Guest Blog // Selected Security Content Provided By Intel
5/23/2014
03:50 PM
Tom Quillin
Why Is Privacy Important to Security Practitioners & Professionals?

David Hoffman, director of Intel's security policy and global privacy office, shares his ideas on how organizations can achieve data security, along with privacy protections that enhance business potential.

Too often we think of privacy and security as divergent forces -- pulling our focus in different directions. IT professionals know that privacy is one of the biggest issues surrounding the security of data, but they worry whether they are really doing enough to protect personal information and data belonging to users, customers and employees.

Today I will be interviewing a colleague of mine, David Hoffman, Director of Intel's Security Policy and Global Privacy Office. We will discuss how organizations can achieve robust data security, along with privacy protections that enhance business potential.

Quillin: Why is privacy important to security practitioners, security professionals?

Hoffman: People often see information security and privacy as very separate concerns, though there are large areas of interdependency between them, and there is a need for them to work together and reinforce each other. You can no longer just concern yourself with how you safeguard data using appropriate security measures without considering and respecting the needs of privacy of the individuals with whom that data is related.

Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organizations that are able to successfully align and connect these concepts in their practical implementation stand a better chance in establishing trust. Trust is what customers are looking for; it's a business enabler.

Quillin: OK, if it's important that privacy and security work together, how can we implement that relationship in practice?

Hoffman: One of the ways we do this at Intel is to use a framework called Privacy by Design, a foundational component used in the development of new products, services, and IT programs. Fundamentally, this means designing in privacy right from the very start, embedding it in, rather than bolting on solutions at the end during validation -- designing in versus bolting on.

Mapping the Privacy by Design framework into the Secure Development Lifecycle process (part of Intel's robust validation and quality procedures) allows us to provide designers with the right privacy information and resources at specific trigger points for each step of the project. This starts a very early education on the privacy needs for our architects and engineers.

Furthermore, we believe that organizations should act as "stewards" for individuals and their data, protecting their reasonable privacy interests, as well as the security of their personal data. The duty of the organization is to act in a transparent, responsible way and be accountable to that individual. We need to take the burden off the individual and help them be more effective in accomplishing better protection of their privacy.

Quillin: What are the bottom-line benefits when an organization builds privacy and security in at the foundational level?

Hoffman: It's the pragmatic and sincere way to build trust and win-win relationships with your customers and partners that will lead to concrete benefits for the business.

As individuals who are social by nature, we have the desire to use innovative products and services that often have little regard for our privacy needs. What's important to know here is that customers really do value their privacy. Research polls tell us that better protection is clearly their preference. This presents a real marketplace for competitive solutions that provide advantage using better privacy protection as the differentiator. We are beginning to see the early stages of this.

Not only should privacy protection be built in from the start, it also has to be communicated effectively to all stakeholders throughout the process. Failure to do so may incur financial implications. Take the recent example of inBloom, which was an effort to provide a more complete picture of student progress, so teachers can individualize instruction while saving time, effort, and precious resources. Despite an over $100 million investment from charitable foundations, including Carnegie and Gates, the decision was made to close down this strategic project to help improve education in the US. The fear around student data being sent out of district (for data analytics to help enhance student performance) caused pressure from parents and advocates, resulting in the project's ultimate demise. There is also some additional guidance on how embedding privacy into design can help avoid the potentially enormous costs of a data breach. It's a pay-me-now or pay-me-later equation.

Quillin: From a privacy perspective, what is the biggest concern we are facing today?

Hoffman: Organizations have to focus increasing attention on examining the data security and privacy protections of their supply chain as a whole. What do the third-party supplier contracts really look like: vendors, suppliers, cloud service providers, and other agents? Do we really understand all the data flows required in accomplishing the specified tasks? How are they managed, and how often are policies reviewed and audited? What are the consequences of any failures? The supply chain is only as strong as the weakest link. Many organizations are at only the early stages of looking at these questions, and some have not yet begun. I believe it will demand a lot of investigation and become one of our biggest challenges.

Quillin: What are your top recommendations that security professionals could do today?

Hoffman: Here are three things every organization should consider doing right now:

  1. Evaluate the burden you are putting on your customers when protecting their privacy. How can you help alleviate this? Take greater responsibility and become as transparent as you can. Be accountable for their personal data.
  2. Consider if you are making sufficient investment in your organization: IT security, budgets, processes, people, and technologies. Do you really have the appropriate safeguards in place for the data you are accountable for? What best practices are you really following? If you need help initiating the conversation in your organization, I would encourage you to take a look at the new Cybersecurity Framework recently published by US NIST.
  3. Ensure that you have a robust process in place to manage your supply chain relationships. You are a steward for your customers' data, wherever it may be located or processed, and you must be accountable for how it is used.

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ...
Comments
RyanSepe
User Rank: Ninja
5/26/2014 | 5:29:11 PM
Privacy and Security Complement
Although they are two separate focuses, there is no reason why Privacy can't complement/work together with InfoSec. If security safeguards are followed and properly in place, it will make it easier to maintain privacy regulations. The same is true in reverse: if people understand basic privacy principles, it can help when security measures fail.