Wendy M. Grossman examines why security and privacy find it so hard to live together in the corporate world
If security and privacy were your parents, security would be the one filling you with anxiety: “don't leave the door open, check under the bed before you go to sleep, don't climb the jungle gym into the sky because you might fall head-first onto the tarmac below.” Privacy would be the rigid, stern parent armed with checklists, asking stentorian questions: “did you do your homework? Did you brush your teeth? Did you feed your pet anaconda?”
All of which is fine until ‘security-parent’ hears you have a six-foot snake, investigates, and realizes it's not a harmless anaconda but a highly venomous spectacled cobra and has it killed. Or ‘privacy-parent’ discovers that the ban on climbing jungle gyms means you've taken up a hobby involving a telescope pointed at the school locker rooms and you're in danger of being expelled, a risk security-parent didn't consider because, well, that's not their job and what are you, an idiot?
What we have here, as Strother Martin's captain said to his prisoners in the 1967 movie Cool Hand Luke, is a failure to communicate. Many organizations face this problem daily: privacy personnel are based in legal departments and focus on compliance, while security people come out of the IT department and focus on countering threats and eliminating risk. Misha Govshteyn, vice-president for emerging products at Houston-based Alert Logic, says privacy is hardly ever raised as an issue by the security people he encounters, except in areas where it's a specific concern, such as the healthcare industry, or companies that maintain customer payment records. That said, he notes that the fact that breaches are being discovered more slowly – given the rise of persistent, long-term attacks – means logs may need to be kept for longer.
An Incompatible Duo?
At the national security level, we tend to see security and privacy portrayed as incompatible alternatives, as politicians and security services tell us we must sacrifice privacy to the needs of safety. At the organizational level, the issues play out similarly, but on a much smaller canvas.
“The area where it tends to come most deeply into focus is monitoring,” says Ruth Boardman, head of the international privacy and data protection group at London-based law firm Bird & Bird. “Often it's the same laws and issues.”
Organizations argue, for example, that preventing the leakage of intellectual property and customer data requires them to monitor all communications including email, phone calls, and web use. “That then rubs up against communications secrecy requirements and/or privacy requirements, which vary country by country,” she adds. “It's not that they can't do it, but that they have to do it in a way which is sensitive to the laws and the cultural differences in different countries. Usually it means operating differently.” The drive for journaling in modern data loss prevention systems is a particularly touchy area, as are the ‘smart’ products many vendors now sell to analyze audit logs for subtle patterns indicating an attack in progress.
It's a paradox: finding the right level of behavior monitoring such that you can detect threats without violating the good guys' privacyTK Keanini, Lancope
“One of the key things with big data is purpose-limitation and fairness,” she says, agreeing that these principles clash with retaining data for future crunching for purposes as-yet unknown.
The difficulty, says TK Keanini, CTO at Lancope, is that often it's not clear at the outset what will be an invasion of privacy - or what customers will perceive as one. “While regulators might not say that disclosing a person's weight or age is a violation of their privacy, some people really would rather give you their Social Security number,” he tells Infosecurity. Attackers, however, will exploit any gap they can find. “It's a paradox: finding the right level of behavior monitoring such that you can detect threats without violating the good guys' privacy. It's the difference between keeping detailed records in phone systems so billing can occur, and a wiretap.”
Mohan Koo, co-founder and CEO of the Australian security company Dtex Systems, has working examples of how the lack of communication between those two dysfunctional parents works out in practice.
“One of our projects had a big Fortune 100 company wanting to implement our solution in a certain way. We wanted to consult the privacy team, and they wouldn't allow us to do so,” he explains. “We made specific recommendations about how it should be used and it wasn't implemented in that way. Privacy put a stop to it until it was implemented the way they wanted — so the implementation cost doubled.”
A worse scenario, he says, plays out when the ‘privacy people’ block a specific security project. The breach then hits, and the cost of the resulting reputational damage is far greater than that of the security project, had it been in place in time. “This has happened to us,” he says. “It happens time and time again.”
Time to Team Up
So what's needed is collaboration. “Privacy is a key issue in information security,” says Simon Crosby, CTO and co-founder of the California-based security company Bromium.
And yet, it's rarely a priority. “Enterprises only think of privacy in terms of their data. If they own personally identifiable information on their customers, then they care to the extent of regulations. But I haven't found one that cares otherwise.”
Equally, the security practitioners he encounters within companies rarely bring up privacy as a concern and when they do, they mean the privacy of the enterprise itself, not that of its customers or employees.
“Bromium believes there is no escape for the enterprise,” he warns.
By this, Crosby means that employees expect to be able to do everything, including accessing personal data with an enterprise device over an insecure network with malware risks ever-present. He believes the industry must adopt ‘least privilege’ techniques to isolate applications from each other, and that policing the boundaries between them is the key to both privacy and security.
One key myth about privacy that Chris Pounder, director and co-founder of the data protection and security training company Amberhawk, is anxious to debunk is that it is equivalent to data protection.
“Data protection is more than privacy legislation,” he says, stressing that it's wrong to think that if something is not private, no data protection rules apply. For example, something posted on the open internet isn't private, but if an employer reads that item in performing a background check on a prospective hire, the fairness requirements in data protection law still apply. The personal information being inspected must be relevant to the job being filled and pertaining to the right person. Plus, if the data consulted in making the decision is kept, the individual concerned has a statutory right of access.
Companies that don't collaborate within themselves won't go anywhere farMohan Koo, Dtex Systems
It’s Good to Talk
Ruth Boardman thinks that regulators and lawmakers could do more to smooth the conflicts that exist, rather than, as in the EU, viewing privacy in black and white terms as a fundamental right that must prevail.
“The actual reality is more subtle and nuanced than that,” she says. “It can make people think they have to throw all privacy requirements out if they want to achieve their objective, which isn't the case.” On the other hand, nuanced, complex regulations add inefficiency as organizations pick their way through varying thickets of complex legislation, country by country - and in the EU this is the direction of travel. “There's a trick that's been missed,” argues Boardman.
For enterprises struggling with these issues, the primary trick that's being missed comes back to ending the failure to communicate.
“It's usually at the most imbalanced state when it's a one-sided conversation — for example, one side deciding what the characteristics of privacy are without consulting the other,” says Keanini. “The groups that are highly functional and effective have great conversations on a daily basis. The ones that don't — it's like a dysfunctional family.”
Even so, he says, it's not necessarily bad that the two functions are separate because “both require a domain expert.” The key is that they should work as partners so both have enough information to make good decisions. Security needs change constantly as threats evolve so firms must “figure out a process to constantly keep the conversation going.”
Mohan Koo, raising the same point, notes that one way to do this is to schedule regular meetings for the heads of compliance, risk, security, and privacy and to follow those up by seconding staff from each department to work in the others. One privacy director he knows took that even further, swapping staff with the Information Commissioner's Office in order to bridge the gap between real world and regulator.
“Companies that don't collaborate within themselves won't go anywhere far,” he says.
Case Studies: The Wrong Side of the Law
A couple of cases demonstrate the complex interplay of the demands of security, privacy and regulatory requirements coupled with the variations of national laws.
In France, where the line is particularly firmly drawn in favor of privacy, Ruth Boardman recollects cases in which employers engaged in monitoring attempted to use that information to dismiss an employee. Even though the individual had been clearly breaching company rules, the organization was sanctioned and barred from firing them because it had breached individual secrecy requirements.
On the other hand, in the 2008 discrimination case I v. Finland, a HIV-positive nurse being treated in the same hospital where she was employed became convinced when her contract was not renewed that her colleagues had accessed her records. The hospital had insufficient access controls but also had no audit records that could have settled the question. The European Court of Human Rights ruled that not being able to demonstrate who had viewed her records in itself constituted an invasion of her privacy.
“It shows the two aren't necessarily opposed,” says Boardman, who adds that although audit trails in themselves can be invasive of privacy the solution is not to stop keeping them but to solve the problems they pose.