EUID Sharing
In the context of EUID, sharing is a process for distributing raw EUIDs from one EUID sharing participant to another.
For EUID, a sharing participant is a company that takes part in sharing, either as a sender or a receiver.
Security Requirements for EUID Sharing
All EUID participants have a core responsibility to ensure that the EUID ecosystem is safe. The following are standard security practices for all EUID participants and their sharing recipients. If you are sharing raw EUIDs with recipients the below security requirements are required and must all be met consistently.
The security requirements are as follows:
Authentication
Authenticating involves verifying the identity of an entity using various methods to ensure that they are who they claim to be. Online, this is commonly accomplished through email verification, and in person this would often be accomplished using a government-issued form of identification.
Issuing a username and password, an API key, or other credentials convenient for the purpose of the authentication check allows the issuer of those credentials to identify the entity for subsequent authentication checks.
A multi-layered approach, known as multi-factor authentication (MFA), significantly enhances security by requiring multiple forms of verification, which makes unauthorized access much more challenging. MFA might include two-factor authentication (2FA), where users must provide a second form of identification such as a code sent to their mobile device or generated by an authentication app at the time of transfer.
Security questions, email verification links, or SMS verification codes are also commonly used to strengthen online authentication processes.
Authorization
Authorization online determines what resources a user can access and what actions they can perform after they have been authenticated. This process involves:
- Setting permissions and restrictions based on the user's role or account details.
- Ensuring that users can only access information and functionality relevant to their privileges.
Accounting
Accounting means that there is a record of the transaction, so that activity can be reviewed or audited if necessary. To ensure a comprehensive and attributable transaction log for data transfers between two sharing participants, it's important to record specific fields that capture the details and context of each transaction.
The following table shows the key fields you should consider including in the transaction log.
| Data | Explanation |
|---|---|
| Timestamp | The exact date and time when the data transfer occurred. |
| Data recipient ID | The identifier of the participant who is receiving the data. |
| Transaction ID | A unique identifier for each transaction. This ID can be used to track and reference specific transactions in the log. |
| Data volume | The amount of data transferred, typically measured in terms of lines (number of distinct EUIDs) or file size (for example, megabytes or gigabytes). |
| Transfer method | The method or protocol used for the data transfer, such as HTTPS, SFTP, or an S3 presigned URL. |
| Status of transfer | The outcome of the transfer, such as successful, failed, or partial. |
| Error codes/logs | If the transfer fails or encounters issues, recording error codes or a brief log of the error can assist in diagnosing and resolving the problem. |
| Authorization details | Information about who authorized the transfer, including relevant permissions or approvals. |
| Checksum or hash value | A checksum or hash value to verify the integrity of the data after the transfer. This helps in ensuring that the data was not altered during the transfer. |
Additional logs, such as network logs, application logs, and cloud audit logs, can also help by providing additional information such as source and destination IP addresses or cloud platform account IDs.
Secure Transport
Secure transport helps protect raw EUIDs from being accessible or modifiable by an onlooker during the transition of data from sender to receiver, end to end. Examples of secure transport include:
- HTTPS or TLS
- Message-based encryption