (n factors), timeframe, user profile retrieved in a company directory, etc.

In addition, "authentication, authorisation and delegation operations concerning agents must be traced in order to properly comply with the legislation in force and meet auditing requirements".
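The three points above (primary authentication with n factors, access rules driven by authentication level, timeframe and directory profile, and tracing of authentication, authorisation and delegation) can be shown together in one small access-control decision function with an audit trail. The code below is an added illustration, not code from the article or from Ilex International; the application names, profiles, time windows and agent identifiers are all constructed, and "profile retrieved from the directory" is simply passed in as a string.

```python
"""Added example: authentication level, access rules and audit trace.

Models the article's three points with constructed data:
 - a Session records which factors the agent proved ("know", "have", "are");
 - an AppPolicy per application states the required authentication level
   (derived from the application's criticality), the allowed directory
   profiles and the authorised timeframe;
 - every AUTHN / AUTHZ / DELEG event is written to AUDIT_LOG so that the
   trace required for auditing exists whatever the outcome.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List, Optional, Tuple

FACTORS = {"know", "have", "are"}  # what I know / what I have / what I am


@dataclass(frozen=True)
class Session:
    agent: str
    factors: frozenset            # subset of FACTORS proved at primary authentication
    profile: str                  # user profile retrieved from the directory (assumed)
    delegated_by: Optional[str] = None


@dataclass(frozen=True)
class AppPolicy:
    min_factors: int              # criticality level -> required authentication level
    allowed_profiles: frozenset
    hours: Tuple[time, time]      # authorised timeframe [start, end) in local time


# Constructed policies for two hypothetical applications
POLICIES = {
    "electoral_list":   AppPolicy(1, frozenset({"clerk", "social_worker"}), (time(7, 0), time(20, 0))),
    "children_at_risk": AppPolicy(2, frozenset({"social_worker"}),          (time(8, 0), time(18, 0))),
}

AUDIT_LOG: List[str] = []


def trace(event: str, session: Session, app: str, outcome: str, now: datetime) -> str:
    """Append one audit line; the line is also returned for convenience."""
    line = (f"{now.isoformat()} event={event} agent={session.agent} app={app} "
            f"factors={len(session.factors)} profile={session.profile} "
            f"delegated_by={session.delegated_by or '-'} outcome={outcome}")
    AUDIT_LOG.append(line)
    return line


def authenticate(agent: str, profile: str, proved: Iterable[str], now: datetime) -> Session:
    """Primary authentication: keep only recognised factors and trace the event."""
    factors = frozenset(proved) & FACTORS
    if not factors:
        raise ValueError("at least one authentication factor is required")
    session = Session(agent, factors, profile)
    trace("AUTHN", session, "-", "OK", now)
    return session


def delegate(delegator: Session, delegate_session: Session, now: datetime) -> Session:
    """Delegation: the delegate acts with the delegator's profile but keeps
    its own authentication level, and the delegation itself is traced."""
    delegated = Session(delegate_session.agent, delegate_session.factors,
                        delegator.profile, delegated_by=delegator.agent)
    trace("DELEG", delegated, "-", "OK", now)
    return delegated


def authorise(session: Session, app: str, now: datetime) -> bool:
    """Access decision: authentication level, then profile, then timeframe.
    The decision is traced whether it is an ALLOW or a DENY."""
    policy = POLICIES.get(app)
    if policy is None:
        outcome = "DENY:unknown_app"
    elif len(session.factors) < policy.min_factors:
        outcome = "DENY:auth_level"
    elif session.profile not in policy.allowed_profiles:
        outcome = "DENY:profile"
    elif not (policy.hours[0] <= now.time() < policy.hours[1]):
        outcome = "DENY:timeframe"
    else:
        outcome = "ALLOW"
    trace("AUTHZ", session, app, outcome, now)
    return outcome == "ALLOW"


if __name__ == "__main__":
    now = datetime(2015, 6, 23, 10, 0)
    worker = authenticate("agent_a", "social_worker", ["know", "have"], now)
    authorise(worker, "children_at_risk", now)             # allowed: 2 factors, right profile, in hours
    weak = authenticate("agent_b", "social_worker", ["know"], now)
    authorise(weak, "children_at_risk", now)               # denied: one factor is not enough here
    print("\n".join(AUDIT_LOG))
```

The deny reasons are deliberately specific in the trace (auth_level, profile, timeframe) so that an audit can distinguish an agent using a weaker authentication method from an agent whose profile does not entitle them to the application at all; the delegation line keeps both identities, which is what makes a delegated access attributable afterwards.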

The CIO/CISO of a local community needs to homogenise and strengthen authentication on the applications whose accesses he controls and tracks. Thus, he will not have to fear any legal penalty regarding the confidentiality of the data processed within the community.

"Whatever their size, all local communities are concerned", Hervé Fortin concludes. However, not all of them realise the commitment they make by declaring that they are compliant with legislation, nor the risks they take in case of a CNIL control. Awareness about legal obligations needs to rise as in other sectors (for example, the banking sector) in order to make access management a real priority.