Privacy v. Security | TL;DR


Privacy management sits at the intersection of information security, data management and analytics, but is more than the sum of the parts.

It’s been a longstanding point of contention within information security circles that compliance does not equal security. Certainly, devastating data breaches and attackers gaining access to sensitive data at enterprises that were deemed to be in compliance with PCI DSS requirements or other regulations would support the argument. But does the same relationship hold for the governance and management of customer identity data and information security? The answer is yes, but for very different reasons.

One of these things is not like the other

Compliance requirements are better understood as a subset of information security: they represent a baseline for adequate security — or what cynics might describe as lowest common denominator. Also, because of a mismatch between the rate at which compliance requirements or other regulations are put in place and the rapid proliferation of new attacks, the specific technical details of compliance requirements often lag the measures needed to effectively contain threats and prevent attacks.

Privacy management and protection of customer identity data involves not simply assessing if adequate security controls in place, but how are they being implemented to protect specific types of data against unauthorized access. In this sense, the management and protection of private data is more complementary to information security infrastructure and processes than traditional compliance might be.

What this also implies is that an organization can be secure, but could still be in violation of privacy regulations — the mirror opposite of the relationship between PCI DSS compliance, for example, and information security. Another element that distinguishes the relationship is that consumer expectations of data privacy — and not only data security — have outpaced the implementation of regulations, including even new data residency provisions as part of Safe Harbor 2.0.

Here is another major distinction: organizations have well-defined processes to determine what systems and data lie within compliance scope. Defining what customer data is in scope for privacy protection is far less mature. This challenge has multiple facets — organizations have to discover where the data resides, and then map what regulations such as HIPAA, internal privacy policies and data residency should apply to the data. These requirements are further complicated by the proliferation of Big Data Platforms across the organizations, driven by trends like digital transformation, and by new regulations that have mapped to silos of identity data that have been built because of disconnected customer or patient engagement initiatives.

Risk isn’t instagram viewer private always binary

It’s a truism that can’t protect what you don’t know. Especially when we consider that access to private customer data may be allowed under some circumstances, but not in others. For instance, many organizations have data sharing relationships with third parties, or consume data from third parties through APIs. The data passing in either direction could have been assembled under terms that aren’t consistent with internal policies or in violation of data residency provisions. Without visibility into the transfer of private data, and some way to evaluate the risk of the action, information security tools are of limited to no use.

In an ideal situation, intelligence and risk analysis about potential violations of customer data privacy, whether by internal or external actors, would inform how security enforcement is performed. Information security tools — including identity and access management and data security– take a binary model: either you should or shouldn’t have access. Behavioral analytics may be able to detect when activity is not normal, but can’t apply intelligence to detect when activity may be in violation of privacy policies.

To deliver effective enforcement, security tools need to know where to look, and what to look for. Privacy risk and intelligence about usage in the context of privacy requirements complete the circle.

@bigidsecure |