Defining the (Technical) Requirements: A Privacy-First Security Approach
In the wake of recent privacy regulation coming into effect and privacy-centric discussions dominating the global stage, we here at Dtex have been taking a lens to the relationship between privacy and enterprise security. While historical perspectives typically put the two at odds, it’s our adamant belief that one can actually enable the other - working together to support business values and goals. The plain and simple truth is that protecting privacy is, in fact, nearly impossible without strong security.
What we’ve found concerning, however, is that in working to ensure the privacy and security of key external stakeholders – such as customers and constituents – we’ve largely impeded and intruded the privacy of another: the users inside our organizations. And what has become alarmingly clear is that this tradeoff - while previously justified by a lack of available, viable solutions or a muted sense of urgency - is no longer acceptable or sustainable.
Recently, we zeroed in on the concept of ‘Privacy by Design’ to make the case for why, both strategically and philosophically, it makes clear business sense to pursue a privacy-first security approach. We underlined the myriad of benefits, from ensuring compliance and avoiding fines or penalties to gaining a competitive advantage and future-proofing organizational security strategy.
Once those benefits are acknowledged, however, it becomes much more difficult to actually put a privacy-first security approach into action. Why? Most notably, there seems to be a shortage of resources that go much beyond the philosophical - lacking pragmatic direction that’s rooted in the technical.
To address this gap, we looked to the Seven Foundational Principles that comprise the ‘Privacy by Design’ framework as a starting point and source of inspiration. And using these Principles as a foundation, we’ve outlined what we see as the key requirements and technological capabilities of a comprehensive, privacy-first security approach.
Foundational Principle 1: Be proactive, not reactive
The first Principle emphasizes the need to take preventative, rather than strictly remedial, action. This aligns closely with the guidance we consistently offer to our customers: it’s imperative to have a layered security approach, encompassing prevention and detection as well as mitigation and response.
Organizations with legacy security investments proven to be heavy, resource-intensive, and impossible to scale have been forced to resort to a forensics-only style of security, piecing together events after a threat or breach has been identified. This is why we consistently advise that, from a technology perspective, the first critical step in building this layered approach is gaining real-time, scalable visibility into all activities and events happening across your environment – and investing in solutions that can deliver on such.
Foundational Principle 2: Load with privacy as the default setting
This Principle emphasizes that no action should be required on the part of the individual to protect their privacy. Legacy security technologies like employee monitoring solutions are in direct conflict with this particular requirement - typically using highly invasive data collection methods such as keylogging, screenshots, and video capture. These methods can capture highly-sensitive data such as medical information, bank account details, personal account passwords, and more.
In order to truly protect user privacy, security solutions should focus on collecting and analyzing metadata - and even then, collection should be limited to behavioral data needed to detect threats. Organizations should also leverage the significant innovation in advanced capabilities like data anonymization, which can keep a user’s identity hidden and behavioral data protected until suspicious activity is detected. This not only helps alleviate employee privacy concerns, but also provides a layer of protection against security threats and data breaches.
62% of employed Americans would be comfortable with their employer monitoring their digital activities on work devices if it was for security purposes and the activity data was anonymized.
Foundational Principle 3: Embed privacy into design
The third Principle demands that privacy measures be embedded into the design and architecture of systems and business practices. This aligns with, and underscores, our belief that a privacy-first approach requires purpose-built solutions - developed from the ground up with an inherent respect for user privacy integrated into their very core.
While the pressure to achieve compliance or avoid hefty fines can drive the temptation to take shortcuts or use a bandage approach, attempting to retrofit privacy-conscious capabilities into existing security infrastructure is likely to provide only short-term relief - and prove to be ineffective and more expensive in the long run.
Foundational Principle 4: Ensure end-to-end security
The fourth Principle emphasizes the need for full lifecycle protection - ensuring that all data is securely collected, used, retained, and destroyed in a timely fashion. This means it is critical to have a complete understanding of how your organization generates, analyzes, and stores data.
Invasive legacy security solutions are likely to not only harbor sensitive personal information but also bog down a network – meaning that they often can only be deployed to a select group of users or parts of the enterprise. This kind of partial visibility is not sufficient if the goal is to truly understand exactly when and where data might be compromised… across all users, environments and locations.
Privacy-first security solutions that leverage lightweight - and ideally, anonymized - metadata collection will prove much more capable of delivering visibility that spans all users, endpoints, and environments. And, they are far less likely to impact system or human performance and invade personal privacy.
Foundational Principle 5: Retain full functionality
In other words, according to the fifth Principle, privacy-first security should be a positive-sum - not zero-sum - endeavor. It demands that we ‘avoid the pretense of false dichotomies’ and the tendency to pit privacy against security. Organizations need to abandon the idea that respecting and maintaining privacy or productivity compromises security.
Many legacy security solutions, in addition to carrying a heavy footprint, are largely dependent on blocking or prohibiting user access. This approach has largely backfired in many cases – not only severely impeding user productivity and efficiency, but actually elevating organizational security risk levels. The good news is that technological innovation has made it entirely possible have comprehensive security without requiring trade-offs in user privacy or productivity.
We’ve already established that a privacy-first security solution is one that is capable of delivering scalable, near real-time visibility. It’s this visibility enables another imperative: the ability to generate a high-fidelity signal that can immediately pinpoint when a user or endpoint may be compromised. And with this powerful, reliable signal, it is no longer necessary or warranted to invade user privacy by trying to be everywhere and see everything.
Foundational Principle 6: Maintain visibility and transparency
This Principle emphasizes the need for trust and open communication. In the context of privacy-first security, this means that all parties must be fully aware of organizational security practices, policies and supporting technologies. More specifically, users should have a complete understanding of all behavior or activity monitoring programs in place - as well as the purpose and objective of these programs - and how data is being collected, used, and analyzed.
Rather than rely on secrecy or ambiguity, a privacy-first security approach is centered on building trusted and empowered insiders. Why? Because the users who understand how their organizations generate and use data will ultimately be in a better position to play an active role in organizational security – which carries the potential to both minimize careless or irresponsible security habits and make them feel more empowered and engaged.
77% of employed Americans would be less concerned with their employer monitoring their digital activity on personal or work devices as long as they are transparent about it.
Foundational Principle 7: Keep it user-centric
This last Principle demands a commitment to understanding users as individuals - who come with unique behaviors, motivations and needs, and have a fundamental right to personal privacy. It also demands that we acknowledge that every user is human and therefore, equally capable of human behaviors - whether negligent or malicious - that put an organization at risk.
It’s the presence of the human element that turns what we once thought of as black and white into shades of grey. The simple fact is that what presents as potentially dangerous or suspicious activity for one person does not necessarily represent suspicious behavior for another. This underscores the need not only for a continuous monitoring system that delivers unobstructed visibility into all user activity, but one that is powered by technologies capable of recognizing context, and applying advanced analytics or machine learning, to generate a detailed understanding of each individual user.
DTEX AND PRIVACY-FIRST SECURITY
The Dtex Advanced User Behavior Intelligence Platform is purpose-built to detect insider threats, developed from the ground up as a privacy-first solution. Designed to support ‘Privacy by Design’ security approaches, Dtex helps enterprises comply with privacy regulations and is deployed at Global 2000 customers doing business in countries with even the strictest privacy laws.
Learn more about how Dtex’s patented Anonymization capabilities – a core feature of the Dtex Advanced User Behavior Intelligence Platform – power a privacy-first security approach by downloading our overview of Dtex's Anonymization features.