sign in sign up
<<
Home , Information security

LATEST THINKING

Security by design: embedding and into the enterprise architecture

Steve Jobs once said, ‘Design Embedding security into the fabric of high the penalties, regulation by itself an , and every aspect of the is not enough – particularly as many is a funny word. Some people way it works, is also to successfully operate a tick box think design means just how demonstrating compliance with the approach to compliance and/or audit. something looks. But of General Protection Regulation GDPR recognizes that the only way to course, if you dig deeper, it’s (GDPR). GDPR’s guiding principle is protect privacy in the digital age is to privacy by design. Although privacy make data protection a fundamental how it really works.’ by design and privacy by default were component, not only in the design and Designing and delivering something that originally introduced by the Canadian maintenance of systems, works is not just important in consumer Privacy Commissioner of Ontario as far but in every aspect of products: it should also underpin every back as the 1990s, these concepts and how organizations touch and use aspect of enterprise security, including have been embraced by regulators personal data. around the globe as the foundations for an organization’s enterprise security GDPR Article 25 (data protection by privacy protection. architecture (ESA). We all know what design and by default) codifies both happens when security puts barriers the concepts of privacy by design and in the way of people doing their jobs, GDPR – design over fine privacy by default. Under this article, but a well-designed ESA will reflect Putting privacy by design and data controllers and processors are the strategic goals of the organization privacy by default at the heart of required to implement the right technical and be flexible and scalable enough GDPR demonstrates that despite the and organizational control measures – to support new business ventures, noise surrounding penalties for non- not only when data is being processed, , processes and people. If an compliance, regulators don’t want to rely but when designing each of the data ESA is carefully designed to work the on fines to change the way organizations lifecycle stages: create, store, use, share, way the organization does, it will also treat personal identifiable data. With archive and destroy, by applying privacy facilitate the relevant regulatory and legal GDPR and other data protection laws, protection from the outset. An example requirements ‘by design’ – particularly legislators around the globe seek a of this is the use of of when integrating security operations and much wider transformation of enterprise personally identifiable information during governance with respect to culture. They understand that, however different lifecycle stages. and .

hello.global.ntt latest thinking | Security by design

The data controller must also ensure The seven principles of Managing this lifecycle in a way that, by default, only personal data which that works for every function in an is necessary for each specific processing privacy by design organization has often proved difficult purpose is actually processed. In Rather than bolt on data security at with the guardians of security and particular, this means ensuring that the end of a project or just ignore it privacy gaining an undeserved reputation personal data is not automatically made altogether, organizations that take for slowing projects down or increasing available to third parties without an a privacy by design approach will the costs. The age-old business tension individual’s consent. A practical example consider privacy and data protection of and reward can either result in of this is that if you were creating a compliance from the start when building roadblocks following failed security social media profile, the privacy settings new systems, considering sharing data risk or policy evaluation or worse – should, by default, be set on the most with third parties, or using data for with business functions circumventing privacy- friendly setting. Setting up new purposes. The organizations that , blasting through into profiles to be public by default will no take this approach will see trust, brand the unknown and taking on that longer be acceptable under the GDPR. reputation and commercial benefits very they do not fully understand or much in line with those delivered by a even consider. ESA – making privacy work, well- designed ESA such as: by design Solving these issues is much less about • reduced risk in failure to meet data technology and more about the culture, For enterprise security architecture protection compliance behaviour and understanding of data practitioners, the principle of privacy protection risk, and this is where we by design is nothing new. In many • increased awareness of privacy and return to the skills of the enterprise organizations, the function of ESA is not data protection culturally within the security architect. embedded into enterprise architecture; organization Our enterprise security architects as such, security is often an afterthought, • early identification of potential privacy are helping to challenge and change especially in the case of functions risks – reducing the time and money to and behaviours regarding new that process personal information on remediate issues data protection regulations in practical a regular basis such as marketing, HR, ways. Looking at GDPR and directives and finance. In our experience, the So let’s look at the seven principles of like Network and Information Security increase in brand- impacting cyber privacy by design: (NIS) and how these align with existing events, together with GDPR and other 1. proactive not reactive regulations across in other regions – compliance drivers are reigniting the need for ESA practitioner support in 2. privacy as the default setting projects and programs, as organizations 3. privacy embedded into design seek to align their operations against When using this model, we the inherent security risks of our second 4. full functionality encourage organizations to ask the following questions: industrial revolution. Enterprise security 5. end-to-end security architects have the skills and business • Is privacy by design applied at 6. visibility and transparency understanding to help those outside every SDLC phase? traditional security and governance 7. respect for privacy roles to design and apply privacy by • Are risks defined, measured design and default principles. Enterprise Of all these valuable principles, if we and managed? had to pick two that will make the most security architects have a holistic view • Are risks aligned with the impact on GDPR compliance and best of the business and its objectives, so are right control layers, are these practice security they would be ‘privacy able to advise on wider correctly applied and effective? strategies. Their job is to provide a embedded into design’ and ‘end-to-end security architecture that enables the security’. Both of these points reinforce • Is there an effective ESA business to meet its goals securely, the need for strong security controls at and governance to support not stop it in its tracks. A closer look every stage of the data lifecycle; from enablement of policies, at the principles of security by design before data is collected, right the way standards and processes? demonstrates the synergy with ESA. through to when it is destroyed.

Development Testing Production Disposal

• initiation • integration testing • operations • Decommis sion • concept • implementation • maintenance • planning • • design • development

Figure 1 Privacy by design – tuning SDLC model

hello.global.ntt latest thinking | Security by design

such as Privacy Shield in the US, Act on Transforming compliance – And so for many business functions, the Protection of Personal Information there appears to be little or no (APPI) in Japan or the Protection of more business understanding, understanding or context to their Personal Information (POPI) in South less box ticking decision making. This disconnect not Africa – our experts translate client- only leads to other business functions If new regulations and directives such operated models like the complaining of an apparent tick box as GDPR and NIS Directive are to be Development Life Cycle (SDLC, Figure approach to compliance that impacts successful in their aspiration to change 1) linking the application of security operational and project delivery – but cultures and implement enterprise controls and taxonomy. Tuning this in our experience, also tends to result privacy, data protection must emerge as familiar approach to consider (or perhaps in increasing operational cost, poorly- an integral element of how a business encapsulate) privacy by design can help defined enterprise security controls, works. Historically, some Governance, an organization focus on GDPR good inconsistent security practices and Risk and Compliance audit teams have practices and ensure that data protection greater organizational complexity. contributed to their less than glowing and security are applied, by design, end- reputation, by applying controls or As we have established in this paper, in to-end across the enterprise. standard industry templates and order to embed privacy and security into frameworks that are not in tune with every part of the enterprise, business the enterprise strategy, organizational leaders and security leaders must align objectives or Key Success with a clearly-defined enterprise risk Factors (KSFs).

Development Benefits of a well-designed ESA

The Business • Visibility: Proactive insight, essential for good corporate governance and executive decision making, helps mitigate or avoid security incidents, reducing impact on brand and bottom line. • Strategy: Business functions play a stronger part in strategy enablement, leading to improved operations and performance, and increased revenue through better utilization of security and business assets. • Risk management: Security by design is a business enabler – providing dynamic support for business challenges and change.

Central or Group • Visibility: Enterprise-wide insight into business unit and departmental Key Success Factors (KSFs). Functions • Strategy: Enables development of an umbrella strategy, flexible enough to take into consideration the individual objectives and needs of the business units. • Risk management: Provides essential data to technology operations, supporting the evaluation of current ‘known – unknowns’, as well as ‘unknown – unknowns’.

Departments and • Visibility: Wider business gains clear understanding of the individual missions and key business Business Units constraints that may affect business units’ go-to-market strategies. • Risk management: Focus on good practice to support, evaluate and mediate where objectives are at odds.

Investors / Shareholders • Visibility: Evaluate current control assets and security programs to identify business value and ROI. • Strategy: Identify improvements to current control assets that will reduce operational costs, improving operating profit. • Risk management: Helps management identify and prioritize cyber risks, to mitigate or avoid incidents, reducing likelihood of brand and share price volatility.

Customers • Strategy: Organization has effective corporate governance, with embedded ‘security by design’ culture that takes customer data and privacy seriously. • Risk management: Continuous service improvements in cybersecurity controls, processes, standards and responses help to grow brand trust.

Industry Stakeholders • Strategy: Organizations which invest in aspects such as customer data protection, cybersecurity and Regulators practices and embedded ‘security by design’ culture, will be recognized for market-leading ambition. • Risk management: ‘Security by design’ strategy will be seen as commitment to taking regulations like GDPR and the NIS Directive seriously, business wide.

Figure 2: Organizations with a business-aligned, privacy-focused ESA function can see trust, brand reputation and commercial benefits including those listed above

hello.global.ntt latest thinking | Security by design

strategy. Only when this is agreed can For some forward-looking organizations, Privacy by design and default are business analysts, enterprise architects GDPR has become the catalyst for more undoubtedly principles shared by and enterprise security architects work than just the creation of another tick box both GDPR and enterprise security together on the evaluation and design of compliance exercise. As those entrusted architecture. But as GDPR will not be the right enterprise security architecture with driving GDPR projects, generally not the last legislation organizations have to to support the enterprise data lifecycle, IT professionals, seek to work with their face, the sooner they enable a business- as well as addressing evolving business security colleagues, the privacy by design aligned ESA function, the better prepared risks. An enterprise security architect concepts are igniting new conversations they will be for whatever comes next. will fully understand and have agreed about enterprise risk management as with relevant executive stakeholders a way to evaluate return on investment the organization’s appetite for risk. Only in people, processes and technology. with this intelligence front of mind can Enterprise security architects, who are they support the design and alignment also more business professionals than of the relevant policies, standards and deep technologists, can often form an processes, with the organization’s goals effective bridge in these conversations and governance framework. about risk in terms of aspects such as: evaluation, return on investment Privacy by design – the (ROI), or annualized loss principle for ESA expectancy (ALE). We have also seen the focus on GDPR Taking a step back from day-to-day result in resourcing discussions. security activities and technology Ensuring the appropriate levels of activity maintenance can be difficult. The in areas such as alert management pressures of too many tasks and not and incident response has led some enough resources can force many organizations to use managed security organizations to become reactive and services to provide the right flexible tactical in their approach to security. But access to resource and response. Having for organizations that want to regain a well-designed ESA also helps establish control of how and where resources are the context for third- party partners invested for maximum impact, designing to be effectively deployed, briefed an enterprise security architecture not and managed to provide proactive only highlights security complexity, intelligence as part of an organization’s but can provide end-to-end visibility of end-to-end security. practices and controls and proactively bring privacy and risk management strategies in-line with the enterprise strategy and compliance.

Disclaimer: The work described in this thought leadership was performed while the company was known as NTT Security.

hello.global.ntt