International Data Privacy Day is right around the corner. How can organizations ensure their information and that of their customers is secure and protected?
On January 28, the world will recognize International Data Privacy Day, observed in Europe as Data Protection Day.
This takes place around the globe in an international effort to empower and encourage individuals and businesses to respect privacy, safeguard data, and enable trust between all people.
At Progress, we have a strong commitment to protecting our data and that of our customers, employees and vendors/service providers, especially during this time of new legal challenges caused by rapid technological development. To act on this commitment, we have in-house experts who run internal and external programs to oversee data and information security programs.
Privacy is still challenging, and a growing number of new COVID-19 applications are intended to trace your location and your recent exposures to COVID-19, and to capture your vaccination status. Privacy isn’t going away. In fact, it’s probably more important now than ever, because the evolving world of remote connectivity is forcing organizations to quickly adopt more digital practices than they were accustomed to. As a result, more data is captured, stored or processed.
How should organizations develop their applications or systems with privacy in mind?
Build applications with Privacy by Design concepts. Be proactive and anticipate the threats to your application and its ability to stay private. Developers following the standard system development lifecycle start with design early in the process. By designing your application with privacy in mind, you give it a better chance of achieving privacy for your users or processes. Define privacy of data as a key requirement for your application.
Understand what data you plan to capture and whether that data has any privacy implications, such as capturing personal email addresses, vaccination information, age, or religion, just to name a few. Knowing what data your system actually needs could result in a decision to limit the type of data submitted to or stored in your application.
Be aware of how data flows through your system. Be transparent and open on how the data is protected from attackers. Easier said than done, right? No system is perfect.
Take a systematic and iterative approach, and focus on understanding the user personas that interface with and use your application, and how they do so. Will the user need to share information with other parties through email or chat messages? Will your application need to interface with other systems? How do you protect who can access your data and the governance of the data within? These are all good questions to ask during the design phase so you can highlight which areas of your application need to be tackled first to achieve privacy.
We defined what needs to be private and how to protect our data. What’s next?
Obviously, you start to code or develop your application. And when you are done building your awesome application, you should have a detailed test plan. Trust but verify, and ensure that your application is free from logic flaws that result in unauthorized access. As part of your quality assurance, have specific test cases that make sure one system profile can’t access additional information that it wasn’t originally entitled to.
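One way to write the entitlement test cases described above, as an added example that is not part of the original article: the profiles, fields, records and function names are all hypothetical. The test walks every profile, caller and record combination and reports any field returned beyond what a separately stated policy allows, and a deliberately flawed reader shows what a failure looks like.

```python
from itertools import product

# Constructed policy: fields each profile is entitled to read.
ENTITLEMENTS = {
    "patient": {"name", "email", "vaccination_status"},
    "support_agent": {"name", "email"},
    "analytics_job": {"age_band"},
}
# Constructed sample records; "religion" is stored but no profile may read it.
RECORDS = {
    "u1": {"owner": "alice", "name": "Alice", "email": "alice@example.test",
           "vaccination_status": "complete", "age_band": "30-39", "religion": "x"},
    "u2": {"owner": "bob", "name": "Bob", "email": "bob@example.test",
           "vaccination_status": "partial", "age_band": "40-49", "religion": "y"},
}
CALLERS = ["alice", "bob"]

def entitled_fields(profile, caller, record):
    """Specification of the policy, kept separate from the code under test."""
    if profile == "patient" and record["owner"] != caller:
        return set()  # patients may read only their own record
    return ENTITLEMENTS.get(profile, set())  # unknown profile: nothing

def read_record(profile, caller, record_id):
    """Toy system under test: filters fields and enforces ownership."""
    record = RECORDS[record_id]
    if profile == "patient" and record["owner"] != caller:
        return {}
    allowed = ENTITLEMENTS.get(profile, set())
    return {k: v for k, v in record.items() if k in allowed}

def leaky_read_record(profile, caller, record_id):
    """Same reader with the ownership check forgotten (constructed flaw)."""
    allowed = ENTITLEMENTS.get(profile, set())
    return {k: v for k, v in RECORDS[record_id].items() if k in allowed}

def find_entitlement_violations(reader):
    """Try every profile x caller x record; report fields beyond entitlement."""
    violations = []
    profiles = [*ENTITLEMENTS, "unknown_profile"]
    for profile, caller, rid in product(profiles, CALLERS, RECORDS):
        leaked = set(reader(profile, caller, rid)) - entitled_fields(
            profile, caller, RECORDS[rid])
        if leaked:
            violations.append((profile, caller, rid, sorted(leaked)))
    return violations

if __name__ == "__main__":
    print(find_entitlement_violations(read_record))
    print(find_entitlement_violations(leaky_read_record))
```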
That takes care of the logic. Don’t forget metadata. Does your system collect metadata that can be patched together and subvert all your privacy designs? Include testing the application code, and check for flaws or insecure system configurations. Talk to your security team or hire a security expert who incorporates privacy as part of their testing, and not just security vulnerability tests with the intent to hack your system. Once you have all your test results, more than likely you will have some gaps that you will need to address.
Wait, I have a deadline to meet, and we promised we would release our app next week?
Sounds familiar—you will have to prioritize and identify the risks of not fixing your application. Is fixing one part of the application more important than the other? Only you and your business know that answer and have a sense of what is valuable to your business and your customers.
Don’t forget some of the trends to watch for in 2022. How can companies get ahead of what is coming next?
Last year was full of software supply chain incidents and ransomware attacks, which can pose a risk to your application’s privacy. I foresee it won’t change much this coming year. If you understand how you built your application, what technology stack it was developed on, the associated threats to your organization and who is likely to attack your application, you are ahead of the game. You will have prepared for the worst and taken the necessary steps to keep the bad guys away from your system, or made it that much more expensive to attack.
In conclusion, know what data you need to capture and what needs to be private. Design your system knowing how your application will be used and how it can maintain privacy. After you’ve designed and purpose-built your application, test, test, and test. You will find flaws, and you will need to determine whether you must fix your gaps now because it is important to your business and your customers, or whether you can delay the fix because the privacy impact or risk of not fixing an area of your application means it makes business sense to fix it in the next release and still achieve privacy.
Richard Barretto
Richard Barretto is the Chief Information Security Officer at Progress. Richard and his team are responsible for overseeing and developing the data protection strategy for Progress enterprise. He joined the company back in 2020 and has 20-plus years of experience as a cyber security professional. In his free time, he likes playing tennis and spending time with family.