Biza.io calls for consistency in CDR security


By Dylan Bushell-Embling
Monday, 16 August, 2021

Australia’s only pure-play Consumer Data Right (CDR) vendor Biza.io has urged the federal government to ensure that any amendments to CDR legislation to increase the number of participants maintain the security and integrity of the scheme.

In its submission to the Treasury’s consultation on proposed Consumer Data Right amendments, the Brisbane-based company said in principle it strongly supports increasing the number of participants in the scheme.

But the company said it will be essential to ensure that “the security of the ecosystem remains such that all consumers and all participants can trust the transmission, storage and usage of consumer data”.

For this reason, all participants in the scheme, including in the new proposed categories of businesses and tiers of accreditation, should be protected by and subject to the equivalent information security rules as those of existing participants, the submission argues.

By way of example, the proposed amendments would allow new participants to join the scheme by being sponsored by an authorised data recipient with unrestricted access. The submission notes that communications between these participants may not use the same technologies required by direct participants in the scheme.

Under the CDR, user validation is conducted using Mutual TLS, but many APIs in non-CDR environments still rely on basic encryption, the submission notes.

“If Strong Authentication is not mandated within the client security model for new CDR participants, then we consider this to be a major flaw,” the submission argues.

“Indeed, one of the original intents of the CDR was to remove the need for screen scraping — the process whereby a Data Recipient requests a consumer’s username and password, then replays it to the Data Holder. In effect, allowing Basic Authentication in downstream participants of the CDR would be a very minor uplift in security from screen scraping.”

The company suggested that as a minimum, new participants be required to make use of MTLS by maintaining and using a certificate created by the ACCC Certificate Authority.
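The contrast the submission draws, between an API that relies on credentials sent inside the request and one where the TLS handshake itself establishes the caller's identity against a designated CA, can be shown in a few dozen lines of Go. The example below is added here; it is not Biza.io's, the ACCC's or any CDR project's code. It builds an in-memory certificate authority as a stand-in for the ACCC Certificate Authority (the names "Example CDR CA (constructed)", "Unrelated CA (constructed)", "data-holder", "sponsored-participant" and "impostor" are all constructed for the example), starts a loopback HTTPS endpoint, and compares Go's default of not requesting a client certificate with `tls.RequireAndVerifyClientCert`. In the weak configuration the channel carries no client identity at all, so every caller looks the same to the handler; with mTLS enforced, only the participant holding a certificate issued by the trusted CA gets through, and both the certificate-less caller and the one holding a certificate from an unrelated CA are refused during the handshake, before any application code runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a one-hour certificate for cn: a self-signed CA when issuer is nil, otherwise a
// leaf signed by issuer. The in-memory CA built this way is a constructed stand-in for the ACCC CA.
func issue(cn string, serial int64, eku x509.ExtKeyUsage, issuer *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails when the system RNG is unavailable
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest serves on loopback
	}
	parent, signer := tmpl, any(key)
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newDataHolder starts a TLS endpoint. With requireMTLS the handshake itself rejects any client
// whose certificate does not chain to ca; without it (tls.NoClientCert, Go's default) the
// channel carries no client identity, which is the position a Basic Authentication API is in.
func newDataHolder(server, ca *tls.Certificate, requireMTLS bool) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: pool}
	if requireMTLS {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		who := "anonymous"
		if len(r.TLS.PeerCertificates) > 0 { // identity comes from the verified certificate
			who = r.TLS.PeerCertificates[0].Subject.CommonName
		}
		io.WriteString(w, "participant="+who)
	}))
	srv.TLS = cfg
	srv.StartTLS()
	return srv
}

// call fetches the endpoint as participant (nil = no client certificate); a refused handshake
// surfaces as an error with an empty reply.
func call(srv *httptest.Server, participant *tls.Certificate) (string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the server certificate
	if participant != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*participant}
	}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runScenario exercises one endpoint with three clients: no certificate, a certificate from the
// trusted CA, and a certificate from an unrelated CA. A reply of "" means the handshake failed.
func runScenario(requireMTLS bool) map[string]string {
	ca := issue("Example CDR CA (constructed)", 1, x509.ExtKeyUsageAny, nil)
	rogueCA := issue("Unrelated CA (constructed)", 1, x509.ExtKeyUsageAny, nil)
	srv := newDataHolder(issue("data-holder", 2, x509.ExtKeyUsageServerAuth, ca), ca, requireMTLS)
	defer srv.Close()
	out := map[string]string{}
	out["anonymous"], _ = call(srv, nil)
	out["accredited"], _ = call(srv, issue("sponsored-participant", 3, x509.ExtKeyUsageClientAuth, ca))
	out["rogue"], _ = call(srv, issue("impostor", 4, x509.ExtKeyUsageClientAuth, rogueCA))
	return out
}
```

Running `runScenario(false)` returns `participant=anonymous` for all three callers: the handler has nothing to distinguish them, and any accountability would have to rest on a credential carried in the request. `runScenario(true)` returns `participant=sponsored-participant` for the accredited caller only; the other two get no reply because the server's TLS layer refuses them, which is the property the submission wants preserved for sponsored participants. The per-participant identity that the handler reads from `r.TLS.PeerCertificates` is exactly what a request-borne password cannot supply, since the password can be replayed by whoever holds it.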

The submission also recommends the development of consistent information security controls for action initiation and data sharing, as well as consistent information security standards across designated sectors.
