Information is the heart of most security programs: by design, many of today's security technologies capture vast amounts of user, system and application data to provide a holistic view of your organization's vulnerabilities. Privacy and security should be designed to support each other, but oftentimes these big data security platforms create situations where the two practices conflict. There are practices and technologies you can implement, however, to help ensure privacy and data security coexist.
When navigating information security and privacy interests, it is very helpful -- and important -- to engage your legal team. Not only can general counsel assist with identifying where privacy and security mandates apply, but they can also arbitrate if and when one concept takes precedence over the other. In particular, international regulations such as the European Union data privacy laws can appear to clash with standard security principles such as user activity monitoring. In those cases, your legal team can provide guidance as to whether personal or employee privacy rights take precedence over the need to protect the organization through user activity monitoring.
Develop privacy-ready security tech
When it comes to technologies, it's important to consider that many of today's security tools such as SIEM, data loss prevention and even proxy servers are designed to capture as much user, system and application information as possible for monitoring and analysis. Configuring these tools properly according to your legal team's opinion regarding user privacy rights can also help maintain a high level of security.
For example, under the EU data privacy laws it would appear that the user activity captured by proxy servers, a very common security platform, conflicts with privacy rights. However, global security specifications such as PCI-DSS are very explicit regarding user and transaction-level logging. In many cases, it depends on your counsel's legal interpretation as to which type of litigation they are more concerned about defending: claims involving compromised security or complaints from employees about privacy rights violations.
One of the common techniques to avoid privacy concerns when configuring proxies is to simply record system information instead of user login information. Many of the protections that a proxy/content filtering solution offers are still effective, even without logging the authenticated user name. Also, many HR and legal teams can still act on system-level data such as workstation IP addresses should a user visit inappropriate sites or otherwise violate browsing policy.
As with proxies, discuss with your organization's HR and legal teams whether user-identifiable information should be recorded at all. If it is determined that this data absolutely needs to be recorded, another option is to mask any personally identifiable information (PII) recorded in application or system logs. In situations where numerous teams or staff members might be viewing PII, it is possible to record system or session information for monitoring purposes in one table, with the user-identifiable information associated with that session logged in a separate, more discreet table.
One common scenario for this type of "anonymous monitoring" is watching IP information for anomalous network activity and, when such activity is detected and a specific incident confirmed, referencing DHCP tables to link the IP address to a specific user ID.
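The split-table approach and the "anonymous monitoring" workflow just described, as an added example that is not code from the original article. It assumes constructed proxy log lines and a constructed DHCP lease table, a hypothetical re-identification key held only by the team authorized to link sessions to people, and an anomaly rule (repeated hits on one destination host) that operates on IP-level data alone.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample proxy log lines (not from the article):
# timestamp, client IP, authenticated user, destination host
PROXY_LOG = [
    "2024-01-10T09:00:01 10.0.0.5 alice intranet.example.com",
    "2024-01-10T09:00:02 10.0.0.7 bob cdn.example.net",
    "2024-01-10T09:00:03 10.0.0.5 alice badhost.example.org",
    "2024-01-10T09:00:04 10.0.0.5 alice badhost.example.org",
    "2024-01-10T09:00:05 10.0.0.5 alice badhost.example.org",
]

# Constructed DHCP lease table (IP -> user), kept apart from the monitoring data.
DHCP_LEASES = {"10.0.0.5": "alice", "10.0.0.7": "bob"}

# Hypothetical key held by the team allowed to re-identify sessions.
PSEUDONYM_KEY = b"rotate-me-per-policy"

def pseudonymize(user: str) -> str:
    """Keyed hash so the monitoring table never carries the login name."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]

def split_log(lines):
    """Split raw log lines into a monitoring table (system/session data only)
    and a separate, more discreet identity table (session -> user)."""
    monitoring, identity = [], {}
    for line in lines:
        ts, ip, user, host = line.split()
        session = pseudonymize(user)
        monitoring.append({"ts": ts, "ip": ip, "session": session, "host": host})
        identity[session] = user
    return monitoring, identity

def flag_anomalous_ips(monitoring, host, threshold=3):
    """Anomaly check on system-level data only: IPs hitting `host` at least
    `threshold` times. No user identity is needed at this stage."""
    hits = Counter(r["ip"] for r in monitoring if r["host"] == host)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def resolve_ip(ip, incident_confirmed, leases=DHCP_LEASES):
    """Link an IP to a user via the DHCP table, but only once an incident
    has been confirmed; until then the lookup is refused."""
    if not incident_confirmed:
        raise PermissionError("re-identification requires a confirmed incident")
    return leases.get(ip)
```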
Educate security personnel
In addition to selecting and configuring security solutions in a manner that supports information security and privacy efforts, you should also educate security personnel on appropriate skills and techniques. Even though it may seem obvious that security staff should be ethical and discreet when performing user activity monitoring and investigative tasks, it is not unusual for security staff to take liberties when communicating case details among themselves. That collaborative spirit can sometimes lead to eventual over-communication of details between security personnel and other teams or individuals within the company.
To help prevent privacy disclosures within the organization, periodically educate staff on the importance of keeping PII related to security monitoring or investigations on a need-to-know basis until the appropriate time. In most cases the ideal situation would be to suppress information about an event or case involving PII until HR or the legal department needs to be debriefed.
In addition to educating personnel on discretion, it is also worth reviewing your incident response plan and evidence gathering policies and procedures to ensure they adequately limit PII access to appropriate incident response personnel.
As individual concepts, information security and privacy are of paramount importance in today's business world. In certain situations, however, you may find that they have opposing interests. With assistance from your legal counsel, proper tuning of security platforms and education of personnel, you will find that most conflicts can be avoided to help fully satisfy both security and privacy objectives.