The intent behind your security requirements are not always in line with privacy requirements that you can derive from internal and external sources. In this video, learn how to distinguish security requirements from privacy requirements, as well as where the two may overlap.
- [Host] When you're trying to protect the security of an application, and when you're trying to ensure that you're not exposing a user's private information, you're likely to land on similar courses of action. That's one of the reasons many people think of security and privacy is the same thing. The truth is though, that they're not. Yes, they often go hand in hand but security and privacy are actually two distinct practices. We use the term security when our goal is to keep bad things from happening, or to at least reduce the likelihood or impact of those bad things. When we implement security controls, our ultimate goal is to protect the confidentiality, integrity, and or availability of the app as well as the data processed and stored by that app. We use the term privacy when our goal is to empower a user to determine how much of their personal information if any, they would like to share with other people or organizations. There's a clear overlap between privacy controls and security controls when it comes to confidentiality. Although integrity and availability come into play to a lesser extent. The biggest difference is that privacy controls are driven by what the user wants, even if the organization may want something else. Personally identifiable information, or PII, and personal health information, or PHI are two specific types of information that are frequently impacted by privacy concerns and controls. We'll discuss these in more detail in a later video dedicated to types of data. When you're tapped to determine the right privacy controls for an app, chances are you'll start with these three. Data anonymization, ensures that you can remove sensitive data elements in a way that ideally satisfies the user's privacy expectations without breaking the app. User consent ensures that you've actively engaged the user to make sure they know how their private data is going to be used and that they've agreed to those terms. Disposition is one of the trickier privacy controls. Your users need to be able to request that you remove their private data, and you need to have a plan for how you're going to remove that data, again without breaking the app. Understanding the basic distinction between security and privacy, as well as a handful of common privacy controls will help you begin to understand the distinction between security risk and privacy risk. A SQL injection vulnerability for example, represents both a security risk and a privacy risk to your app. From a security standpoint, an attacker could potentially steal passwords. From a privacy standpoint, the attacker could potentially use that same flow to steal personal information. When it comes to backups though, the risk of data corruption has very different implications. If your backup data becomes corrupted, that's clearly an availability risk. But if you have personal information in that backup data, then corrupted backups are actually a privacy win. It's the ability to extract data from backups that represents a privacy risk, especially if you've told your users that you deleted that data. When it comes time to determine which privacy controls are appropriate for your app, you won't need to start from scratch. Truth is you may not have a choice in the matter. There's plenty of privacy regulation on the books that spells out what you are and are not allowed to do with your users personal data. While GDPR and CCPA have received a lot of press, mainly because of the fines that come with non compliance, financial organizations who have been complying with GLBA since 1999, are no strangers to privacy controls. Even if you put all of the required preventative privacy controls in your app, there's still a chance that an attacker might find a way around those controls. If that happens, these regulations require that you notify your users in a timely manner. Each regulation varies a bit on the details of what you need to tell users and when, so you'll need to apply your policy decomposition skills to determine exactly what your response should look like. If you can demonstrate compliance and if your breach notification process holds true, then the regulatory bodies are more likely to create you safe harbor. This means that when it comes time to start handing out fines, you're much less likely to be impacted because you were following the rules. Consumer privacy is becoming increasingly important as technology continues to advance. As a CSSLP, it's your responsibility to stay informed of those expectations, so your apps can meet both security and privacy requirements.