Privacy by Design

If you heard a collective groan emanating from the American west last week, it wasn’t just from the heatwave. No, the hand-wringing and panic attacks are taking place inside Chief Compliance Officer (CCO) and CSO offices. California has just passed the California Consumer Privacy Act of 2018. This new law offers residents of California privacy rights comparable to those of the EU’s GDPR.

Starting January, 2020, consumers in California will have the right to request that a business to disclose the personal information it is collecting about them. They can request deletion of personal data. California businesses will have to disclose what information they collect. This adds to existing California law mandating breach notifications to consumers.

More Privacy Rules Are Coming

We are on the verge of more rigorous, sweeping regulations regarding cyber security. Data privacy is already a hot issue, as this new law attests. The California law is just one small step in this direction, but a lot more is coming. The recent news that Utah’s state government is now deflecting a billion hacking attempts per day suggests that some heavy-handed access control rules are coming. CCOs and CSOs will have to make compliance part of their departments’ workloads. To make this work, without adding excessively to budgets or simply expanding deficient controls, security managers would do well to rethink their basic approaches to securing data privacy.

Alignment of Public Policy and Cyber Policy

In this legislative and compliance environment, it is a best practice to align an organization’s cyber policy with public policy. Compliance can’t be an afterthought. It is not economical or efficient (or secure, for that matter) to design a system and then figure out how it will ensure privacy. The public policies regarding privacy or other security measures, must be taken into account at the policy setting stage and implemented from there.

Designing Privacy Policy into The Network and Application/Data Ecosystem

Eldad Livni, Co-Founder of Luminate

One approach to achieving the privacy required by new laws is to design privacy policy right into the network, applications and data. Luminate, for example, applies a zero-trust security model to networks and data assets. “This is a new way to establish network and application access,” said Eldad Livni, Luminate’s Co-Founder and Chief Product Officer. “Access controls can get extremely complex and hard to manage very quickly,” Livni noted. “Instead, how about we start with nothing. No access for any user, period. We cloak all data assets. Only trusted users are connected to applications. Then, if you’re trusted, you get a single use access for a specific purpose, like accessing your own private data. After that, you’re off the network again. There is no plain user access to applications—a policy that exposes you to risk of data breaches by malicious actors.”

Solutions like Luminate use software-defined perimeter principles to enforce privacy policies. They protect applications through a brokered trust model. By leverage this type of solution to build a reliable zero trust architecture, an organization is essentially designing privacy policy into its enterprise architecture from the start.

Luminate just passed the rigorous SOC2 Type II certification to become the first secured access cloud service provider to become GDPR ready. With this foundation, the company is poised to tackle American privacy laws as well as those in the EU.  The certification process confirms that the Luminate platform complies with the privacy principles in the delivery of service to its customers. In the GDPR context, the Luminate Secure Access Cloud™ platform provides GDPR-mandated measures of data access visibility and governance.

Photo Credit: klumprob Flickr via Compfight cc