Security vs. Privacy: Simplified
When it comes to security and privacy, whether for business or personal information, it's always a good idea to maintain both as a best practice.
In fact, there are standards in place, such as NIST, CIS, ISO/IEC, and HITRUST (to name a few), that aim to ensure businesses are implementing infrastructures that support data security and privacy.
Likewise, laws and regulations like GDPR, COPPA, HIPAA, FISMA, GLBA, PCI-DSS, FFIEC, DFAR, SOX, SOC I-II, etc., are in place to provide guidelines and best practices for an organization's security and privacy strategy, and assure they are meeting regulatory and compliance requirements. Non-compliance of these regulations can potentially result in severe fines, data breaches, loss of trust, loss of revenue, or even damage to a company's reputation and brand.
It's no surprise that security and privacy are somewhat of a big deal.
But what's the difference? Aren't security and privacy the same thing?
The difference really depends on how you look at the data and from which vantage point. From an individual's standpoint, data considered "private" is largely determined by that individual's personal experience. As a result, the privacy characteristics for individuals tend to be vague, changeable and very subjective.
For example, Pat may be okay with sharing his impressive weight loss on social media, until, due to some unforeseen circumstance, Pat regains all the weight - plus some. Then someone on his timeline asks, "How much did you say you weigh again???" To which Pat responds, "That is none of your [insert expletive here] business!!!"
In the business world, however, the criteria for "privacy" tends to be less subjective – although oftentimes not clearly – relying on an objective model and a high-level definition to fundamentally outline the privacy criteria (i.e., data that can identify an individual). Therefore, from a business standpoint, it is imperative that a fundamental definition be offered as a means of defining and delineating the differences between security and privacy.
Quite simply, when it comes to data, the difference between security and privacy is this:
Security is the protection of "information." Privacy is the protection of "identity."
Now, when determining what constitutes "information" data versus "identity" data there are some similarities and overlaps that tend to make this a little bit of a gray area. After all, can one derive information from identity data? Yes. And, can one derive identity from information data? Also, yes.
They are essentially two sides of the same coin. However, the difference lies in how you look at or use that coin (i.e., data).
Let's use the analogy of a window to simplify this. No, not the operating system, but quite simply, the structure commonly made of glass and wood that lets you see the outside world from the inside of your home. From behind this window, we protect all things of importance to us, albeit family, valuables, food, pets, memories, etc.
For the sake of this analogy, we compare all of this to "data," which is of utter importance to an organization and in constant need of protection.
You will take measure to secure your windows. You will have locks on the inside, perhaps alarm sensors or cameras mounted to them. They may even be composed of shatter-proof glass or have a protective screen installed. The list goes on.
These are all data security features/controls that are designed to protect information.
But no matter how you secure it, a window is still a clear pane of glass, transparent in nature to let light in and out, and thus presents a degree of vulnerability by way of accessibility.
For example, you might be strolling around one day and look through someone's window, only to find Pat, wrapped in cellophane and sweat balm, doing a rigorous jumping jacks routine to an old Richard Simmons video in an attempt to lose the reacquired weight (pardon the visual, but I'm trying to make a point here).
Therefore, as a means of protecting Pat's privacy, and you from having to witness such an unsightly scene, Pat can install blinds or curtains, or even a reflective covering over his window, and choose when to open or close them based on his privacy preferences.
These coverings are all data security features/controls that are designed to protect identity.
Occasionally, however, one may encounter a feature/control that offers both security and privacy protection for critical data.
Keeping up with our window analogy, a prime example of this type of control would be exterior shutters, that in addition to protecting the window from being broken or accessed from the outside, also prevents or limits one from seeing inside.
So, what would be the point of telling you this? What challenges are we confronted with today?
As a result of the COVID-19 pandemic – the social-distancing requirements, in particular – the proverbial "window" that used to sit securely in the middle of the wall has been forced to expand from floor to ceiling, as well as from edge to edge, to allow greater visibility and access to those who have moved to a remote location. In fact, some windows have had to extend so far that they now reach the clouds (get it, clouds?).
Consequently, the expansion of windows has inherently expanded the threat landscape being there is greater width and depth in the range of visibility.
The thinned out glass makes the window considerably more fragile than before. And more likely than not, because the expansions were presumed to be short-term, the property owners never custom-ordered the new blinds, curtains or shutters to fit and accommodate the growing windows, resulting in gaps and vulnerabilities for unwelcomed guests to view and enter the environment.
That being said…which solutions should a responsible property owner consider? What type of locks, monitors, alerts, alarms, curtains or blinds will assure the security and privacy of an environment? Well, taking it back to organizational data, here are some viable suggestions:
- Zero Trust Architecture. Lock everybody out! Trust no one! Trust IS the vulnerability. Cyber-frisk everyone – your users, networks, applications, and devices – before granting anyone access to anything. Implement segmentation as a means of creating a "protect surface" for your most critical data which would effectively minimize the attack surface; particularly if a mini-perimeter is created around the "protect surface" by the use of hardened controls.
- IAM (Identity Access Management, including the domains of PAM and PIM). Maintain one digital identity per individual. Disable/remove standing privileged accounts. Have admins use accounts with time-bound privileges. Review IAM-PAM reports at least weekly and perform continuous privileged access reviews at least quarterly. Lengthen passwords and/or passphrases. Eliminate/change default accounts and passwords.
- Encryption/Hashing. Protect/hide the sensitive data. Use strong and vetted encryption and hashing algorithms to minimize the exposure of data at rest and in transit. Keep encryption keys and data separate by using HSMs with the appropriate FIPS 140-2 Level 2 or Level 3 certifications.
- Tokenization. If sensitive data cannot be removed from your environment entirely, do so by substituting the data for randomized or anonymous values (i.e., tokens). Unlike encryption, tokenization is irreversible, rendering the values themselves useless to a threat actor provided the secure data vault is adequately protected. Additionally, a proper tokenization installation removes environments from scope for various regulatory assessments (i.e., PCI).
Monitors, Alerts, and Alarms
- SIEM. At a minimum, have a SIEM (Security Information and Event Management) solution in place. SIEMs are a fundamental control that organizations should have for the centralization of their security and log data, allowing them to aggregate and correlate alert data from a variety of security sources. A SIEM tool is ideal for detecting and alerting upon potential and actual threats but does little in the way of actively protecting against them.
- EDR or XDR. Monitor the activity of every interface on your network. As that EDR (Endpoint Detection and Response) solutions are more so designed to provide monitoring, protection, and response services for a particular endpoint, XDR (Extended Detection and Response) solutions extends this capability by integrating security visibility across an organization's entire infrastructure, including endpoints, cloud architectures, and mobile devices. Considering the heterogeneity of large, distributed networks coupled with the adoption of cloud technologies and mobile devices to meet the demands of remote work, an XDR solution can be a befitting and adequate solution to scale along with these changes.
- SOAR. Increase and streamline your even management and response processes. A SOAR (Security Orchestration, Automations, and Response) solution more or less combines the concepts of SIEM and EDR into one system by not only ingesting signals from a variety of technologies – such as firewalls, SIEM, EDR, and gateways – but also by automating workflows and processes in order to provide quick and repeatable responses to incidents and events. Such a feature significantly improves uptime and productivity by reducing time spent managing threat intel.
Curtains and Blinds
- Anonymization over Pseudonymization. Protect the identity of your clients and employees. While pseudonymization is good, it still, however, allows an individual to be identified through indirect or additional information. Anonymization on the other hand replaces the clear data with a value that is both irretrievable and unrelatable to the original data, thus, providing a stronger layer of protection.
Again, these are only some solutions to consider.
Determining the best solution(s) would require a complete and thorough assessment of the environment in order to clearly identify the gaps and vulnerabilities.
Plus, in addition to these technical solutions, there will also be a need to levy hardened administrative controls in the form of policies, standards, guidelines, and procedures in order to provide clear direction on how to properly operate the "window." That's information for another post.
Lastly, the next time your boss catches you aimlessly peering out of the window, just tell her that you're analyzing the technical intricacies of security and privacy in order to devise an effective and scalable solution to best protect the company's most valued assets. Good luck!