BreachExchange mailing list archives

Security by design - an essential requirement for privacy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Jan 2016 19:41:38 -0700

http://www.computing.co.uk/ctg/opinion/2443261/security-by-design-an-essential-requirement-for-privacy

People have always valued privacy for their information. From locking
systems developed by the Greeks, through the safes designed in the 1800s
across Europe and the US to keep valuable goods secure, to today's
encryption technologies to protect sensitive data, privacy is necessary for
all organisations to function.

However, the pace of change around IT has made it more difficult to manage
security and privacy concerns. The development of the Privacy by Design
(PbD) principles in 2009 was a response to this, but the IT security
element of PbD is a big challenge, as the successful data breaches at the
likes of TalkTalk, Ashley Madison, Carphone Warehouse and Hilton Hotels
during 2015 attest. So why is it so difficult to get "security by design" -
and the privacy benefits that would follow - taken up across a business?

Pace of change

One problem is the pace of change. The growth of cloud services, mobile
computing and flexible working means that companies have spread their IT
assets much more widely.

Today, consumer data can be held on laptops that never see the inside of a
company office, and also never get seen by IT teams to ensure that updates
are made. This makes it much more difficult to enforce data security and
data privacy across all the moving parts involved. Many companies are
reliant on individuals "doing the right thing" as far as the business is
concerned, but this still leaves the potential for human error.

Alongside this, the internal IT network is shrinking as more IT services
get moved to the cloud. This can also make it more difficult to enforce
some of the principles of PbD, as IT can lose some control over how data is
managed and stored over time. If a third-party service provider makes a
mistake or changes its approach to handling data without making this clear
to the organisation, then data security and hence privacy can be
jeopardised.

To ensure PbD initiatives are successful, it's important to go back to
first principles of security across the whole IT organisation - whether
this is made up of internal IT assets, external services or a mix. On the
IT side, security by design has to cover collaboration across application
development, IT asset management and use of third-party IT providers. There
are also the business management and customer experience elements that make
up a large part of the CIO role today.

In application development, the role of security should be more prominent.
While one of the goals of agile development is to deliver software to the
business faster, and fix potential problems as they come up, this shouldn't
be an excuse for security requirements to be fixed on that same basis.
Instead, an ethos of "measure twice, cut once" should be in place. Focus on
app security quality first to reduce the amount of re-work involved. This
should improve the quality of software developed as well as keeping
customer data secure and private.

For IT asset management, maintaining visibility of all IT assets needs to
be improved. Updates should be applied promptly to reduce the risk of
attacks being successful. The challenge here is accurately tracking how
updates were applied. The number of patches around operating systems like
Windows continues to grow, while Apple's OS X had the highest number of
CVE incidents published in 2015. Adobe Flash - one of the prominent routes
for attacks - continues to see zero-day attacks patched. When devices are
outside the corporate network, keeping track of how patches have been
applied becomes more difficult and therefore more imperative for security.

Adopting a continuous security policy can help here. By scanning the IT
asset estate over time and checking that updates have been applied -
whether these devices are inside the corporate network or not - IT teams
can be sure that systems are as secure as possible. Alongside this, mobile,
PC and tablet devices can have their security status checked to ensure that
all the right steps have been taken. In the event of a lost device, data
can be wiped to ensure data privacy is maintained.

For companies that are making use of cloud services, there are two areas to
consider. The first is the responsibility for ensuring that third parties
are measuring up to their promises around security and data privacy. This
should be outlined in any contract between the organisations, as well as
being audited on a regular basis. The second element is how cloud security
services can be used to track the status of devices and the implementation of
updates to ensure that the organisation's vulnerability management strategy
is enforced.

Personalisation and privacy

For CIOs, the role of online services in user experience has meant that
there are more issues to consider around the deployment of user data. For
example, digital initiatives like personalisation rely on user data to
recommend the right products or services to customers. However, this is
where many new data breaches have been caused. CIOs should therefore look
at how to ensure that these new initiatives remain user-centric in their
approach to privacy of data, even while new business opportunities are
created. By understanding the technology behind data privacy, CIOs can
collaborate with other parts of the business to ensure that issues don't
develop over time and that data breaches or loss risks are minimised.

Looking at these steps together, PbD is a set of best practices that all
companies can, and should, implement within their business processes. By
building security by design into the IT team, data privacy can be
respected. With the EU General Data Protection Regulation (GDPR) finalised
and due to be enforced in two years' time, there has never been a better
time to start implementing better data privacy and continuous security
practices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
