5 Methods for Data Privacy Enhancement
Introduction
If orange is the new black, then privacy is the new security — or at least security’s indispensable accessory. We can thank the Facebook/Cambridge Analytica debacle for raising the awareness of just how important digital privacy is. And the fact that 2017 saw a doubling of cybersecurity attacks just brings the whole dystopian data-privacy fiasco into sharp relief.
Data privacy benefits everyone. If an organization takes privacy seriously, it will put measures in place to prevent data exposure – benefitting the entire user base as well as the organization itself. Conversely, the respect shown by doing so should go towards creating better customer relationships and building trust.
So what can organizations do to ensure that they play their part in enhancing data privacy?
1) Minimize What Data You Collect
Data minimization is the first step towards an all-encompassing approach to data privacy. If you don’t need it, don’t collect it. This action reduces the privacy overhead of a system and is sometimes referred to as the “minimal dataset,” or MDS.
The minimal collection of data usually impacts the collection of personal data such as name, address and so on. For example:
- Don’t collect name prefixes such as Mrs. or Mr. unless required
- Ask yourself: do you need to know a person’s full address; could a country or state location suffice?
- Do you really need a full date of birth, or will age range do?
Data minimization also extends to any questions asked in, for example, a survey. Avoid collecting sensitive information in such surveys — if you don’t need to ask for personal data during a survey, don’t.
Reducing the amount of sensitive or personal data you collect is beneficial for both your customers and your business. If you don’t have something, you don’t have to look after it.
2) Minimize the Data You Release
In a similar manner, you can configure your system to minimize the data you release. This is, of course, dependent on the IT tools you are using, but many systems now come with privacy-enhancement settings. One example is an age request for purchase of an age-restricted item. Instead of offering, or requiring the user’s date of birth to complete the transaction, an age-over request could be made: the response would return the answer yes/no to the request “is this person over 21?”
Modern protocols such as OAuth 2.0 can accommodate this type of exchange.
3) Controlling Data Access
The data you do collect needs to be only accessible on a need-to-know basis. Data access is the devil in the detail of data privacy. You can do all of the minimization you like, but if a malicious entity accesses these data and decides to expose them, all privacy enhancements are out the door — literally.
Access control is also one of the more difficult areas in security to establish. And, in a consumer system there are two sides to the coin and both need to have robust authentication measures applied:
- Admin Access: Compromised administrator access to databases is one of the top cybersecurity attack points. Only those administrators who need to have access to sensitive data should have permission. Authentication should be two-factor, using as robust an option as possible. For example: the second factor should be out-of-band and, if possible, limited to company internal IP addresses. Access should be audited.
- Data Owner (Customer) Access: Customers often have an account manager which allows access to the personal data held in their account. They may also be able to update this information using that account manager. Under regulations like GDPR, data-access rights such as access to data and data rectification can be accommodated using account managers. However, this is also an attack vector in a system which can lead to data exposure. Ideally, use two-factor authentication to control access to customer accounts and to also ensure that account recovery is secure.
4) Data Encryption is Your Friend
Every day, 4.8 million data records are exposed. Of those, only 4% are encrypted; the rest are open to full exploitation. Encryption is Security 101 and should always be used where sensitive or personal data is collected, stored and shared.
Encryption at rest and during transit needs to be configured to ensure that the data remains private and that any breach impact is minimized.
There is no one-size-fits-all encryption product, so you have to be aware of certain things. These include, is the encryption tool based on a standard algorithm, for example, AES 256. Does it meet expected standards such as the NIST FIPS 140-2 requirements?
Data should be encrypted:
- At rest,e. when stored in a database on a server or mobile device. If you hold personal or sensitive data on a hard drive you will need to use hard-disk encryption.
- During transmission, e.g. browser-based HTTPS using the standard protocols SSL/TLS. Implementation of HTTPS is vital and can be easily misconfigured. It is important to make sure all aspects of your site have encryption enabled. If you use email to transfer sensitive or personal data, you should also look at security measures such as email encryption and/or data-leak prevention software.
5) Respect of Personal Data
Having respect for the privacy of an individual's data will go a long way towards a general enhancement of privacy across a system. Adopting a culture of privacy in your organization begins by understanding that personal data should be given the same respect as you would give a person.
The expression of this respect starts with permission. Taking permission from a user when collecting and using their personal information has three key aspects:
- Consent: To use the data. Set out what purpose you require the data for in plain language
- Granular: Take consent in a granular fashion. If you need to use the collected data for more than one purpose, take consent for each purpose to allow users to pick and choose what they wish to allow
- Revocable: Make sure the consent can easily be revoked
Creating a system that is built with privacy-by-design (PbD) is a key design remit and it is becoming as important a requirement as hardening against cybersecurity attacks. In fact, the two are intrinsically linked. These five key requisites of a privacy-enhanced service, shown above, give you a basic blueprint for data privacy that hopefully will help to ensure that you have a system which takes privacy seriously.
Sources
Online Trust Alliance Reports Doubling of Cyber Incidents in 2017, Online Trust Alliance
Breach Level Index, Gemalto
Cryptographic Module Validation Program, NIST
FREE role-guided training plans
10 HTTPS Implementation Mistakes - SEMrush Study, SEMrush
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- 5 Methods for Data Privacy Enhancement
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security