7 Places Where Privacy and Security Collide
Privacy and security can experience tension at a number of points in the enterprise. Here are seven — plus some possibilities for easing the strain.
June 21, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt5489a83778216dd2/64f0d668a0be27bda71e86e2/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
In a recent interview with Dark Reading, Cisco chief privacy officer Michelle Dennedy said that privacy was all about the contents of the metaphorical data pipe, while security concerned itself with the architecture of the pipe. For IT security professionals, issues arise when protecting the contents of the pipe, and the pipe itself, create tensions in how security operates.
There are a number of points at which these tensions arise in the "privacy versus security" dance. One of the most visible twirls around it is the topic of encryption, which can be used to both protect the privacy of individuals and shield the true nature of malware.
But that's not the only place where the needs of privacy and security can collide. Here, we take a look at seven — and want to know about others you have encountered. At which points have you seen privacy and security considerations collide? Let us know in the comments, below.
Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.
When security researchers are seeking the facts around an incident, it's almost impossible for them to have access to too much information. But to protect privacy, it's important to collect as little information as possible. The tension between the two is the first in the dance.
Security professionals will argue that strong security can protect information in the system. Privacy advocates will point out that no security regime is foolproof, and the easiest information to protect is that which you never collect in the first place.
The key to relieving this tension is to carefully define the information required for security (and "everything" is not a valid definition), and then keep it only as long as required for reasonable forensics. Then per the established policy, purge everything personally identifiable.
"My data, my dirt" is a snappy way of saying that sensitive data should be stored and processed in the jurisdiction where it was gathered. It has a nice, emotionally resonant ring to it, but security professionals know that mere geographical proximity doesn't translate to better security.
From a privacy perspective, there could be regulatory reasons to keep data in (or away from) particular legal jurisdictions. Security teams might think of that, but they might also feel that security issues are best addressed when all key data is behind a single security regime or within a certain tightly controlled environment.
Security and privacy professionals can come into conflict when each group is trying to store data in the location that is best from their functional perspective. It may be that the tension is resolved by the legal restrictions that carry the biggest penalties.
User authentication is based on certainty concerning a user's identity and privileges at all times. Privacy can be enhanced when users are authenticated, but information about the user is hidden or obfuscated when not in the challenge and authentication process.
How closely should a specific identity be tied to each application activity and network transaction? How much personally identifiable information (PII) should accompany each system identity? For security and forensics, the answer is "a lot." For privacy, not so much.
The tension is in how to anonymize information while still safeguarding the authentication process and allowing for meaningful forensics when something goes wrong. The relief lies in defined processes that specify how little PII can be tied to the user identity while still maintaining security.
In a recent interview with Dark Reading, Cisco chief privacy officer Michelle Dennedy said that privacy was all about the contents of the metaphorical data pipe, while security concerned itself with the architecture of the pipe. For IT security professionals, issues arise when protecting the contents of the pipe, and the pipe itself, create tensions in how security operates.
There are a number of points at which these tensions arise in the "privacy versus security" dance. One of the most visible twirls around it is the topic of encryption, which can be used to both protect the privacy of individuals and shield the true nature of malware.
But that's not the only place where the needs of privacy and security can collide. Here, we take a look at seven — and want to know about others you have encountered. At which points have you seen privacy and security considerations collide? Let us know in the comments, below.
Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024