BreachExchange mailing list archives
Security by design - an essential requirement for privacy
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Jan 2016 19:41:38 -0700
http://www.computing.co.uk/ctg/opinion/2443261/security-by-design-an-essential-requirement-for-privacy People have always valued privacy for their information. From locking systems developed by the Greeks, through the safes designed in the 1800s across Europe and the US to keep valuable goods secure, to today's encryption technologies to protect sensitive data, privacy is necessary for all organisations to function. However, the pace of change around IT has made it more difficult to manage security and privacy concerns. The development of the Privacy by Design (PbD) principles in 2009 was a response to this, but the IT security element of PbD is a big challenge, as the successful data breaches at the likes of TalkTalk, Ashley Madison, Carphone Warehouse and Hilton Hotels during 2015 attest. So why is it so difficult to get "security by design" - and the privacy benefits that would follow - taken up across a business? Pace of change One problem is the pace of change. The growth of cloud services, mobile computing and flexible working means that companies have spread their IT assets much more widely. Today, consumer data can be held on laptops that never see the inside of a company office, and also never get seen by IT teams to ensure that updates are made. This makes it much more difficult to enforce data security and data privacy across all the moving parts involved. Many companies are reliant on individuals "doing the right thing" as far as the business is concerned, but this still leaves the potential for human error. Alongside this, the internal IT network is shrinking as more IT services get moved to the cloud. This can also make it more difficult to enforce some of the principles of PbD, as IT can lose some control over how data is managed and stored over time. If a third-party service provider makes a mistake or changes its approach to handling data without making this clear to the organisation, then data security and hence privacy can be jeopardised. To ensure PbD initiatives are successful, it's important to go back to first principles of security across the whole IT organisation - whether this is made up of internal IT assets, external services or a mix. On the IT side, security by design has to cover collaboration across application development, IT asset management and use of third-party IT providers. There are also the business management and customer experience elements that make up a large part of the CIO role today. In application development, the role of security should be more prominent. While one of the goals of agile development is to deliver software to the business faster, and fix potential problems as they come up, this shouldn't be an excuse for security requirements to be fixed on that same basis. Instead, an ethos of "measure twice, cut once" should be in place. Focus on app security quality first to reduce the amount of re-work involved. This should improve the quality of software developed as well as keeping customer data secure and private. For IT asset management, maintaining visibility of all IT assets needs to be improved. Updates should be applied promptly to reduce the risk of attacks being successful. The challenge here is accurately tracking how updates were applied. The number of patches around operating systems like Windows continues to grow, while the Apple OS X had the highest number of CVE incidents published in 2015. Adobe Flash - one of the prominent routes for attacks - continues to see zero-day attacks patched. When devices are outside the corporate network, keeping track of how patches have been applied becomes more difficult and therefore more imperative for security. Adopting a continuous security policy can help here. By scanning the IT asset estate over time and checking that updates have been applied - whether these devices are inside the corporate network or not - IT teams can be sure that systems are as secure as possible. Alongside this, mobile, PC and tablet devices can have their security status checked to ensure that all the right steps have been taken. In the event of a lost device, data can be wiped to ensure data privacy is maintained. For companies that are making use of cloud services, there are two areas to consider. The first is the responsibility for ensuring that third parties are measuring up to their promises around security and data privacy. This should be outlined in any contract between the organisations, as well as being audited on a regular basis. The second element is how cloud security services can be used to track status of devices and implementation of updates to ensure that the organisation's vulnerability management strategy is enforced. Personalisation and privacy For CIOs, the role of online services in user experience has meant that there are more issues to consider around the deployment of user data. For example, digital initiatives like personalisation rely on user data to recommend the right products or services to customers. However, this is where many new data breaches have been caused. CIOs should therefore look at how to ensure that these new initiatives remain user-centric in their approach to privacy of data, even while new business opportunities are created. By understanding the technology behind data privacy, CIOs can collaborate with other parts of the business to ensure that issues don't develop over time and that data breaches or loss risks are minimised. Looking at these steps together, PbD is a set of best practices that all companies can, and should, implement within their business processes. By building security by design into the IT team, data privacy can be respected. With the EU General Data Protection Regulation (GDPR) finalised and due to be enforced in two years' time, there has never been a better time to start implementing better data privacy and continuous security practices.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.
Current thread:
- Security by design - an essential requirement for privacy Audrey McNeil (Jan 27)