Endpoint Security
Guest Blog // Selected Security Content Provided By Intel
What's This?
5/23/2014
03:50 PM
Tom Quillin
Tom Quillin
Guest Blogs
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why Is Privacy Important to Security Practitioners & Professionals?

David Hoffman, director of Intel's security policy and global privacy office, shares his ideas on how organizations can achieve data security, along with privacy protections that enhance business potential.

Too often we think of privacy and security as divergent forces -- pulling our focus in different directions. IT professionals know that privacy is one of the biggest issues surrounding the security of data, but they worry whether they are really doing enough to protect personal information and data belonging to users, customers and employees.

Today I will be interviewing a colleague of mine, David Hoffman, Director of Intel's Security Policy and Global Privacy Office. We will discuss how organizations can achieve robust data security, along with privacy protections that enhance business potential.

Quillin: Why is privacy important to security practitioners, security professionals?

Hoffman: People often see information security and privacy as very separate concerns, though there are large areas of interdependency between them, and there is a need for them to work together and reinforce each other. You can no longer just concern yourself with how you safeguard data using appropriate security measures without considering and respecting the needs of privacy of the individuals with whom that data is related.

Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organizations that are able to successfully align and connect these concepts in their practical implementation stand a better chance in establishing trust. Trust is what customers are looking for; it's a business enabler.

Quillin: OK, if it's important that privacy and security work together, how can we implement that relationship in practice?

Hoffman: One of the ways we do this at Intel is to use a framework called Privacy by Design, a foundational component used in the development of new products, services, and IT programs. Fundamentally, this means designing in privacy right from the very start, embedding it in, rather than bolting on solutions at the end during validation -- designing in versus bolting on.

Mapping the Privacy by Design framework into the Secure Development Lifecycle process (part of Intel's robust validation and quality procedures) allows us to provide designers with the right privacy information and resources at specific trigger points for each step of the project. This starts a very early education on the privacy needs for our architects and engineers.

Furthermore, we believe that organizations should act as "stewards" for individuals and their data, protecting their reasonable privacy interests, as well as the security of their personal data. The duty of the organization is to act in a transparent, responsible way and be accountable to that individual. We need to take the burden off the individual and help them be more effective in accomplishing better protection of their privacy.

Quillin: What are the bottom-line benefits when an organization builds privacy and security in at the foundational level?

Hoffman: It's the pragmatic and sincere way to build trust and win-win relationships with your customers and partners that will lead to concrete benefits for the business.

As individuals who are social by nature, we have the desire to use innovative products and services that often have little regard for our privacy needs. What's important to know here is that customers really do value their privacy. Research polls tell us that: Better protection is clearly their preference. This presents a real marketplace for competitive solutions that provide advantage using better privacy protection as the differentiator. We are beginning to see the early stages of this.

Not only should privacy protection be built in from the start, it also has to be communicated effectively to all stakeholders throughout the process. Failure to do so may incur financial implications. Take the recent example of inBloom, which was an effort to provide a more complete picture of student progress, so teachers can individualize instruction while saving time, effort, and precious resources. Despite an over $100 million investment from charitable foundations, including Carnegie and Gates, the decision was made to close down this strategic project to help improve education in the US. The fear around student data being sent out of district (for data analytics to help enhance student performance) caused pressure from parents and advocates, resulting in the project's ultimate demise. There is also some additional guidance on how embedding privacy into design can help avoid the potentially enormous costs of a data breach. It's a pay-me-now or pay-me-later equation.

Quillin: From a privacy perspective, what is the biggest concern we are facing today?

Hoffman: Organizations have to focus increasing attention on examining the data security and privacy protections of their supply chain as a whole. What do the third-party supplier contracts really look like: vendors, suppliers, cloud service providers, and other agents? Do we really understand all the data flows required in accomplishing the specified tasks? How are they managed, and how often are policies reviewed and audited? What are the consequences of any failures? The supply chain is only as strong as the weakest link. Many organizations are at only the early stages of looking at these questions, and some have not yet begun. I believe it will demand a lot of investigation and become one of our biggest challenges.

Quillin: What are your top recommendations that security professionals could do today?

Hoffman: Here are three things every organization should consider doing right now:

  1. Evaluate the burden you are putting on your customers when protecting their privacy. How can you help alleviate this? Take greater responsibility and become as transparent as you can. Be accountable for their personal data.
  2. Consider if you are making sufficient investment in your organization: IT security, budgets, processes, people, and technologies. Do you really have the appropriate safeguards in place for the data you are accountable for? What best-practices are you really following? If you need help initiating the conversation in your organization, I would encourage you to take a look at the new Cybersecurity Framework recently published by US NIST.
  3. Ensure that you have a robust process in place to manage your supply chain relationships. You are a steward for your customers' data, wherever it may be located or processed, and you must be accountable for how it is used.

Tom is responsible for identifying and addressing Intel product security risks as well as planning products that solve tomorrow's security challenges and also manages Intel's policy positions on security and privacy. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/26/2014 | 5:29:11 PM
Privacy and Security Complement
Although they are two separate focuses, there is no reason why Privacy can't complement/work together with InfoSec. If security safeguards are followed and properly in place, it will make it easier to maintain privacy regulations. The same is true in the reverse if people understand basic privacy principles it can help when security measures fail. 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.