Biza.io calls for consistency in CDR security
Australia’s only pure-play Consumer Data Right (CDR) vendor, Biza.io, has urged the federal government to ensure that any amendments to CDR legislation that increase the number of participants also maintain the security and integrity of the scheme.
In its submission to the Treasury’s consultation on proposed Consumer Data Right amendments, the Brisbane-based company said in principle it strongly supports increasing the number of participants in the scheme.
But the company said it will be essential to ensure that “the security of the ecosystem remains such that all consumers and all participants can trust the transmission, storage and usage of consumer data”.
For this reason, the submission argues, all participants in the scheme, including those in the newly proposed categories of business and tiers of accreditation, should be subject to the same information security rules as existing participants.
By way of example, the proposed amendments would allow new participants to join the scheme by being sponsored by an accredited data recipient holding unrestricted accreditation. The submission notes that communications between a sponsor and its sponsored parties may not be required to use the same technologies as communications between direct participants in the scheme.
Under the CDR, participants authenticate to each other using Mutual TLS (MTLS), with each side presenting a certificate during the TLS handshake. Many APIs outside the CDR, the submission notes, still rely on HTTP Basic Authentication, a username and password sent with every request.
“If Strong Authentication is not mandated within the client security model for new CDR participants, then we consider this to be a major flaw,” the submission argues.
“Indeed, one of the original intents of the CDR was to remove the need for screen scraping — the process whereby a Data Recipient requests a consumer’s username and password, then replays it to the Data Holder. In effect, allowing Basic Authentication in downstream participants of the CDR would be a very minor uplift in security from screen scraping.”
The company suggested that, as a minimum, new participants be required to use MTLS with a certificate issued by the ACCC Certificate Authority, so that a sponsored party cannot be reached with anything weaker than the credential direct participants already hold.
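As an added illustration, and not code from the article or from Biza.io’s submission, the Go program below builds a constructed toy PKI that stands in for the ACCC-operated CA and pins an HTTPS server to it. A client presenting a certificate issued by that CA is served; a client offering only HTTP Basic credentials is refused during the TLS handshake, before its Authorization header is ever read; and a client holding a certificate from an unrelated CA is refused as well, which is the difference between "uses MTLS" and "uses MTLS with a certificate from the scheme’s CA". The CA names, hostnames and credentials are invented, and the real CDR certificate profiles are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIssue mints a P-256 certificate for cn, signed by parent (self-signed when parent is
// nil). Constructed toy PKI standing in for the ACCC-operated CDR CA; not the real CA.
func mustIssue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, any(key)
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced one line up; cannot fail to parse
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// call performs one GET. With clientCert nil it sends only an HTTP Basic Authorization header
// (constructed credentials), the weaker client model the submission warns about.
func call(url string, roots *x509.CertPool, clientCert *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	req, _ := http.NewRequest(http.MethodGet, url, nil) // url comes from httptest; always valid
	if clientCert == nil {
		req.SetBasicAuth("consumer@example.com", "hunter2") // never reaches the handler
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err // handshake refused: the server never saw the request
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// run pins a server to one CA and tries three client postures: a certificate from the pinned
// CA, Basic auth with no certificate, and a certificate from an unrelated CA.
func run() (caIssuedStatus int, basicOnlyErr, otherCAErr error) {
	ca := mustIssue("Constructed CDR CA", true, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Identity is the verified certificate subject, not a replayed password.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{*mustIssue("data-holder.example", false, ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // refuse anyone whose cert does not chain to trusted
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	caIssuedStatus, _ = call(srv.URL, trusted, mustIssue("accredited-recipient.example", false, ca))
	_, basicOnlyErr = call(srv.URL, trusted, nil)
	otherCA := mustIssue("Unrelated CA", true, nil)
	_, otherCAErr = call(srv.URL, trusted, mustIssue("sponsored-party.example", false, otherCA))
	return caIssuedStatus, basicOnlyErr, otherCAErr
}

func main() {
	fmt.Println(run()) // status of the pinned-CA client, then the two handshake errors
}
```

Run it with `go run`. The two failing postures surface as TLS errors on the client side, which is the point: the request carrying the Basic header is rejected before any application code runs, whereas a Basic-only API has to accept whoever holds the replayable password, exactly the property screen scraping already had. `ClientCAs` does the pinning; `RequireAndVerifyClientCert` alone would still let a certificate from any CA the server happens to trust through.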
The submission also recommends the development of consistent information security controls for action initiation and data sharing, as well as consistent information security standards across designated sectors.