Endpoint Security
Guest Blog // Selected Security Content Provided By Intel
What's This?
5/23/2014
03:50 PM
Tom Quillin
Tom Quillin
Guest Blogs
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why Is Privacy Important to Security Practitioners & Professionals?

David Hoffman, director of Intel's security policy and global privacy office, shares his ideas on how organizations can achieve data security, along with privacy protections that enhance business potential.

Too often we think of privacy and security as divergent forces -- pulling our focus in different directions. IT professionals know that privacy is one of the biggest issues surrounding the security of data, but they worry whether they are really doing enough to protect personal information and data belonging to users, customers and employees.

Today I will be interviewing a colleague of mine, David Hoffman, Director of Intel's Security Policy and Global Privacy Office. We will discuss how organizations can achieve robust data security, along with privacy protections that enhance business potential.

Quillin: Why is privacy important to security practitioners, security professionals?

Hoffman: People often see information security and privacy as very separate concerns, though there are large areas of interdependency between them, and there is a need for them to work together and reinforce each other. You can no longer just concern yourself with how you safeguard data using appropriate security measures without considering and respecting the needs of privacy of the individuals with whom that data is related.

Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organizations that are able to successfully align and connect these concepts in their practical implementation stand a better chance in establishing trust. Trust is what customers are looking for; it's a business enabler.

Quillin: OK, if it's important that privacy and security work together, how can we implement that relationship in practice?

Hoffman: One of the ways we do this at Intel is to use a framework called Privacy by Design, a foundational component used in the development of new products, services, and IT programs. Fundamentally, this means designing in privacy right from the very start, embedding it in, rather than bolting on solutions at the end during validation -- designing in versus bolting on.

Mapping the Privacy by Design framework into the Secure Development Lifecycle process (part of Intel's robust validation and quality procedures) allows us to provide designers with the right privacy information and resources at specific trigger points for each step of the project. This starts a very early education on the privacy needs for our architects and engineers.

Furthermore, we believe that organizations should act as "stewards" for individuals and their data, protecting their reasonable privacy interests, as well as the security of their personal data. The duty of the organization is to act in a transparent, responsible way and be accountable to that individual. We need to take the burden off the individual and help them be more effective in accomplishing better protection of their privacy.

Quillin: What are the bottom-line benefits when an organization builds privacy and security in at the foundational level?

Hoffman: It's the pragmatic and sincere way to build trust and win-win relationships with your customers and partners that will lead to concrete benefits for the business.

As individuals who are social by nature, we have the desire to use innovative products and services that often have little regard for our privacy needs. What's important to know here is that customers really do value their privacy. Research polls tell us that: Better protection is clearly their preference. This presents a real marketplace for competitive solutions that provide advantage using better privacy protection as the differentiator. We are beginning to see the early stages of this.

Not only should privacy protection be built in from the start, it also has to be communicated effectively to all stakeholders throughout the process. Failure to do so may incur financial implications. Take the recent example of inBloom, which was an effort to provide a more complete picture of student progress, so teachers can individualize instruction while saving time, effort, and precious resources. Despite an over $100 million investment from charitable foundations, including Carnegie and Gates, the decision was made to close down this strategic project to help improve education in the US. The fear around student data being sent out of district (for data analytics to help enhance student performance) caused pressure from parents and advocates, resulting in the project's ultimate demise. There is also some additional guidance on how embedding privacy into design can help avoid the potentially enormous costs of a data breach. It's a pay-me-now or pay-me-later equation.

Quillin: From a privacy perspective, what is the biggest concern we are facing today?

Hoffman: Organizations have to focus increasing attention on examining the data security and privacy protections of their supply chain as a whole. What do the third-party supplier contracts really look like: vendors, suppliers, cloud service providers, and other agents? Do we really understand all the data flows required in accomplishing the specified tasks? How are they managed, and how often are policies reviewed and audited? What are the consequences of any failures? The supply chain is only as strong as the weakest link. Many organizations are at only the early stages of looking at these questions, and some have not yet begun. I believe it will demand a lot of investigation and become one of our biggest challenges.

Quillin: What are your top recommendations that security professionals could do today?

Hoffman: Here are three things every organization should consider doing right now:

  1. Evaluate the burden you are putting on your customers when protecting their privacy. How can you help alleviate this? Take greater responsibility and become as transparent as you can. Be accountable for their personal data.
  2. Consider if you are making sufficient investment in your organization: IT security, budgets, processes, people, and technologies. Do you really have the appropriate safeguards in place for the data you are accountable for? What best-practices are you really following? If you need help initiating the conversation in your organization, I would encourage you to take a look at the new Cybersecurity Framework recently published by US NIST.
  3. Ensure that you have a robust process in place to manage your supply chain relationships. You are a steward for your customers' data, wherever it may be located or processed, and you must be accountable for how it is used.

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/26/2014 | 5:29:11 PM
Privacy and Security Complement
Although they are two separate focuses, there is no reason why Privacy can't complement/work together with InfoSec. If security safeguards are followed and properly in place, it will make it easier to maintain privacy regulations. The same is true in the reverse if people understand basic privacy principles it can help when security measures fail. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.