Security And Privacy - Overview

Legal vs Compliance vs Security vs Privacy

• Legal: What can we do.
• Compliance: What must we do.
• Security: How can we do it.
• Privacy: What should we do.

Be careful about special types of data

• Accelerometer: detects acceleration by vibration, so it can be a kind of microphone to record user's voice.
• Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.

Wipeout vs Takeout

• Wipeout: all data related to the user will be removed. The right to be forgotten.
• Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.

Regulartions / Standards

• GDPR: General Data Protection Regulation (EU)
• HIPAA: Health Insurance Portability and Accountability Act. (US)
• PCI-DSS: Payment Card Industry Data Security Standard
• CCPA: California Consumer Privacy Act, similar to GDPR.

GDPR

Data subject: the individual that information describes

6 GDPR DSRs: data subject rights

• the right to be forgotten
• the right to access
• the right to portability
• the right to restriction of processing
• the right to rectify
• the right to object

Methods to prove lawfulness of processing

• contractural necessity: processing required to fulfill an agreement between a company and an individual
• consent
• legitimate interests

Controllers vs Processors

• Controllers: decide how personal data will be processed. must meet obligations set forth in the GDPR
• Processors: process data at the direction of another entity

FIPS

FIPS = Federal Information Processing Standard.

The set of standards that dictates how data should be encrypted and transmitted, which has seen several revisions over the years.

FIPS 140-3: Security Requirements for Cryptographic Modules. Issued by NIST.

NIST

NIST = National Institute of Standards and Technology.

NIST Cybersecurity Framework: a set of guidelines for mitigating organizational cybersecurity risks.

FedRAMP

https://www.fedramp.gov

FedRAMP = Federal Risk and Authorization Management Program.

Required in order to do business with US government.

FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments.

Marketplace:

https://marketplace.fedramp.gov/#!/products?sort=productName

Software Supply Chain Security (S3C)

• source integrity (OSS, internal developers, vendors): no bad/malicious code
• build integrity (code repo, CI/CD pipelines, package repo): build and delivery are tamper proof
• runtime/dynamic checks (malware/vulnerability scanning, safe deployment): ensure prod systems are not compromised

IDS/IPS

• IDS: Intrusion Detection Systems.
• IPS: Intrusion Prevention Systems.

What are YARA Rules?

YARA = Yet Another Ridiculous Acronym.

YARA is a framework for large-scale pattern matching, used to identify and classify malware samples.

https://github.com/virustotal/yara

Data governance

• moral?
• ethical?
• legal?
• fair?

Security

Authn, authz, audit

Resources

• IAPP (The International Association of Privacy Professionals) https://iapp.org/
• https://blackhat.com/