The conflict arises when accessing sensitive data is seen as a privacy violation, impeding effective threat response, particularly in network traffic analysis. Though packet scrutiny is vital for cybersecurity, concerns arise with personally identifiable information (PII). Privacy advocates favor end-to-end encryption without packet inspection. Despite the conflict, regulators stress the importance of reasonable security, evident in actions against companies with security breaches. Resolving this requires a shift in viewpoint on data privacy and security.
By Emily Hancock, Data Privacy Officer, Cloudflare
The conventional perception often pits security against privacy. Establishing robust security measures involves identifying potential threats, yet this process may involve scrutinizing sensitive or personal data, posing a risk to privacy. In truth, the key to ensuring data privacy lies in the implementation of effective data security. A meticulously crafted, privacy-centric security program not only provides substantial advantages to any organization but also mitigates potential privacy concerns.
Security vs. privacy misconception
The notion that security and privacy are in conflict arises when these two concepts are taken to their extremes. Within this perspective, any potential access to sensitive data is perceived as a breach of privacy, something to be avoided at any cost. Embracing this viewpoint significantly hinders the effectiveness of security programs in identifying and addressing potential threats.
Take, for instance, the realm of network traffic analysis. Packet inspection, a crucial tool in corporate cybersecurity, is commonly implemented through firewalls, seen as a fundamental security measure in various jurisdictions globally. By scrutinizing the content of network packets, it becomes possible to detect potential malware infections, data exfiltration, account takeover, and other threats. However, from a privacy standpoint, concerns arise when packet inspection involves personally identifiable information (PII) or other sensitive data. From a privacy absolutist perspective, a preference is often given to end-to-end encryption with no packet inspection. On the surface, these two viewpoints—ensuring necessary security and safeguarding personal data—may appear incompatible. Nevertheless, regulators emphasize that providing reasonable security is crucial for protecting data privacy, as evident in numerous privacy regulatory enforcement actions against companies experiencing security breaches. We believe that data privacy and security leaders can reconcile the apparent conflict between security and privacy absolutism, but it necessitates adopting a different perspective on data privacy and security altogether.
What are the potential threats?
Both data security and data privacy programs are founded on the core principle of risk management. Aligning the objectives of these programs entails examining the conceivable threats to an organization’s data. For any entity handling personal data, ensuring the security and privacy of such information is paramount. A primary concern within a data security program is the possibility that security solutions might inadvertently access personally identifiable information (PII) and other sensitive data while carrying out their functions. These tools, which could include email scanners, network packet analyzers, or file inspection systems, may inadvertently come across such confidential content.
Another significant risk to both corporate and customer data is the potential exposure to cybercriminals. For instance, contemporary ransomware tactics involve stealing and disclosing sensitive data if the targeted company refuses to pay the ransom. Even compliance with the ransom demand offers no assurance that the data will be erased and won’t be disclosed. Avoiding these risks entirely is impractical. An effective security program necessitates access to data, and inadequate security measures virtually guarantee the occurrence of data breaches.
Discovering a Path Toward Privacy-First Security
When security solutions are crafted with privacy as a central consideration, organizations can deploy robust security measures while safeguarding the personal data of their customers and employees. A comprehensive cost-benefit analysis reveals significant advantages in adopting a privacy-first approach to security.
For instance, proactively blocking malware before it infiltrates an organization’s systems can avert a potential data breach. Given that the average cost of a data breach was $4.45 million in 2023, coupled with the consequential impact on brand reputation and legal ramifications, preventing even a single data breach becomes paramount for any company. Hence, the importance of industry-leading security measures is indisputable. Any reputable security company should provide solutions that limit its access to sensitive data and ensure the protection of the personal data entrusted to its care.
Creating a Security Program with Privacy at the Forefront
Privacy and security can coexist harmoniously. A privacy-first security program assesses the risks associated with both implementing and not implementing security measures. If the advantages of deploying a security solution, such as email scanning, outweigh the drawbacks — which is highly probable — the organization should proceed with the careful implementation of this capability. When determining the suitability of a security tool for enhancing both data security and privacy, consider asking the following key questions:
· Does it provide clear benefits? The potential privacy risks of a security solution are only acceptable if it also reduces the risk of a data breach.
· Does it minimize access to personal data? A security solution should minimize the amount of potentially sensitive data it accesses and processes.
· Does the company prioritize security? Check how the company has handled past security incidents and prioritized security investment.
· Does it meet regulatory requirements? Verify that the company has privacy-focused certifications such as ISO 27701 and ISO 27018, and is certified to the prevailing local and international data privacy frameworks. If a company has these certifications in addition to standard security certifications such as PCI DSS, ISO 27001 and SOC 2 Type II, it’s a great sign that the vendor goes above and beyond on privacy and security.
Assessing all these criteria for the 60+ security tools typically employed by an average organization can be a substantial undertaking. This underscores the compelling case for security consolidation. Conducting thorough due diligence on a single vendor offering a comprehensive suite of capabilities is more manageable than conducting a superficial assessment of multiple individual point security products.
Privacy-led security
An essential factor supporting security driven by privacy is the extent of the Cloudflare network. Covering 20% of all Internet sites, Cloudflare shields a significant portion of Internet traffic, contributing to Cloudflare’s threat intelligence without jeopardizing the privacy of its customers’ end users.