Biza.io calls for consistency in CDR security


By Dylan Bushell-Embling
Monday, 16 August, 2021

Australia’s only pure-play Consumer Data Right (CDR) vendor, Biza.io, has urged the federal government to ensure that any amendments to CDR legislation that increase the number of participants maintain the security and integrity of the scheme.

In its submission to the Treasury’s consultation on proposed Consumer Data Right amendments, the Brisbane-based company said in principle it strongly supports increasing the number of participants in the scheme.

But the company said it will be essential to ensure that “the security of the ecosystem remains such that all consumers and all participants can trust the transmission, storage and usage of consumer data”.

For this reason, all participants in the scheme, including in the new proposed categories of businesses and tiers of accreditation, should be protected by and subject to the equivalent information security rules as those of existing participants, the submission argues.

By way of example, the proposed amendments would allow new participants to join the scheme by being sponsored by an authorised data recipient with unrestricted access. The submission notes that communications between these participants may not use the same technologies required by direct participants in the scheme.

Under the CDR, participants authenticate to one another using mutual TLS (MTLS), in which the client presents its own certificate as well as verifying the server’s, but many APIs in non-CDR environments still rely on basic authentication, a username and password sent with each request, the submission notes.

“If Strong Authentication is not mandated within the client security model for new CDR participants, then we consider this to be a major flaw,” the submission argues.

“Indeed, one of the original intents of the CDR was to remove the need for screen scraping — the process whereby a Data Recipient requests a consumer’s username and password, then replays it to the Data Holder. In effect, allowing Basic Authentication in downstream participants of the CDR would be a very minor uplift in security from screen scraping.”

The company suggested that, as a minimum, new participants be required to use MTLS, maintaining and presenting a certificate issued by the ACCC Certificate Authority.
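The control the submission asks for, shown as an added example that is not part of the article or of Biza.io’s submission: a Go program that mints a throwaway scheme CA (standing in for the ACCC CA), starts a loopback TLS endpoint configured to require a client certificate chaining to that CA, and then connects three ways: with a certificate issued by the scheme CA, with no client certificate at all, and with a certificate from an unrelated CA. Only the first completes; the other two fail at the handshake, which is the difference between a replayable credential and one bound to a key the holder controls. All names, the loopback address and the greeting text are assumptions made for the example.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// cred is a certificate plus what a party needs to present and trust it. The CA
// minted here stands in for the scheme CA (the ACCC CA in the CDR); every name here is an assumption.
type cred struct {
	cert *x509.Certificate
	pair tls.Certificate // presented to the peer during the handshake
	pool *x509.CertPool  // trust anchor used to verify the other side
}

// mint builds a throwaway certificate for name: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. It panics on failure since it only builds demo fixtures.
func mint(name string, parent *cred) *cred {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo server sits on loopback
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	} else {
		signer, signerKey = parent.cert, parent.pair.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &cred{cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool}
}

// handshake starts a loopback listener that only accepts clients whose certificate chains to
// trustedCA, dials it once as client (nil models a participant with no scheme-issued cert) and returns the greeting.
func handshake(server, trustedCA, client *cred) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server.pair},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the MTLS requirement
		ClientCAs:    trustedCA.pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			// The server-side handshake fails here when the client certificate is missing or untrusted.
			if tc := conn.(*tls.Conn); tc.Handshake() == nil {
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	cfg := &tls.Config{RootCAs: trustedCA.pool}
	if client != nil {
		cfg.Certificates = []tls.Certificate{client.pair}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the server's verdict on the client certificate only surfaces on the first read.
	return bufio.NewReader(conn).ReadString('\n')
}

func main() {
	schemeCA, otherCA := mint("Example Scheme CA", nil), mint("Unrelated CA", nil)
	holder := mint("data-holder", schemeCA)
	clients := map[string]*cred{"scheme CA cert": mint("participant", schemeCA), "no client cert": nil, "other CA cert": mint("participant", otherCA)}
	for label, c := range clients {
		msg, err := handshake(holder, schemeCA, c)
		fmt.Printf("%-15s msg=%q err=%v\n", label, msg, err)
	}
}
```

Run it with `go run`. Extended key usages, revocation checking and the application-layer client authentication a real scheme layers on top are left out; the point shown is that with `RequireAndVerifyClientCert` the transport itself refuses a party that cannot prove possession of a CA-issued certificate, whereas a Basic Authentication header is accepted by any endpoint that can terminate TLS and can be replayed by whoever has captured it.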

The submission also recommends the development of consistent information security controls for action initiation and data sharing, as well as consistent information security standards across designated sectors.

Image credit: ©stock.adobe.com/au/maciek905
