Security And Privacy - Overview
Legal vs Compliance vs Security vs Privacy
- Legal: What can we do.
- Compliance: What must we do.
- Security: How can we do it.
- Privacy: What should we do.
Be careful about special types of data
- Accelerometer: detects acceleration by vibration, so it can be a kind of microphone to record user's voice.
- Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.
Wipeout vs Takeout
- Wipeout: all data related to the user will be removed. The right to be forgotten.
- Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.
Regulartions / Standards
- GDPR: General Data Protection Regulation (EU)
- HIPAA: Health Insurance Portability and Accountability Act. (US)
- PCI-DSS: Payment Card Industry Data Security Standard
- CCPA: California Consumer Privacy Act, similar to GDPR.
Data subject: the individual that information describes
6 GDPR DSRs: data subject rights
- the right to be forgotten
- the right to access
- the right to portability
- the right to restriction of processing
- the right to rectify
- the right to object
Methods to prove lawfulness of processing
- contractural necessity: processing required to fulfill an agreement between a company and an individual
- legitimate interests
Controllers vs Processors
- Controllers: decide how personal data will be processed. must meet obligations set forth in the GDPR
- Processors: process data at the direction of another entity
Authn, authz, audit
FIPS = Federal Information Processing Standard.
FIPS 140-3: Security Requirements for Cryptographic Modules. Issued by NIST.
NIST = National Institute of Standards and Technology.
NIST Cybersecurity Framework: a set of guidelines for mitigating organizational cybersecurity risks.
FedRAMP = Federal Risk and Authorization Management Program.
Required in order to do business with US government.
FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments.
Software Supply Chain Security (S3C)
- source integrity (OSS, internal developers, vendors): no bad/malicious code
- build integrity (code repo, CI/CD pipelines, package repo): build and delivery are tamper proof
- runtime/dynamic checks (malware/vulnerability scanning, safe deployment): ensure prod systems are not compromised
Intrusion detection systems (IDS) and intrusion prevention systems (IPS)