TRANSCRIPT
THE NEXUS OF SECURITY AND PRIVACY
Andrea Little Limbago, PhD, Chief Social Scientist
11 September 2019
TRADITIONAL VIEW
Security / Privacy
2018 Inflection Point: The Perfect Storm
High Profile Attacks
Data Sharing & Misuse
GDPR
THE GROWING INTERSECTION
Security
Proliferation
Technical Implementation
Security Focal Areas: Adversaries; Attack Tactics, Techniques, Procedures
Security Incidents: Denial of Service; Critical Infrastructure Compromise; Wiper Malware & Destructive Attacks; Phishing
Privacy
Proliferation
Legal Implementation
Privacy Focal Areas: Ethics; Digital Rights
Privacy Concerns: Right of Access; Right to be Forgotten; Opting In/Out; Data Monetization
Security & Privacy: The Intersection
Unauthorized data access impacts both security and privacy
Organizations focus on the outcome
Public opinion focuses on the outcome
Unauthorized Data Access Unifies Security and Privacy
1. Cyber Attacks
2. Third-Party Data Access
3. Misconfigured Cloud Servers & Databases
The Bubble Charts Keep Getting Bigger….
[Bubble chart titled "Who?": the labels are The Usual Suspects, Rise of the Rest, and Counter-Warriors; the bubbles name United States, China, Iran, Israel, Russia, North Korea, United Kingdom, Sudan, Vietnam, Mexico, Lebanon, Binary Guardians, and Ukraine Cyber Alliance]
Nation-states
Terrorist Groups
Criminal Groups
Mercenaries
Hacktivists
Lone Wolves
Corporations
Proliferation of Attackers
A Broad Range of Tools & Tactics: Exploits; Malware; Phishing; Credential Theft; Ransomware; Wiper Malware; Cryptomining; Decoys & Deception; Third-party attacks
1. Cyber Attacks
2. Third-Party Data Access
3. Misconfigured Cloud Servers & Databases
Supply Chain Risks
Undecipherable & Vague User Agreements
Third-party Data Sharing & Monetization
1. Cyber Attacks
2. Third-Party Access
3. Misconfigured Cloud Services
Cloud misconfiguration has exposed billions of records
Server misconfiguration, permission errors, and API oversights are the leading culprits
Gartner predicts that through 2020, 95% of cloud security failures will be the customer’s fault
Average enterprise has between 50-100 cloud-based applications
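An added example (not part of the talk) of the "permission errors" the slide names: a small Python checker that flags statements in an S3-style bucket policy which grant read access to an anonymous principal without any Condition. The two policies, the bucket name, the role ARN and the account ID are constructed for illustration; the first is the pattern behind most "exposed bucket" leaks, the second is the corrected least-privilege form.

```python
"""Flag public-read statements in an S3-style bucket policy (added example)."""
import fnmatch
import json

# Constructed sample: anyone on the internet may read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
})

# Constructed corrected version: reads go to one named role on one prefix,
# and the only anonymous statement is pinned to an internal source range.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/app/*",
        },
        {
            "Sid": "InternalOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/internal/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
        },
    ],
})

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """The policy grammar allows a string or a list in Principal/Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _grants_read(actions) -> bool:
    """Match explicit and wildcard action patterns ("s3:*", "s3:Get*", "*").

    IAM action names are case-insensitive, so compare lower-cased.
    """
    return any(
        fnmatch.fnmatchcase(read.lower(), pattern.lower())
        for pattern in _as_list(actions)
        for read in READ_ACTIONS
    )


def public_read_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that let anyone read.

    A statement is reported when it is an Allow, its Principal is anonymous,
    it grants a read action, and it carries no Condition. A Condition is
    treated as a restriction this static check cannot evaluate, so such
    statements are left for manual review rather than reported here.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print("public:", public_read_statements(PUBLIC_POLICY))      # ['PublicRead']
    print("hardened:", public_read_statements(HARDENED_POLICY))  # []
```

The check is deliberately conservative about Conditions: a `Principal: "*"` statement restricted by `aws:SourceIp` or `aws:SourceVpce` is not world-readable, but a Condition that only checks something every caller satisfies would slip past it, so the un-reported conditional statements still deserve a look.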
Localized Data Control
Data Localization – Requiring local data storage within sovereign boundaries
Cyber sovereignty – Governmental control of data within borders
Splinternet – National internets as opposed to a worldwide internet, AKA Balkanization
Vietnam Cybersecurity Law
India’s Information Technology Act Amendment
Venezuela Law of Cyberspace
Thailand Cybersecurity Law
Russia Sovereign Internet Bill
Security & Privacy at a Crossroads
A Tale of Two Futures
Privacy is Dead
Assume Breach
Humans are the Weakest Link
Security and Privacy Challenges Require Socio-technical Solutions
Socio-technical Drivers of Change
1. Incentives
2. Trust
3. Usability
Incentives
Growing demand in the U.S. for privacy regulations and data protection
Two-thirds believe current laws are insufficient for protecting people’s privacy
Greater concern over corporate misuse than government misuse
https://spreadprivacy.com/privacy-legislation-survey/
Movement for Policy Innovation
Global Regulations
Public Opinion
GDPR
Japan
Latin America
CCPA
Global Movement toward Data Protection
Security Standards within Privacy Regulations
Breach Notification Laws
Security Safeguards
Data Collection Standards
Movement for Policy Innovation & Digital Transformation
Global Regulations
Public Opinion
Corporate Shifts
When it comes to structuring your organization’s data management strategy, what is the biggest driver?
External Threats: 51%
Governance and Compliance Regulations: 49%
Source: Virtru Survey (coming soon)
Socio-technical Drivers of Change
1. Incentives
2. Trust
3. Usability
For years there has been a persistent illusion of security and privacy....
that has fostered the current trust crisis
Only 20% of US consumers completely trust firms to protect their data
75% would stop doing business with a firm that misused their data
In Latin America, 70% of respondents stated that consumers very rarely understand how data is collected, stored, and used
https://www.helpnetsecurity.com/2018/04/17/consumer-trust-data-privacy/
https://www.mediapost.com/publications/article/334119/worrywarts-consumers-dont-trust-brands-with-thei.html
https://www.consumersinternational.org/media/155133/gdpr-briefing.pdf
2018 Inflection Point: The Perfect Storm
High Profile Attacks
Data Sharing & Misuse
GDPR
Proliferation: Shifting Privacy Narratives
IBM, CEO Ginni Rometty, November 2018: “The genesis of the trust crisis is the irresponsible handling of personal data by a few dominant consumer-facing platforms...I would use a regulatory scalpel, not a sledgehammer.”
Facebook, CEO Mark Zuckerberg, March 2019: “…a precedent that emboldens other governments to seek greater access to their citizens’ data and therefore weakens privacy and security protections for people around the world. I think it's important…that our industry continues to hold firm against storing people's data in places where it won't be secure.”
Apple, CEO Tim Cook, May 2019: “Privacy in itself has become a crisis…..You are not a product.”
https://usprivacybill.intel.com/legislation/
Trust is the New Currency
Proliferation: Shifting Security Narratives
Perimeter Mindset → Zero Trust
Zero Trust – Deny by default
Focus on least access/privilege and authentication
Pillars: Data; Devices & Applications; Users/Identity
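An added example (not from the talk) of what "deny by default" and "least access" look like as an access decision across the three pillars on the slide, set against the perimeter mindset it replaces. The rules, users, groups, device attributes and resource paths are all constructed for illustration; the policy shape is a generic explicit-allow list, not any particular vendor's product.

```python
"""Deny-by-default access decision across Data, Devices and Identity (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    """One access attempt, described along the three pillars from the slide."""
    user: str                 # Users/Identity: who the identity provider says this is
    groups: frozenset         # group membership asserted by the identity provider
    mfa: bool                 # strong authentication completed for this session
    device_managed: bool      # Devices & Applications: enrolled in management
    device_patched: bool      # device posture check passed
    resource: str             # Data: path of the record set being touched
    action: str               # "read" or "write"


@dataclass(frozen=True)
class Rule:
    """An explicit allow. Anything no rule covers is denied."""
    resource_prefix: str
    action: str
    group: str
    require_mfa: bool = True
    require_healthy_device: bool = True


# Constructed policy: the only grants are narrow ones (least access).
RULES = (
    Rule("/finance/ledger/", "read", "finance-analysts"),
    Rule("/finance/ledger/", "write", "finance-controllers"),
    Rule("/wiki/", "read", "employees", require_healthy_device=False),
)


def perimeter_decision(inside_network: bool) -> bool:
    """The perimeter mindset: being on the corporate network is the credential."""
    return inside_network


def zero_trust_decision(req: Request, rules=RULES) -> tuple:
    """Deny by default; allow only on an explicit rule whose checks all pass.

    The first rule matching (resource, action, group) decides. A match that
    fails its MFA or device requirement denies outright instead of falling
    through to a later, possibly looser rule.
    """
    for rule in rules:
        if not req.resource.startswith(rule.resource_prefix):
            continue
        if rule.action != req.action or rule.group not in req.groups:
            continue
        if rule.require_mfa and not req.mfa:
            return False, f"{req.user}: MFA required for {rule.resource_prefix}"
        if rule.require_healthy_device and not (req.device_managed and req.device_patched):
            return False, f"{req.user}: device fails posture check for {rule.resource_prefix}"
        return True, f"{req.user}: allowed by {rule.group}/{rule.action} on {rule.resource_prefix}"
    return False, f"{req.user}: no matching rule (default deny)"


# Constructed sample requests.
ANALYST_READ = Request("ana", frozenset({"employees", "finance-analysts"}),
                       mfa=True, device_managed=True, device_patched=True,
                       resource="/finance/ledger/2019-q3.csv", action="read")
# Same identity, same data, but a write: read access does not imply write.
ANALYST_WRITE = replace(ANALYST_READ, action="write")
# Same identity and data, but from a laptop that failed its posture check.
STALE_LAPTOP = replace(ANALYST_READ, device_patched=False)

if __name__ == "__main__":
    for req in (ANALYST_READ, ANALYST_WRITE, STALE_LAPTOP):
        print(zero_trust_decision(req))
    # Inside the perimeter, the legacy model lets all three of these through.
    print("perimeter:", perimeter_decision(inside_network=True))
```

The contrast is the point of the slide: the perimeter model answers one question (are you inside?), whereas the zero-trust decision has to be re-earned per request from identity, authentication strength, device health and the specific data and action, and anything the rule list does not name is denied.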
A Trust Paradox?
Social system with increasing reliance on trust
Technical system built on the absence of trust
Socio-technical Drivers of Change
1. Incentives
2. Trust
3. Usability
Riding the Usability Wave
Credit: Kelly Shortridge, VP Product at Capsule8
https://medium.com/@kshortridge/infosec-startup-buzzword-bingo-2019-edition-d067fb1316cb
‘Demystifying’ Usability
User Outreach & Elicitation
● User-driven requirements
● User testing and feedback
UX Teams
● Does one exist and do they help guide development priorities?
Solutions Complement Workflows
● Otherwise users will find workarounds and negate any investments
Impact on Security & Privacy
● Must be an enabler
● Can be a core source of innovation and advancement
● Can foster trust through transparency
If security and privacy do NOT integrate into workflows, users will always find a workaround and negate investments
Usability can be a force multiplier in building trust and enhancing security and privacy
Toward a Unified Security and Privacy Approach to Unauthorized Data Access
When focusing on unauthorized data access……..
Security & Privacy
Privacy and security can – and must – be reinforcing
Business benefits of data protection investments
Source: https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf
Where to Begin?
Risk Assessments & Compliance
Incident Response & Prevention
Empowering Your Workforce
Building Trust
The pendulum is starting to swing away from fear, uncertainty, and doubt….
And toward aspirations focused on empowerment, innovation, and collaboration.
Data protection – and so much more – will be determined at this intersection