GDPR Summit London 2017

I today attended GDPR Summit 2017 in London, I am intrigued by GDPR as it gives power and rights to common citizens and many countries are following the same. As one of the speakers put it IT  has  led societies transformation and evolution however it has to now be balanced or normalized with other aspects of life. GDPR is primarily meant for the good of the citizen, and the society, the purpose of GDPR is to make sure that companies use personal information with the consent of individual which can be their employees (current, past or people they might have interviewed), suppliers and customers. The Individual would have the right to take back their consent as and when required and their data would be deleted from company’s system. 

The deterrent for GDPR non-compliance is not just the 4% or 20 million Euro fine but also the fact that the companies can also be barred by the regulator from processing data temporarily or even permanently. The positive side is making Data ethics a competitive advantage.

The stake holders in organisation GDPR implementation are Legal, Human Resource, Information Technology and Marketing. DPIA – Data privacy impact assessment under article 35 of GDPR is another aspect. High-risk processing activity under article 35(7)a of GDPR processing is an important factor. Employee consultation and survey for the customer is recommended. Also in case of cloud computing the responsibility would be with the controller. Some of the addition to Article 30 include article 7, article 15-19, article 20, article 32, article 44 – 46.

Data Privacy Officer is the mandatory position for all companies, and privacy officer and Data privacy officer is two different roles. Data Privacy officer can also be a part-time role. Another aspect was right to be forgotten, and the fact that ERP does not delete the data but red flags it and the data do not pop up in the system but resides in the system is understood. Hence analyzation and tokenization of data are recommended. In tokenization audit, trail and Login function match should be conducted analyzed and blocked.

Another aspect of data privacy came out on Application security and IoT – Internet of things. While Application security primarily included session hijacking, phishing, etc., IoT can also lead to a possible source of infiltrating into the network and accessing the data. Hence Application level and IoT security are an important aspect. Security monitoring is another key aspect function of data privacy. Cloud is another area where need for security  was  emphasized. While Ben Westwood - Data protection Officer of  eBay explained the complexity involved in data privacy management for an eCommerce company.

Marketing is further another function that gets impacted by GDPR, email campaign, cookies tracking, search engine optimisation can no longer be conducted without the consent of the customer, and customer consent form should be simplified for the understanding of an ordinary computer or smart phone user. It was also acknowledged that the Personal data of non-corporate users is almost around 80% of the data under GDPR which is processed by companies, while 20% is the employee data and hence solutions need to be planned and designed basis same. 

It was acknowledged that countries like India, Singapore, Hong Kong have also adapted data privacy apart from Europe. Countries like South Africa have their own data privacy law POPI.

The IT adaptation in every individual life has penetrated to a large extent, in fact, it has impacted the way we live our lives and conduct our business, and this has rapidly involved in past 15  to 20 years and needs some form of governance hence idea to bring principles and ethics into the equation. The intent and heart to introduce GDPR is in the right place and companies would need to live with this new reality and comply. However to over seeing GDPR regulation would require highly intellectual indivituals with high integrity and conviction as there is possibility of alternative narrative been given and they would have to distinguish between narrative in interest of people and society against vested interested.

Security Operations Centre (SOC)

Security Operations Center:

A Security operations center (SOC) is that facility or multiple facilities of an organization or an organization’s service provider having qualified people using string set of technology solution and a strong set of process. The operation conducted by a SOC is of continuous monitoring, analyzing and responding to security posture and the threat to an organization.

The Three tenant of a Security Operating Center are People, Process and System. The harmonic synchronization of the three provides the organization with Visibility, Analysis, and Action.

- People: Includes trained people with certification, knowledge and vendor specific experience and skills.

- Process: Includes preparation, analysis, recovery, identification, containment, learning and knowledge retentions & transfer.

- System: Includes the End Point Protection, Perimeter Security, Data Center Security, Forensics and Incident Detection Management.

This allows for Data Aggregation, Data Analysis and 360 degree real time dashboard for the organization to detect, prevent and respond to any threat at the same time to do Forensics.

https://youtu.be/uj8PuaXyygU

The SOC operation typically can be broken up into Monitoring, Analyzing and Responding to Insider threat and that too of outsider threat.

-    The insider threat would typically be from employees or value chain partner like supplier and buyers. And organization would want the SOC to monitor Identity & Access Manager (IAM), Privileged Access Manager (PAM), Active Directory, Data Leakage Prevention(DLP), Compliance tools, etc.

-    The Outsider Threat is monitoring of Network Security – Firewall, Network IPS, Network Security Appliance for Email, The Web, etc., End Point Security, Data Center Security, NAC, Network Access Control.

A typical SOC would have some form of SIEM – Security Incident Event Monitoring and a Log collector to collect log from various security tools at various sites and some for security intelligence.

However, the security landscape has changed SIEM alone is no more as effective since the security and digital landscape has evolved. The threat landscape now also includes Social Engineering, Mobile devices & BYOD – Bring your own device has new challenges and threat thrown at the organization for application and content security. IoT – Internet of things present new form of security challenges, Industrial Security & Physical Security are as important as IT- Information technology security. And cloud migration brings new form of security integration challenges at least in short term. There is a lot happening outside the organization echo system in their industry and deep dark web which can affect the organization, its IT & Industrial asset, intellectual property and bring down their operation.

An organization should look at the tool and solution that address these new challenges to security in their Security Operating Center. All this requires to look into various facets of security, and this would involve data monitoring inside and outside of organization which is structured and unstructured at the same time would be in high volumes, varsity, and velocity hence organization or their service provider would need Artificial Intelligence (AI) to help them.

Future looking SOC would not just monitor IT, but also OT  (Operational Technology /Industrial) asset should have various advance treat analytics solution embedded along with threat intelligence, Integrated real-time dash board along with Forensic capabilities to allows access to the SOC provider customer in case organization use a third party SOC. Most importantly the SOC should be global and be having redundancy. It is imminent that Artificial intelligence is plugged to the SOC and the organization ties up with the external academics research center to get updates on research being carried out in the Security landscape.

Operating System Security

Security is a negative goal, and an attacker can break the system by many ways like permissions, disk locks, reuse memory, backup, steal disk, attackers grades.txt. The goals of Policy goals of an organization are Information Security and Liveness, which are as follows:

Information security goals include: Privacy- Limit who can read the data & Integrity: limit who can write the data.

Liveness Goals are: Availability- which is to ensure services are operational.

Operating system Security (OS Security) is the process of ensuring OS integrity, confidentiality, and availability. OS security refers to specific steps used to protect the OS from threat, viruses, malware or remote hacker intrusions.

Risk model of assumption: Threat modeling is a process by which potential risk can be identified, enumerated and prioritized from a possible attackers point of view. An adversary can be inside the organization or can be outside the organization. The adversary can be a hardware vendor, software vendor, administrator, employee or competitor, enemy state etc someone outside the network.

The threat model in this case are:

-   Adversary control some computers or network.

-   Adversary controls some software on computers.

-   The adversary is privy to some information such as password or keys.

-   Social engineering attacks.

- Adversary trying to hack or attack the network or system from outside.

Guard model of Security:

Typically in a client-server architecture, we would have some resource (data) on a server which would be accessed by the client. In guard model, the server would consult a guard for all access control decision. Hence this model follows complete mediation as the only way to access the resources which are via the guard.

The design of the guard model is on two basic principles which are Authentication and Authorisation, and this simplifies security.

The model works on following principles.

1.   Complete mediation: All resources are accessed only via the guard.

2.   Policy and Mechanism: High level concise and clear policy and well lined up security mechanism.

3.   The interaction between layers and components.

4.   Taking into cognizance social engineering and phishing attacks.

The challenges with model are:

1.   Complete mediation is challenging: Backdoor access also needs to checked.

2.   Software bugs in mediation.

3.   The disparity between Policy and Mechanism.

4.   Difficulty in enforcing policy and getting the desired outcome.

The Guard model does not provide full prove solution to all security challenges, another option we have is the separation of privilege. We can split the system into modules and give each module the least privilege to do its job.

1.   Use multiple physical machines. Separate machines for database and websites.

2.   Use of virtual machine to split.

3.   Application to be split in components.

Challenges in the Privilege separation

1.   The need for modules to share.

2.   Performance.

3.   The configuration of privileges.

4.   Reduce trusted software.

Trust computing base (TCB)

TCB is the set of hardware, firmware or software components, which are critical to its security systems. The bugs or vulnerability might affect the security property of the entire system. The principle is that all software that must be trusted to achieve security. The another theory is that less software would lead to fewer bugs and this would eventually lead to fewer exploits.

Challenges in TCB:

1.   Undermining of privilege separation.

2.   New and undiscovered class of bugs.

3.   Many bugs.

We also face security challenges due to Program, Compilers, and codes. We would need to take measures like disabling certain optimization, use bugs finding tools, look out for undefined behavior.

Cyber Security.

With the rise of acceptability and usage of Information Technology most of our data now resides in digital world and Information security is very critical aspect for today’s companies, institution, government and public sector. The companies’ data are vulnerable from external malicious attacks, through internal triggered data leakage and via information passed by emails or social network. As the concept of Bring your own devices to work place further catches up it is bringing new challenges for CXO’s at the work place. For Government as well the challenges are monitoring and securing their own Infrastructure at the same time with the evolution of social media, VOIP, Mobile etc which has many advantages but also possess potential treat and data monitoring is another aspect of Security surfacing. In future war would not be fought on battle field but in cyber world and cyber security is the most critical aspect, if a country targets top 10 Companies of a country and penetrate their IT infrastructure they can possibly bring down the economy, similarly different Government departments like Income tax, CBEC, EPFO, Defense etc are again very critical and cyber security has to be upmost priority. We recently had a case where Sony pictures in US was hacked by a Government of a country and Just last week Russian banks found out that their IT network for penetrated and around 2 billon per annum was transferred that exposed the Information Security vulnerability of these organizations. Information security not just requires right products like, HIPS, DLP, End Point protection, Control Compliance Suit, Encryption, MDM, Asset Management, and Patch Management etc but requires regular Audit and Monitoring. As we step in future we would have to manage legacy infrastructure with latest new and evolving technology and trends, Cloud commuting is inevitable and Organization would need to be ready to secure their Infrastructure from all possible threats.