Security And Privacy - Overview
Legal vs Compliance vs Security vs Privacy
- Legal: What can we do.
- Compliance: What must we do.
- Security: How can we do it.
- Privacy: What should we do.
Be careful about special types of data
- Accelerometer: detects acceleration by vibration, so it can be a kind of microphone to record user's voice.
- Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.
Wipeout vs Takeout
- Wipeout: all data related to the user will be removed. The right to be forgotten.
- Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.
Regulartions / Standards
- GDPR: General Data Protection Regulation (EU)
- HIPAA: Health Insurance Portability and Accountability Act. (US)
- PCI-DSS: Payment Card Industry Data Security Standard
- CCPA: California Consumer Privacy Act, similar to GDPR.
GDPR
Data subject: the individual that information describes
6 GDPR DSRs: data subject rights
- the right to be forgotten
- the right to access
- the right to portability
- the right to restriction of processing
- the right to rectify
- the right to object
Methods to prove lawfulness of processing
- contractural necessity: processing required to fulfill an agreement between a company and an individual
- consent
- legitimate interests
Controllers vs Processors
- Controllers: decide how personal data will be processed. must meet obligations set forth in the GDPR
- Processors: process data at the direction of another entity
FIPS
FIPS = Federal Information Processing Standard.
The set of standards that dictates how data should be encrypted and transmitted, which has seen several revisions over the years.
FIPS 140-3: Security Requirements for Cryptographic Modules. Issued by NIST.
NIST
NIST = National Institute of Standards and Technology.
NIST Cybersecurity Framework: a set of guidelines for mitigating organizational cybersecurity risks.
FedRAMP
FedRAMP = Federal Risk and Authorization Management Program.
Required in order to do business with US government.
FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments.
Marketplace:
https://marketplace.fedramp.gov/#!/products?sort=productName
Software Supply Chain Security (S3C)
- source integrity (OSS, internal developers, vendors): no bad/malicious code
- build integrity (code repo, CI/CD pipelines, package repo): build and delivery are tamper proof
- runtime/dynamic checks (malware/vulnerability scanning, safe deployment): ensure prod systems are not compromised
IDS/IPS
- IDS: Intrusion Detection Systems.
- IPS: Intrusion Prevention Systems.
What are YARA Rules?
YARA = Yet Another Ridiculous Acronym.
YARA is a framework for large-scale pattern matching, used to identify and classify malware samples.
https://github.com/virustotal/yara
Data governance
- moral?
- ethical?
- legal?
- fair?
Security
Authn, authz, audit
Resources
- IAPP (The International Association of Privacy Professionals) https://iapp.org/
- https://blackhat.com/
YARA-L
YARA-L is inspired by YARA — invented by Google’s VirusTotal team, for malware analysis and applied to logs (hence the “L”) and other security telemetry inside the Chronicle platform.
What is CSPM?
Cloud Security Posture Management (CSPM) is a cybersecurity solution that identifies and remediates misconfigurations and security risks in cloud environments, providing automated visibility, continuous monitoring, and remediation workflows to improve security and compliance.
What is CNAPP?
CNAPP is an end-to-end cloud-native security solution that combines key functionalities like posture management, workload protection, runtime protection, and data security.
CNAPP represents a consolidation and evolution of multiple cloud security technologies, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), Infrastructure as Code (IaC) scanning, and more