THE NEXUS OF

SECURITY AND PRIVACY

Andrea Little Limbago, PhDChief Social Scientist

11 September 2019

TRADITIONAL VIEW

SecurityPrivacy

2018 Inflection Point: The Perfect Storm

High Profile Attacks

Data Sharing & Misuse GDPR

THE GROWING INTERSECTION

THE GROWING INTERSECTION

Security

Proliferation

Technical Implementation

Security Focal Areas

AdversariesAttack Tactics, Techniques, Procedures

Security Incidents

Denial of Service Critical Infrastructure Compromise

Wiper Malware & Destructive Attacks

Phishing

Privacy

Proliferation

Legal Implementation

Privacy Focal Areas

Ethics Digital Rights

Privacy Concerns

Right of Access Right to be Forgotten

Opting In/Out Data Monetization

Security & Privacy: The Intersection

Unauthorized data access impacts both security and privacy

Organizations Focus on the Outcome

Public Opinion

Focuses on the

Outcome

Unauthorized Data Access Unifies Security and Privacy

1. Cyber Attacks

2. Third-Party Data Access

3. Misconfigured Cloud Servers & Databases

1. Cyber Attacks

2. Third-Party Data Access

3. Misconfigured Cloud Servers & Databases

The Bubble Charts Keep Getting Bigger….

UnitedStates

China IranIsraelRussia NorthKorea

Sudan

Vietnam Mexico

BinaryGuardians

UkraineCyber

Alliance

Rise of the Rest Counter-Warriors

The Usual Suspects

Who?

Lebanon

United Kingdom

Nation-states

Terrorist Groups

Criminal Groups

Mercenaries

Hacktivists

Lone Wolves

Corporations

Proliferation of Attackers

Tools & Tactics

Exploits

MalwarePhishing

Credential TheftRansomware

WiperMalwareCryptomining

A Broad Range of

Decoys & Deception Third-party attacks

1. Cyber Attacks

2. Third-Party Data Access

3. Misconfigured Cloud Servers & Databases

Supply Chain Risks

Undecipherable & Vague

User Agreements

Third-party Data

Sharing & Monetization

1. Cyber Attacks

2. Third-Party Access

3. Misconfigured Cloud Services

Cloud misconfiguration has exposed billions of records

Server misconfiguration, permission errors, and API oversights are the leading culprits

Gartner predicts by 2020 95% of cloud security failures will be the customers’ fault

Average enterprise has between 50-100 cloud-based applications

Localized Data Control

Localized

Data

Control

Data Localization – Requiring local data storage within sovereign boundaries

Cyber sovereignty – Governmental control of data within borders

Splinternet – National internets as opposed to a worldwide internet, AKA Balkanization

Vietnam Cybersecurity Law

India’s Information Technology Act Amendment

Venezuela Law of Cyberspace

Thailand Cybersecurity Law

Russia Sovereign Internet Bill

Security & Privacy at a Crossroads

A Tale of Two Futures

Privacy

is DeadAssume

Breach

Humans are

the Weakest

Link

Security and Privacy Challenges Require Socio-technical Solutions

Socio-technical Drivers of Change

1. Incentives

2. Trust

3. Usability

Socio-technical Drivers of Change

1. Incentives

2. Trust

3. Usability

Incentives

Growing demand in the U.S. for privacy regulations and data protection

Two-thirds believe current laws are insufficient for protecting people’s privacy

Greater concern over corporate misuse than government misuse

https://spreadprivacy.com/privacy-legislation-survey/

Movement for Policy Innovation

Global Regulations

Public Opinion

GDPR

Japan

Latin America

CCPA

Global Movement toward Data Protection

Security Standards within Privacy Regulations

Breach Notification Laws

Security Safeguards

Data Collection Standards

Movement for Policy Innovation & Digital Transformation

Global Regulations

Public Opinion

CorporateShifts

External Threats51%

Governance and Compliance Regulations 49%

When it comes to structuring your organization’s data management strategy, what is the biggest driver?

Source: Virtru Survey Coming Soon!

Socio-technical Drivers of Change

1. Incentives

2. Trust

3. Usability

For years there has been a persistent illusion of security and privacy....

For years there has been a persistent illusion of security and privacy....

that has fostered the current trust crisis

Only 20% of US consumers completely trust firms to protect their data

75% would stop doing business with a firm that misused their data

In Latin America, 70% of respondents stated that consumers very rarely understand how

data is collected, stored, and usedhttps://www.helpnetsecurity.com/2018/04/17/consumer-trust-data-privacy/https://www.mediapost.com/publications/article/334119/worrywarts-consumers-dont-trust-brands-with-thei.htmlhttps://www.consumersinternational.org/media/155133/gdpr-briefing.pdf

2018 Inflection Point: The Perfect Storm

High Profile Attacks

Data Sharing & Misuse GDPR

ProliferationShifting Privacy Narratives

Facebook”…a precedent that emboldens other governments to seek greater access to their citizen's data and therefore weakens privacy and security protections for people around the world. I think it's important…that our industry continues to hold firm against storing people's data in places

where it won't be secure.”

IBM Apple

“Privacy in itself has become a crisis…..You are not a product.”

“The genesis of the trust crisis is the irresponsible handling of personal data by a few dominant consumer-facing platforms...I would use a regulatory scalpel, not a sledgehammer.”

CEO Ginni Rometty, November 2018

CEO Tim Cook, May 2019

CEO Mark Zuckerberg, March 2019

https://usprivacybill.intel.com/legislation/

Trust is the New Currency

ProliferationShifting Security Narratives

PERIMETERMINDSET

Zero Trust

Zero Trust –Deny by default

Focus on least access/privilege and authentication

DataDevices & Applications

Users/Identity

A Trust Paradox?

Social system with

increasing reliance on

trust

Technical system built on the absence of trust

Socio-technical Drivers of Change

1. Incentives

2. Trust

3. Usability

Riding the Usability Wave

Credit: Kelly Shortridge, VP Product at Capsul8

https://medium.com/@kshortridge/infosec-startup-buzzword-bingo-2019-edition-d067fb1316cb

‘Demystifying’

Usability

User Outreach & Elicitation● User-driven requirements● User testing and feedback

UX Teams● Does one exist and do they help guide development

priorities?

Solutions Compliment Workflows● Otherwise users will find workarounds and negate any

investments

Impact on Security & Privacy● Must be an enabler● Can be core source of innovation and advancement● Can foster trust through transparency

If security and privacy do NOT integrate into workflows, users will

always find a workaround and negate investments

Usability can be a force multiplier in building trust and enhancing security and

privacy

Toward a Unified Security and Privacy Approach to Unauthorized Data Access

When focusing on unauthorized data access……..

SecurityPrivacy

Privacy and security can – and must – be reinforcing

Business benefits of data protection investments

Source: https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf

Where

to

Begin?

Risk Assessments & Compliance

Incident Response & Prevention

Empowering Your Workforce

Building Trust

The pendulum is

starting to swing away from fear,

uncertainty, and doubt….

And toward aspirations focused on empowerment, innovation, and collaboration.

Data protection – and so much

more –will be

determined at this intersection

Andrea Little Limbago, PhD

alimbago@virtru.com

@limbagoa

Thanks!

75