Virtualization Technology News and Information
Data Privacy Day 2019: Views and Tips from Top Industry Experts

Data Privacy Day, an international "holiday" that occurs each year on January 28th, was created to raise awareness and promote privacy and data protection best practices.  The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day from the Privacy Projects back in August of 2011.  A nonprofit, public-private partnership dedicated to promoting a safer, more secure and more trusted Internet, NCSA is advised by a distinguished advisory committee of privacy professionals.

Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking.  In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.

With this in mind, we've compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts in advance of Data Privacy Day 2019. 



Heather Paunet, Vice President of Product Management at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs:

"Data privacy has become a hot topic over the last few years, especially with the recent large-scale data breaches. It is important that organizations of all sizes take data privacy seriously and proactively ensure personally identifiable information (PII) is protected. Protecting data in the event of a breach is crucial to maintain the trust and respect of the public. Businesses can take some simple steps to protect the data they are collecting. Storing the private data on a network or server that is separate from the public, or even separate from the main corporate network, can provide an extra layer of protection. Encrypting the data, especially PII, is another standard practice to comply with a variety of regulations like PCI and HIPAA in the United States and GDPR in Europe. With GDPR in full effect, data privacy and transparency are now more relevant than ever. Businesses must realize that the GDPR rules are not a hindrance, but a chance to show consumers that they can trust them and that they are taking a proactive approach to data privacy.

On a consumer level, protecting your data is becoming more and more difficult as apps and websites demand the information. However, consumers can be proactive and choose what they share. For example, don't fill out social profiles completely (address, high school/college, birth date are all considered PII). The Facebook breach is a prime example of sharing too much information through a "fun, free quiz"; those participants' information was sold to advertisers without their knowledge. Sharing your social security number is never a good idea. The only businesses that need that information are your work, bank and possibly your healthcare provider; anyone else asking is just phishing for more of your PII. For citizens in Europe, GDPR rules allow consumers to request their data from any company, so you can see what they have gathered about you. You can then further ask the company to delete that data. With this new privacy law in place, the hope is that other countries will enforce similar rules so consumers globally have more control and rights over their personal data."

Ali Golshan, CTO and co-founder at StackRox, a Mountain View, Calif.-based leader in security for Kubernetes and containers:

"Considering the volume and range of data being collected from services and users, targeting and reaching the user has become a very personal experience. We can clearly see the negative impacts of it in politics and American culture.

Analytic infrastructures allow for powerful insights into data, but they create compliance and security risks for companies because data is often dumped into data lakes without proper labeling, auditing, or policy enforcement. We are seeing companies such as Apple building trust with customers by providing visibility and transparency into how that data is used. Additionally, Europe's GDPR requires all companies serving European citizens, regardless of the company's HQ location, to implement controls around data privacy.

Due to development timelines, developers often have to delay building granular privacy permissions into their applications. Such permissions enable individual customers to define how their data can be used, or the right to be forgotten - both of these parameters are cornerstones of GDPR compliance.

One key feature for data privacy is ensuring up-to-date controls and configurations around access. To ensure data is protected from unauthorized access, systems need controls such as identity and authentication of users. Limits to access must also extend to developers of platforms as well, to avoid situations such as Ring is experiencing, with reports of broad access to customer videos.

All services working with personal and private data should apply crypto best practices for data in motion and data at rest or stored. Beyond encryption, the best way to secure data is to not collect it, so apply principles of minimal data collection or apply additional layers of obfuscation. One method of obfuscation is differential privacy, which allows providers to offer customized services for users while maintaining privacy for individual users."

Shahrokh Shahidzadeh, CEO at Acceptto, a Portland, Oregon-based provider of Cognitive Continuous Authentication:

"Assume all of your credentials have already been stolen, even those credentials that haven't been created yet.

Due to the frequency of data breaches, we all must operate under the assumption that it's only a matter of time before we become aware of the fact that our credentials and personal information are compromised. Protecting our citizens' identity and privacy requires new regulatory measures and the collaboration of private and public sectors, including all (large or small) companies that today are taking overt advantage of harvested consumer data that is readily available for corporate welfare but not well protected.

2019 is the year of new solutions that employ a combination of multi-modal and contextual controls that continuously and accurately protect user identity and privacy with the assumption that all your online credentials are already compromised."

Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions:

"Is Data Privacy Day turning into Data Privacy Remembrance Day? Is it even reversible? The answer is yes. The end of privacy as we know it is closer than you may think. Privacy definitions are very different between nation states and cultures; however, one thing that is common is that privacy is becoming less and less of an option for most citizens. In public, almost everyone is being watched and monitored 24/7 with thousands of cameras using your expressions, fashion, walk, directions, interactions and speech to determine what you need, what you might be thinking, who you are going to meet, who is nearby, and even algorithms that determine what your next action might be. All of this is used to help provide a custom experience unique to everyone as well as predict and prevent security threats. The term 'if you have nothing to hide you have nothing to fear' is quickly becoming reality, and privacy could certainly disappear in the near future. Can we ever regain our privacy?"

Rishi Bhargava, Co-founder at Demisto, a Cupertino, Calif.-based provider of security automation and orchestration and response technology:

Str!ct P@ssw0rds

"Make sure that employees use strong passwords and that they use different passwords across systems. A single password used across applications might be convenient but it then takes just one vulnerability to compromise all the employee's accounts. For guidelines on password strength, you can refer to NIST's latest identity guidelines.  

Historically, lengthy passwords with a combination of letters, numbers, and special characters are less likely to get breached through brute force. Contrary to popular opinion, NIST recommends against changing passwords regularly. Employees usually change just a couple of characters from password to password this way, leading to confusion without increased security.

VPNs Are A Must

Whether employees are working from home or any other public location, organizations should ensure that Virtual Private Networks or VPNs are used.  By combining encryption protocols and virtual P2P connections, VPNs protect any sensitive company data that employees might access while connected to non-enterprise public/private networks.

There are various VPN protocols out there: some provide encryption, some facilitate connections, and some do both. Protocols such as SSH, SSL, or TLS fulfill both duties (encryption and connection) and should be preferred by organizations that aim for security as well as convenience.

Awareness Programs With A Twist 

Security awareness programs delivered through dry, text-heavy presentations are unlikely to have the intended effects, no matter how positive the intent. A few tactical tweaks to awareness programs can drastically improve uptake:

  • Including interactive, engaging assignments as part of the training. For example, a 'design your own phishing email' contest where employees come up with their best phishing emails.
  • Encouraging and rewarding employees that show 'good security behaviors' and sharing their successes with the group.
  • Learning from security failures and sharing with transparency to avoid repetitive mistakes.
  • Creating a culture of openness and blamelessness so that employees that have made mistakes come forward honestly without fear of being punished.

Update, Patch, Maintain

Devices with out-of-date software, certificates, and agents create conditions where compromise becomes easier and more likely. Organizations should monitor the version recency of operating systems, SSL certificates, and security software (such as firewalls and endpoint tools) on all employee devices and especially those that avail of remote work.

Although any deficiencies along these lines won't create security incidents on their own, they will weaken a device's 'immune system'. Attackers will usually scan devices for these deficiencies and target accordingly.

These solutions are by no means exhaustive, but they represent 'first-pass' guidelines that organizations can set up and build upon. Even with all these precautions (and more) in place, it's inevitable that breaches will occur. But by being proactive in defense and agile in response, organizations and their remote workers stand a good chance of coming out on top."

David Ginsburg, Vice President of Marketing at Cavirin, a Santa Clara, Calif.-based provider of cybersecurity risk posture and compliance for the enterprise hybrid cloud:

"Data Privacy Day is upon us, and there is no need to mention our just concluded 'Annus horribilis,' and I'm not talking about US or EU politics. Over the last twelve months, we've endured a constant barrage of news regarding the latest hacks, vulnerabilities, or organizations paying the price for just plain stupidity. Though IoT and critical infrastructure vulnerabilities as well as foreign attacks were top of mind, ongoing thefts of confidential financial, healthcare, and other PII data presented greater risk to enterprises and individuals. As related at BlackHat, the hackers are definitely on the offensive, with organizations playing catch-up across an increasingly complex hybrid cloud infrastructure. However, 2019 doesn't need to be a repeat of 2018.

The intent of Data Privacy Day is to raise the awareness of data privacy within organizations as well as for individuals. Focusing on the former, recommendations in fact follow the universal five-phase approach outlined in the NIST CSF - Identify, Protect, Detect, Respond, and Recover. This approach is in fact a great baseline for organizations of any size, from the corner dentist to the Fortune 100.

Cavirin has taken the lead in leveraging the CSF as one of our building blocks for CyberPosture Intelligence.  Our eBook, The Enterprise Journey to the Hybrid Cloud, describes the mapping from the CSF to typical deployment concerns, outlining a path for success.  And, a recent Cavirin Playbook, Leveraging the NIST CSF, looks at high-risk critical infrastructure verticals and how to adopt best practices.  We've also done quite a bit of work to help ensure organizations are equipped for GDPR as well as looking ahead to the California Consumer Privacy Act."


Published Thursday, January 24, 2019 7:31 AM by David Marshall