Security vs. Privacy, the Difference is Epic
The ideals of security and privacy are often commingled, even used interchangeably in certain circles. In most circumstances, especially in large enterprises, it is important to separate the two as distinct and mutually exclusive goals. Yet we, as cyber professionals, should strive to balance the two: ensuring the security controls we apply do not erode the reasonable expectation of privacy, while also ensuring that the implementation of privacy mechanisms is not exploited to circumvent security policies. It is a tough ask, but we must be up to the challenge.
One real-world example of this need for balance is monitoring employee web access. Enterprises need to ensure users are not exposing corporate data or customer information to unapproved parties through unapproved channels. This is made more complicated by decentralized users who are working from home and the ever-increasing availability of cloud services and data brokers, creating a monitoring and compliance nightmare. But, crazy as it sounds, that is the easy part.
Now comes the hard part: monitoring the data. What is it? Is it tagged? Does it need to be scanned? When do we scan it? Where is it going? Who is it shared with? Mitigating controls for this need cross many boundaries, including data posture management, data loss prevention, and user and platform mitigations. If we implement all this, where does that leave user privacy?
Case law supports employers' right to monitor employee use of company-owned assets; however, privacy laws dictate that the information collected must be relevant to published policies, and any private information collected must be protected and/or destroyed. Any exposure of that information, collected in compliance or not, opens the company up to litigation. In other words, if your company monitors your internet traffic to make sure you don't email or post company secrets on the internet, and they capture your social security number because you filled out your child's school registration page on your work computer, your employer has to protect that information from exposure and delete it if it is not relevant to protecting company assets. But what about information not deemed "sensitive"? How do we prevent that from being used inappropriately?
In the course of your work day, your employer captures all kinds of information about you, such as the dating sites you use, where you shop, the sports teams you like, and the schools you attended. These bits of information can be used to profile you and, in the wrong hands, to discriminate against you. In this case, under the veil of security controls, your privacy can be compromised. Without controls in place to manage the lifecycle of that data, your career is at risk. Imagine, though, if this proliferation of data collection continued unchecked and impacted your health or even your life.
With the public's increasing awareness of data privacy issues, I was shocked to learn the EPIC medical billing platform has integrated voter registration data into its charts.
Although it is illegal to take a picture of your ballot in a polling place, how you vote and what party you register with is considered public data. In and of itself, this bit of information about you is not significant. However, once populated into an unrelated medical chart, it could impact your health. During an emergency, is it now necessary to ask ourselves, "What controls are in place to ensure that this data is not used to de-prioritize my wait time in the ER?" When scheduling surgeries, is our voting information being taken into account? Are we being assigned doctors based on party affiliation, or on whether we agreed to register to vote at the doctor's office? Typical cyber teams are not asked to take these matters into account when approving systems for use, but these are not typical times. Security and privacy matter more than ever, and neither should be implemented at the expense of the other.
As cyber professionals, we must balance the security and privacy of all parties involved when approving the use of these systems. This is not a time to meet the minimum requirements of a framework to satisfy regulations. We must go deeper and take our ability to monitor and control data lineage and the complete lifecycle into account, especially with COTS (Commercial Off The Shelf) applications or platforms like Epic. Data ingress and egress of these platforms can change without notice and vendors rarely provide an updated SBOM (Software Bill of Materials) or DFD (Data Flow Diagram) to assist in evaluation. Although vendors often keep us in the dark, we must stay vigilant and go beyond framework minimums to do what is right.
Ensuring application environments, including transit and edge networks, are architected with observability in mind is crucial. Our systems should detect flow, session, and API spec changes and inspect data in transit. Introducing mitigating controls such as API security tools to monitor the data exchanges of COTS applications and services is especially important. Without these controls, how can we ensure actual data flows are what we expect and that requests and responses match our documentation? More importantly, how do we ensure the integrity of our data and meet our customers' expectations of confidentiality and responsiveness?
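One way to put the "do actual flows match our documentation?" check into practice, as an added example that is not code from Epic or any vendor: compare what an API monitoring point observes against a hand-maintained allowlist standing in for the DFD the vendor should have supplied. The allowlist, endpoint names, hostnames and log lines below are all constructed for illustration.

```python
"""Detect data-flow drift in a COTS platform's API exchanges.

Added example, not vendor code. DOCUMENTED_FLOWS is a constructed stand-in for
the DFD/API spec; OBSERVED_LOG is a constructed stand-in for API gateway output.
"""
import json

# Per documented endpoint: fields a response may carry, destinations allowed.
DOCUMENTED_FLOWS = {
    "GET /patients/{id}": {
        "fields": {"patient_id", "name", "dob", "allergies"},
        "destinations": {"ehr.internal.example"},
    },
    "POST /billing/claims": {
        "fields": {"claim_id", "patient_id", "amount"},
        "destinations": {"clearinghouse.example"},
    },
}

# Constructed observations, one JSON object per line (hypothetical hostnames).
OBSERVED_LOG = """
{"endpoint": "GET /patients/{id}", "dest": "ehr.internal.example", "body": {"patient_id": 7, "name": "A", "dob": "1970-01-01", "allergies": []}}
{"endpoint": "GET /patients/{id}", "dest": "ehr.internal.example", "body": {"patient_id": 8, "name": "B", "dob": "1980-02-02", "voter_party": "X"}}
{"endpoint": "POST /billing/claims", "dest": "analytics.thirdparty.example", "body": {"claim_id": 1, "patient_id": 8, "amount": 12.5}}
{"endpoint": "POST /enrich/voter", "dest": "data-broker.example", "body": {"patient_id": 8}}
"""


def detect_drift(spec, log_text):
    """Return one finding per exchange that departs from the documented flows."""
    findings = []
    records = [ln for ln in log_text.splitlines() if ln.strip()]
    for n, line in enumerate(records, 1):
        rec = json.loads(line)
        doc = spec.get(rec["endpoint"])
        if doc is None:  # endpoint the DFD never mentioned
            findings.append(f"line {n}: undocumented endpoint {rec['endpoint']} -> {rec['dest']}")
            continue
        extra = set(rec["body"]) - doc["fields"]  # fields the spec never listed
        if extra:
            findings.append(f"line {n}: undocumented field(s) {sorted(extra)} on {rec['endpoint']}")
        if rec["dest"] not in doc["destinations"]:  # data leaving to an unapproved party
            findings.append(f"line {n}: {rec['endpoint']} sent to unapproved destination {rec['dest']}")
    return findings


if __name__ == "__main__":
    for finding in detect_drift(DOCUMENTED_FLOWS, OBSERVED_LOG):
        print(finding)
```

Each finding is a prompt to re-open the approval of the platform: a new field in a chart, a new destination for billing data, or an endpoint the documentation never described.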
Data is the new currency. Most people are tasked with making data exchange happen, so it falls to cyber teams to ensure responsible use of data, sensitive or not. As cyber professionals, we must be able to attest to the confidentiality, integrity, and availability of our systems. As consumers, we must demand this accountability as if our lives depend on it.