SESSION ID: LAB4-R08 Demystified – You too can be a Privacy

Michele D. Guel Deepika Gupta Khadija Amin Distinguished Engineer Security Architect/ Technical Leader Cloud Security Architect, Security Business Group Security & Trust Organization Collaboration Security Cisco Cisco Cisco @MicheleDGuel @deepika00gupta @khadijamin

#RSAC #RSAC Workshop Flow

Facilitator intro Table set-up & Handouts Ice Breaker Activity Foundations Class Exercises (5) Class Discussion & Wrap

This Photo by Unknown Author is licensed under CC BY-SA

2 #RSAC Ice Breaker Activity

1. Introduce yourself (name only) 2. Share one of your most used mobile apps (e.g.,Wayz) 3. Provide one example of personal information you provided to app.

3 #RSAC

Why this class?

“The rapid pace of technology innovation, paired with the maturation of the Internet of Things, automation efforts and big/deep data analysis, creates a world where ensuring data privacy seems impossible… But we must keep trying!”

4 #RSAC Workshop Goals

Understand the critical role privacy engineering plays. Understand the impact of the changing privacy landscape. Gain basic understanding of the main steps of the privacy engineering process. Gain experience in working through a sub-portion of the privacy engineering process.

5 #RSAC What is Considered Personal Information?

• Any data that identifies an individual or from which you can derive, identify or contract information of an individual. • This includes otherwise non-personal information when you associate or combine with .

This Photo by Unknown Author is licensed under CC BY-ND

Data Privacy is the fair and authorized processing of personal information or PII.

6 #RSAC Privacy Regulation is Evolving Rapidly

7 years

1980 1995+ 2013 2020 OECD Privacy By Updated California Consumer Guidelines Design OECD Guidelines Privacy Protection

1995 2011 2018 Beyond 2020 European Privacy General Data Many more to Union Data by Protection come Directive Redesign Regulation

43 years #RSAC A Key Principles of GDPR and CCPA

GDPR CCPA Lawfulness, fairness and transparency The right to know what data is being Purpose limitation collected. Data minimization The right to say “no” to sharing of data. Accuracy The right to know if their personal Storage limitation information is sold or disclosed. Integrity and (security) The right to access their personal Accountability information.

8 #RSAC Failure to Uphold the Principles Leads to Fines #RSAC

Class Discussion

What are some examples of an application design flaw that violates privacy principles? #RSAC Some Example Design Flaws

• The online portal does not use multi-factor authentication and accounts are easily compromised. • The app stores personal information on an archive system that does not have an option to delete old data. • The app authentication process temporarily stores username/password information in a log file during authentication process. • The application does not perform proper input validation leading to a cross-site scripting attack and leak of personal information.

11 #RSAC Security and Privacy are Different But Intersecting

Context Confidentiality

Protection Security of personal Privacy information Integrity Accountability

Availability Transparency

12 #RSAC One Definition for Privacy Engineering

“A methodology to design, build, and manage “things” that process PII in a manner that provides appropriate levels of privacy throughout the lifecycle of the data that is processed.”

13 #RSAC • Scope the data Privacy Engineering lifecycle • Review corporate privacy policy • Identify privacy requirements Plan • Write user stories

• Privacy policy • Identify risk, threat and • Privacy requirements vulnerabilities • Privacy controls Monitor Develop • Determine and embed PEP and PETs • Review & update with • Begin PIA and update as needed required remediation

• Monitor for changes in • Validate controls through testing privacy regulation • Update PIA if needed Operationalize privacy Operate Validate • Develop Privacy Data Sheet controls

• Publish Privacy Data Sheet Launch • Update Privacy Policy if needed

14 #RSAC Privacy Engineering Focus Areas

The technical architecture and controls should address the following areas:

Data Context Security Legal Basis Transparency Accountability and Operational Use Limitations Requirements Collection Limitations Data Minimization Onward Transfer Retention and Deletion Proportionality Individual Rights

We will define the specific controls as we address them in the exercises.

15 #RSAC

Use Case Overview and Class Exercises #RSAC HealthyFoodForU App

Health food ordering mobile application. Subscribe to multiple health food markets and fast (but healthy) food restaurants. Requires registration and profile creation. Customize your profile based on dietary goals, favorite foods and dietary or allergy restrictions.

17 #RSAC Basic Application Requirements Authenticated login (username/password). Profile must contain: – Full name, email address and mobile contact number Profile may contain: – DOB, food favorites, food allergy information, dietary restrictions, billing address, credit card information, preferred food providers, preferred delivery vendor, repeat order information Each order must specify: – Mobile phone, delivery address, credit card information, name of person to receive order. User must choose email or txt for receipt.

18 #RSAC HealthyFoodForU App – Functional Diagram

Development + Requirements Health Food Health Food Delivery Team Markets Vendors Vendors

Customer Data Center Service Agent

HeathlyAndFreshForU Web Server

Admin Interface healthyAndFreshForU Host Application DB Admin Mobile App DB Reg Registered New York, NY User User Data * Data Center

HeathlyAndFreshForU Web Server Admin Interface App Admin

Host Application Internet (any geographical location) DB Seatlle, WA #RSAC HealthyFoodForU - Use Case Diagram: User Registration

Development + Requirements Team

Data Center Success

Mobile App

Success

HealthyFoodForU Web Server Name Name Database Registered Email id Email id Mobile Mobile Name Credit Card Credit Card Email id Dietary Dietary Mobile Preference Preference Credit Card Dietary Preference

User

Internet (any geographical location) #RSAC Workshop Exercises – Limited focus on first two phases

Plan Phase: – Exercise 1: Scope the data and write the data inventory – Exercise 2: Review use case diagram & develop requirements – Exercise 3: Create user stories Develop Phase: – Exercise 4: Identify risk, threat and vulnerabilities – Exercise 5: Map privacy user stories to PEPs and PETs – Exercise 6: Begin privacy impact assessment

21 #RSAC

Exercise 1: Scope the data and understand the context #RSAC It’s All About the Context

What data is being collected? Why (for what purpose) is the data being collected? Who is collecting the data? Where is the data being stored? Whom is the data shared with? When does it get shared, deleted, modified or combined?

23 #RSAC Different Flavors of Personal Information (PII) Direct PII ( Linked Information) – any piece of personal information that can be directly used to identify an individual – Examples : Full name, date of birth, home address Indirect PII ( Linkable Information ) – information that on its own may not be able to identify a person, but when combined with another piece of information could identify, trace, or locate a person. – Examples: Gender, ethnicity, non-specific age Sensitive PII – is defined as information that if lost, compromised, or disclosed could result in “substantial harm”, embarrassment, inconvenience, or unfairness to an individual. – Example: Social Security Number, credit score, sexual orientation

24 #RSAC Data Inventory

• Performing a full data inventory is one of the first steps in a privacy workshop. • We have completed it here for you today to expedite the workshop. • You need to consider how the app is “using” information.

First Name Preferred Food Providers Profile login name Last Name Preferred Delivery Vendors Profile Password Email Address Delivery Address Daily Calorie Goal Mobile Contact Number Name of person receiving order Date of Birth Repeat order information Favorite Foods Billing Address

Food Allergies Credit Card Information Dietary restrictions Drivers License Number #RSAC Exercise 1: Classify data element by type of PII

In this exercise, use only the data inventory in RED in previous slide – First Name, Last Name, Email Id, Mobile Number, Credit Card Number, Dietary Restrictions Put these data element to the column it pertains. #RSAC

Exercise 2: Identify privacy requirements from corporate policy & review use case diagram #RSAC Privacy Requirements Evolve from the Privacy Policy

Typical Elements A privacy policy is a statement or a Collection of personal information legal document (in ) that Use of personal information discloses some or all of the ways a Access to and accuracy of your personal party gathers, uses, discloses, and information manages a customer or client's data. It fulfills a legal requirement to protect a Your “choices” and selecting your customer or client's privacy. communication preferences Sharing your personal protections for your personal information … and more #RSAC Understand your Organization’s Privacy Policy What does HealthyFoodForU’s Enterprise Privacy Policy say about these controls : Purpose – We will use your Personal Information for the purposes of operating our business, delivering, improving, and customizing our websites and Solutions, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law – We will use your personal information for the purpose it was collected and will not use it for a different purpose without first asking for your permission Collection – we may collect data, including personal information, about you as you use our websites and Solutions and interact with us. – we also collect personal information from trusted third-party sources and engage third parties to collect personal information to assist us” Third Party – There are multiple statements about third parties: • Third parties may combine the data collected over time with other services • They engage with third parties to collect personal information for them • The third parties they engage with may automatically collect information through cookies, web logs, or beacons • They provide a method for opting out of sharing personal information with third parties • They may transfer information to third parties – They will provide notice if they share personal information to third parties which is outside of the purpose for which it was collected

29 #RSAC Exercise 2 Example 1 : Identify Privacy requirements

HealthyFoodForU’s Notice Privacy Control – we will ask your permission before we share your personal information with third parties for any purpose other than the reason you provided it or as otherwise stated in our Online Privacy Statement” “Notices will be provided in one or more of the following formats: posting a notice on our websites, by sending an email, or otherwise contacting you Data Element (s) Where will Will it be Will it be Privacy Requirement notice be presented when a presented on any presented or user registers webpage to collect made available or display First Name, Last The user will be Yes, as part of the The user will be The application must have Name, redirected to a web user registration redirected to a web the ability to provide a Email id, Mobile page which process by sending page which displays notice as part of the user Number, Credit displays the notice the user to a site to the notice registration process by Card, Dietary “read and approve” sending the user to a site to Restrictions before fully “read and approve” before registering their fully registering their profile profile 30 #RSAC Exercise 2 Example 2: Identify Privacy requirements

HealthyFoodForU’s Minimization Control – The Personal Information we may collect, or process will be proportional to the purposes for which it is required in terms of sensitivity, identifiability, and quantity. Where possible, the organization will use de-identification, , and anonymization techniques in the processing of the personal information provided to them

Data Element (s) Can you mask, Can you ask for your Privacy Requirement pseudonymize, data in a way that you anonymize, truncate get ranges instead of elements not needed PII Credit Card The Credit Card should be Does not apply to this The application must have the masked with the last 4 digits data element ability to mask the Sensitive PII - visible Credit card with the last 4 digits visible, when displaying it back to the User on the web page

31 #RSAC Exercise 2: Review Use Case Diagram

Using the “Discussion Guide” handout, review and answer the questions for each of the focus framework areas. Let’s focus on the following data elements: – First Name, Last Name, Email Address, Mobile Number, Credit Card, Dietary Restrictions For this exercise, focus on these framework areas: – Purpose, Collection, and Third-party Processors Discuss answers at your table.

32 #RSAC

Exercise 3: Define user stories #RSAC Privacy User Story

For the privacy engineer a Privacy User Story is one that is targeted at negating privacy harms or implementing privacy controls. Example: – “As a Registered User, I need the ability to edit my profile information to correct any errors.“ – “As a Developer, I need to know the single source of truth where the data This Photo by Unknown Author is licensed under CC BY-SA will be stored so I can code the logic.”

34 #RSAC Exercise 3: Examples of Privacy User Stories

Persona Privacy User Story

Developer As a Developer, I need to make sure end to end operation of user’s data is minimized. For example full credit card number is not displayed on “view profile”.

Data Protection Officer As the Data Protection Officer, I need to be certain that users’ personal information such as credit card numbers are properly secured so we can be compliant with GDPR and CCPA regulations. User As a User, I should be able to view and check “Terms and Agreement” and accept it before finishing the registration process.

User As a User, I should be able to easily understand where my data is being my shared. #RSAC Exercise 3: Create a User Story

In this exercise, discuss the example user stories and then create one new user story for a selected persona below: – User, Developer or Data Protection Officer #RSAC

Exercise 4: Identify risks, threats and vulnerabilities The importance of understanding privacy risk and threats #RSAC The privacy control frameworks are designed to help prevent threats, vulnerabilities and risks from happening. Gaps in controls or incorrect implementation of controls introduces risk and creates vulnerabilities that threats can take advantage of and cause harm. In exercise 4, we will consider if the risks are addressed by design/controls. Term Definition Example Asset The object of focus for the threat actor (either directly or User medical records. indirectly) to use as a stepping stone to get to desired object. Threat Anything that can exploit a vulnerability, intentionally or An internal bad actor looking to accidentally, and obtain, damage or destroy an asset. steal PII. Vulnerability A weakness or gap in our protection and data management No visibility to anomalous user efforts that can be exploited by a threat actor to gain behavior (e.g. No user or entity unauthorized access to an asset. behavior analytics). Risk The potential for loss, damage or destruction of an asset as a A data breach involving result of a threat exploiting a vulnerability. The common exfiltration of 20,000 medical equation use is “Asset + Threat + Vulnerability = Risk” records from a hospital database.

38 Exercise 4: Identify Privacy Risks, Threats and #RSAC Vulnerabilities For each of your user stories, think about the data captured, who the threat actor(s) might be, avenues to gain access and elements of risk for our use case. Let’s do one example together: – Asset of interest: credit card information – Threat Actor: hacker interested in selling credit card information – Vulnerability: on certain platforms, the username and password are stored in the log during authentication. Log information can be viewed by threat actors. – Risk: credit card information can be gathered and sold illegally.

39 #RSAC

Exercise 5: Map privacy user stories to PEPs and PETs #RSAC Privacy Enhancing Technologies (PETs)

Privacy-enhancing technologies (PETs) are the standardized term for technologies that can provide the controls necessary in the privacy policy. PETs provide systemic, technical controls to help protect personal information in products, offerings, solutions, and applications. Example technologies:

This Photo by Unknown Author is licensed under CC BY-SA-NC – Access Control to Personal Data – Identity Management – Hypertext Transfer Protocol Secure (HTTPS) for data transfer

41 #RSAC Privacy Enhancing Processes (PEPs)

PEPs are controls implemented through process (and not technology). PEPs require privacy awareness and documented steps in our processes to support the privacy control categories. PEPs support PETs Example processes: – Process to grant access to personal data This Photo by Unknown Author is licensed under CC BY-NC-ND – Data protection policy

42 #RSAC Exercise 5: Map user stories to PEPs and PETS In this exercise, use the privacy user stories we shared in Exercise 3. Consider the threats, vulnerabilities and risk you outlined in Exercise 4. Identify the control area and a PET/PET to address the risk. User worksheet 3 again, focus on last two columns. Let’s do one example together:

Persona Privacy User Story Control Area PET/PEP “As a developer, I need to Developer make sure end to end Data Minimization Data Masking operation of user’s data is minimized. For example, full credit card is not displayed on view profile. “

43 #RSAC

Class Discussion: Privacy Impact Assessment #RSAC The Privacy Impact Assessment (PIA )

The PIA is a process for managing risks to data privacy caused by the processing of personal data. The PIA provides a systematic means of answering questions like: – How is the data it being collected, processed and stored? – What are the existing controls for data protection? – What aspects of processing can potentially cause harm to concerned individuals, the organization, or the public? Article 35 of GDPR “the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing.” There is no one specification for a PIA. All the information you have documented thus far will help complete the PIA. The process of completing the PIA will help identify additional gaps in architecture to address privacy issues. #RSAC Class Discussion

Let’s look the PIA template in your workbook. We need to consider all the information from the previous exercises. Let’s focus on the following sections: – Data inventory – Collection – Sharing

46 #RSAC

Additional Class Discussion (if time permits) #RSAC Apply what you have learned today

Immediate Within 90 days Within 180 days • Complete the class • Socialize importance of • Incorporate privacy exercises. privacy engineering with engineering as part of • Review answers with your organization. the development out completed answer • Give an overview to process. sheet. others in your group • Read The Privacy • Share your experience based on this workshop. Engineer’s Manifesto with a co-worker. • Expand your privacy and Companion • Review privacy knowledges at IAPP web Guide. processes in place at portal. • Take training to your organization. obtain a privacy certification.

Download our version of the answer sheet on google drive SESSION ID: LAB4-R08 Thank You! Please fill out the class survey.

Michele D. Guel Deepika Gupta Khadija Amin Distinguished Engineer Security Architect/ Technical Leader Cloud Security Architect, Security Business Group Security & Trust Organization Collaboration Security Cisco Cisco Cisco @MicheleDGuel @deepika00gupta @khadijamin

#RSAC