Security And Privacy - Overview
Legal vs Compliance vs Security vs Privacy
- Legal: What can we do.
- Compliance: What must we do.
- Security: How can we do it.
- Privacy: What should we do.
Be careful about special types of data
- Accelerometer: detects acceleration by vibration, so it can be a kind of microphone to record user's voice.
- Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.
Wipeout vs Takeout
- Wipeout: all data related to the user will be removed. The right to be forgotten.
- Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.
Regulartions / Standards
- GDPR: General Data Protection Regulation (EU)
- HIPAA: Health Insurance Portability and Accountability Act. (US)
- PCI-DSS: Payment Card Industry Data Security Standard
- CCPA: California Consumer Privacy Act, similar to GDPR.
Data subject: the individual that information describes
6 GDPR DSRs: data subject rights
- the right to be forgotten
- the right to access
- the right to portability
- the right to restriction of processing
- the right to rectify
- the right to object
Methods to prove lawfulness of processing
- contractural necessity: processing required to fulfill an agreement between a company and an individual
- legitimate interests
Controllers vs Processors
- Controllers: decide how personal data will be processed. must meet obligations set forth in the GDPR
- Processors: process data at the direction of another entity
Authn, authz, audit
FIPS = Federal Information Processing Standard.
The set of standards that dictates how data should be encrypted and transmitted, which has seen several revisions over the years.
FIPS 140-3: Security Requirements for Cryptographic Modules. Issued by NIST.
NIST = National Institute of Standards and Technology.
NIST Cybersecurity Framework: a set of guidelines for mitigating organizational cybersecurity risks.
FedRAMP = Federal Risk and Authorization Management Program.
Required in order to do business with US government.
FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments.
Software Supply Chain Security (S3C)
- source integrity (OSS, internal developers, vendors): no bad/malicious code
- build integrity (code repo, CI/CD pipelines, package repo): build and delivery are tamper proof
- runtime/dynamic checks (malware/vulnerability scanning, safe deployment): ensure prod systems are not compromised
Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
HSM vs TPM
- TPM: Trusted Platform Module
- a chip on a system board on a computer.
- stores special encoding information and holds the keys that your system needs to encrypt certain data relating to your system.
- e.g. used for FDE, or Full-Disk Encryption: if your hard drive is cloned and connected to another machine, it will not be readable without the cryptographic data contained on the TPM, making the data useless to anyone but you.
- HSM: Hardware Security Module
- a standalone piece of hardware: not soldered directly to motherboard, but as a USB device or be mounted to the rack.
- KMS: Key Management System
- a newer technology than both TPM and HSM.
- can operate across multiple platforms like cloud and hybrid environments.
Security information and event management: provides real-time analysis of security alerts generated by applications and network hardware.
- use Splunk to collect and analyze logs to detect security issues.
- GCP provides Chronicle SIEM, part of Chronicle Security Operations.