For the purposes of this book, privacy protection is primarily about regulating authorized access to and use of data. Information security (InfoSec for short, or cybersecurity), which is primarily about stopping unauthorized access to information, is what makes privacy protection possible. Without controlling unauthorized access, building a privacy protection regime for authorized users is moot because any protection that can be easily circumvented is no true protection at all.
Whereas the implementation of privacy and security are concerned with guarding against different threats, they do make use of the same technologies such as encryption, auditing, logging, access controls, separation of concerns, alerting, active monitoring, and investigation. It could therefore be quite understandable for an organization that has not thought extensively about the underlying distinctions to mistake privacy for security. But an architecture is an arrangement of things to constitute a whole with desired properties, and the desired properties for protecting privacy and for securing against unauthorized access are not the same. Each requires unique design considerations.
If your organization does not have a dedicated information security team, get one. If your organization already has a dedicated InfoSec team, bring them into the design process early. As the experts on your network security, they will have invaluable advice on building a system that meets the security and compliance requirements for your organization.
Security requirements can have a huge impact on every aspect of system design. Data architecture, the ability of services to be co-located on the same machine, system performance, and even hardware budgets can be significantly affected by security requirements. If you wait until the end of designing your architecture to bring your InfoSec team into the discussion, you may find yourself throwing out large parts of your design to meet security needs you forgot to consider.
There are several high-level information security best practices that every enterprise should adopt. The technical details of implementing these are further documented elsewhere, and it’s worth considering them in your designs.
Encrypting network traffic ensures that data cannot be intercepted by an attacker who is snooping on network traffic. As of 2014, the use of encryption to protect network traffic traveling over the open Internet is widespread, usually in the form of SSL/TLS connections. But inside data centers, server-to-server communications are often not encrypted. An attacker that gains access to such a network, even without access to the servers holding the data themselves, could still intercept privacy-protected data in transit between servers in a multi-machine cluster. Additionally, organizations are increasingly recording and analyzing their own network traffic to detect network intrusions. As a result, full copies of network traffic may be stored for long periods of time in these monitoring systems. This could lead to an inadvertent leak of privacy-protected data into a system that does not implement the same levels of control and oversight.
It’s important for all network links that move privacy-protected data to use encryption. This applies not only to connections made by authorized users to access the system from outside the data center but also to network links between nodes in a multi-server system. In practice, this almost always requires an SSL/TLS or similar VPN layer between the users and the system. Inside the system itself, communications can be secured using SSL/TLS, IPSec, or some other point-to-point VPN technology.
Encryption-at-rest ensures that data is not stored as plain text. With this technique, as data is written to disk (or solid state drive, or tape, etc.), it is encrypted using a set of secret keys known only to privileged administrators of the system. This technique not only guards against data being compromised in a system breach where an attacker gains remote access to the storage system, but also against physical theft where the actual data-storage devices are stolen for later data extraction.
Encryption-at-rest can complicate system management, as the secret keys need to be supplied by a person at system startup and restart, rather than allowing for fully automated cycling of the system. Encryption-at-rest also requires careful auditing of all places where the data might be temporarily stored, such as temporary storage or caching servers.
As its name suggests, two-factor authentication requires two pieces of information to be presented by a user before access to the system is granted. This makes compromising a legitimate user’s account much more difficult that just figuring out their password.
While the first factor is usually a password, the second factor is typically a one-time passcode supplied by a specialized piece of hardware or software such as an RSA SecurID token or a smartphone application that performs the same function (like Google Authenticator or Duo Security). It could also be a one-time passcode supplied via an out-of-band communication mechanism such as an SMS text message or an automated phone call.
Though this makes authentication a bit more cumbersome, it forces any would-be attacker to not only compromise the user’s password but also a physical device that is under their control. For even further security, three-factor authentication can follow up on every successful login with an email or SMS message so that a user can quickly be alerted of unauthorized account access and report it immediately.
If you’re interested in learning more about the field of information security and some of the topics above, here are a few resources worth checking out:
Bruce Schneier’s book lays out the proper framework for thinking about security: understanding how security technology works and how it fails, understanding the mindset of attackers, and how to look at security as a risk mitigation problem rather than a pass/fail challenge. His free monthly newsletter, Crypto-Gram, is an excellent resource for interesting and notable news covering security research, technology, policy, and incident reports.
SANS offers training in the practice of information security and cyber defense. They also publish high-quality guides on different aspects of information security.
The National Institute of Standards and Technology (NIST) has more exhaustive information on encryption-at-rest. In addition, most modern operating systems natively support encrypted disks, so your vendor documentation might not be a bad starting place.
You should now have a solid grasp of some of the main technical and legal themes at work in the privacy sphere. Within this context, sound data collection and information security practices are necessary foundations upon which to build specific privacy controls. By understanding your data, you can understand the forces at work upon it and how to protect it accordingly. In the next section, we’ll dig into the many ways to design and control authorized access points to data.