Last week, TikTok CEO Shou Chew testified before the United States Congress regarding the security and privacy of TikTok user data. While there’s much to be said about the lack of a federal US privacy law, the security risks of social media applications in general, and a myriad of other lenses through which the testimony can be analyzed, the event highlighted some of the most significant topics in information security and privacy today.
Access Control is one aspect of TikTok’s security program that was included in Congress’ line of questioning. Representative Armstrong (R-ND) referenced TikTok’s user agreement when he asked Mr. Chew which entities have access to the data of US TikTok users. Both Armstrong and Representative Dan Crenshaw (R-TX) inquired whether there are third-party entities that can access user data and whether US data can be accessed by TikTok or ByteDance (TikTok’s parent company) employees in China.
The conversation may sound familiar to those who work in security and privacy for tech companies. Having spent many years as a Sales Engineer for tech startups, I have been in the hot seat getting grilled by prospective customers on my company’s privacy practices and Access Control Policy. I’ve responded to extensive security questionnaires and to interrogations from CISOs and privacy professionals about how many employees have access to user data, where the user data is stored, and how often my company reviewed the access of all employees. I have logged many hours combing through the details of internal policies and privacy notices with prospective customers.
To see a conversation I have lived many times occur on the public stage between the CEO of TikTok and members of US Congress was just a tad bizarre - but it reinforces how critical Identity and Access Management (IAM, of which Access Control is the core discipline) is to the security and privacy of technology platforms and products.
IAM is one of the most basic lines of defense in securing user data. Why is it so impactful? Well, “your security is only as strong as your weakest link”, and many times that weak link is one of your employees.
In recent years, social engineering and phishing attacks on employees have increased. If an employee falls for a phishing scam and unknowingly shares login credentials with a threat actor, that threat actor can then access all data that employee has access to (unless a second factor or device check stops them, which is why credentials alone should never be enough). Alternatively, a not-so-security-minded employee could leave their laptop unlocked in a public space, allowing a threat actor to access their work systems. A disgruntled employee might download company data before they leave the organization. There are many scenarios where customer data can be leaked intentionally or unintentionally by an employee, and in every one of them the damage is bounded by how much that one account could reach.
In order to minimize risk, organizations should implement a strict access control policy that minimizes the amount of data each employee can access. Access should be granted on a “need-to-know” basis under a policy of “least privilege,” which means that the employee should only have access to the user/customer data they absolutely need in order to do their job. For example, an employee on the Marketing Team should not have access to personal information or personal data of end users, though they may have access to aggregated data they can use for marketing purposes. On the other hand, a Customer Support Engineer may have access to personal information because they might need to look into an end user’s account to troubleshoot an issue. (Ideally they’ve signed an Acceptable Use Policy and every privileged lookup of personal data is written to an access log, whether it succeeds or is denied!)
Further, access should be reviewed by your IT Team at a regular cadence - such as quarterly or every six months - and should be updated as employees switch roles within the company.
Lastly, IAM is essential because it allows IT to quickly update the access of an employee (or employees en masse) when there is an incident. One of our first recommendations to companies building their security program is to use an Identity Provider (IdP) so that access can easily be revoked or granted when necessary.
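As an added illustration of the practices above (this is example code written for this post, not TikTok’s or any IdP’s implementation), here is a small deny-by-default role-based access-control model: each role carries only the permissions its job needs, every lookup of personal data is logged whether allowed or denied, a role change replaces the old entitlements rather than adding to them, there is a snapshot function for the periodic access review, and accounts can be disabled en masse during an incident. The role names, permission names, employees and reasons are constructed for the example.

```python
"""Least-privilege access control with an audit trail.

Added example, not from the original post.  Roles, permission names and
employees are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Each role gets exactly the permissions its job needs (assumed names).
ROLE_PERMISSIONS = {
    "marketing":        {"read:aggregate_metrics"},
    "support_engineer": {"read:aggregate_metrics", "read:user_pii"},
    "it_admin":         {"manage:accounts"},
}

# Permissions that touch personal data; every use is written to the audit log.
PRIVILEGED = {"read:user_pii"}


@dataclass
class Employee:
    username: str
    role: str
    active: bool = True


class AccessControl:
    def __init__(self) -> None:
        self.employees: dict[str, Employee] = {}
        self.audit_log: list[dict] = []

    def _log(self, event: str, **fields) -> None:
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(fields)
        self.audit_log.append(entry)

    def add_employee(self, username: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role!r}")
        self.employees[username] = Employee(username, role)

    def is_allowed(self, username: str, permission: str, resource: str = "-") -> bool:
        """Deny by default: an unknown user, a disabled account or a permission
        outside the role all yield False.  Privileged permissions are logged
        whether the request is allowed or denied."""
        emp = self.employees.get(username)
        allowed = bool(emp and emp.active and permission in ROLE_PERMISSIONS[emp.role])
        if permission in PRIVILEGED:
            self._log("access", user=username, permission=permission,
                      resource=resource, allowed=allowed)
        return allowed

    def change_role(self, username: str, new_role: str) -> None:
        """Replace the old role rather than adding to it, so entitlements do not
        accumulate as people move around the company."""
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {new_role!r}")
        old_role = self.employees[username].role
        self.employees[username].role = new_role
        self._log("role_change", user=username, old_role=old_role, new_role=new_role)

    def revoke(self, usernames, reason: str) -> int:
        """Disable many accounts at once (e.g. during an incident).
        Returns how many accounts were active and are now disabled."""
        count = 0
        for name in usernames:
            emp = self.employees.get(name)
            if emp and emp.active:
                emp.active = False
                count += 1
                self._log("revoke", user=name, reason=reason)
        return count

    def access_review(self) -> list:
        """Snapshot for a quarterly review: who is active, in which role, with
        which permissions.  Reviewers compare this against current job duties."""
        return [
            (e.username, e.role, sorted(ROLE_PERMISSIONS[e.role]))
            for e in self.employees.values() if e.active
        ]


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_employee("maria", "marketing")
    ac.add_employee("sam", "support_engineer")
    print("marketing reads PII:", ac.is_allowed("maria", "read:user_pii", "user/42"))
    print("support reads PII:  ", ac.is_allowed("sam", "read:user_pii", "user/42"))
    ac.change_role("sam", "marketing")
    print("after role change:  ", ac.is_allowed("sam", "read:user_pii", "user/42"))
    print("revoked:", ac.revoke(["maria", "sam"], "suspected credential phishing"))
    for entry in ac.audit_log:
        print(entry)
```

The two details worth copying into a real system are the deny-by-default shape of `is_allowed` (an unknown user, a disabled account and an out-of-role permission all fall through to the same False) and the fact that denied privileged lookups are logged too, since a run of denials from one account is often the first sign of a compromised credential.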
While there are many layers to the conversation around the potential ban of TikTok in the US, we consider it a positive that there is a growing international conversation around security and privacy risks and best practices.