Security and privacy are not interchangeable, and we must have both in order to protect our data and to live up to our obligations as data stewards. So what’s the difference between the two? It’s an important one.
Anthem, Sony Pictures, Target… It seems like we can’t turn around today without bumping into another data breach. Security consumes IT mindshare. We endlessly debate things like firewalls, encryption, and malware detection, and we focus relentlessly on keeping the bad guys out.
So I found it interesting that, when Gartner surveyed nearly 3,000 CIOs for its 2015 CIO Agenda report, security was one of the initiatives that actually dropped as a priority. Yet, two areas that CIOs marked as increasing in priority are arguably two big drivers behind security concerns: cloud computing and mobile.
How is this possible? Is it really that CIOs aren’t concerned about the safety of their data?
The answer, of course, is no. CIOs are not less concerned about data security than they were a year ago. The difference is that, as a whole, the computer industry has solved the issues around security. Sure, we’ll always need to develop stronger defenses, and hackers will always look for routes into our legacy systems. However, the computer industry has developed technologies and, more importantly, business processes for that ongoing problem.
But when it comes to the cloud, it’s a different story entirely.
That’s not to say the industry is hopelessly behind. The cloud gave us a clean slate, security-wise, and we’ve learned what it takes to secure it. Obfuscating the storage of both data and metadata, using encryption wisely, and employing authentication controls are just a few of the things we do to ensure that even if someone somehow got into the organization’s cloud, the data would be scrambled or otherwise meaningless to the bad guys.
If we’ve figured out cloud security, then why are we all still talking about it?
The answer is that we’re not talking about cloud security; we’re actually talking about privacy. The NSA-related issues, the revelations by Edward Snowden, and even, it’s suggested, the Sony Pictures breach: These all highlight privacy issues, not security. The difference is critical, and it’s when we confuse them that we reveal more information than we intended.
Let’s take this out of the virtual world for a moment. Where do you keep most of your important possessions? Usually it is wherever you live, since we keep close to us what matters most: our pets, electronics, rare books, copies of old tax returns, medical documents, etc. We all have many things in our lives. Some would be inconvenient to replace, but the loss of others would be devastating.
So how do we mitigate the risks so this isn’t an issue? One part of the process is identifying the distinction between protecting our privacy and ensuring our data is secure.
Security is the process by which we keep the bad guys out. My house is secured in multiple ways: The yard is fenced; the doors are locked; and if someone tries to go in through a window, three dogs are waiting inside (probably asleep, but let’s not delve too deeply). The whole point of security is to make sure that people I don’t want in my house are unable to get inside, and the steps I can take to make sure that doesn’t happen are almost unending.
On the other hand, there are people who have a right to get into my house, such as my family, my landlord, and the police. These are people to whom I’m obligated to provide home access in specific situations. This doesn’t mean that access is a free-for-all. Privacy allows me to give access based on the person’s role, and it helps me make sure that they only see what they should. For instance, my family has a key to the house, meaning they can come and go as required (perhaps to feed those slavering dogs). Nearly everything in the house is open to my family members, minus a trunk where gifts are often stashed.
The police, by contrast, do not have a key to my house. They may have a legal reason to come inside (e.g., a search warrant), but the police need to come to me to gain access, and they are allowed only the information that falls within the confines of the legal request. Legally, I cannot prevent their access, but I do have the ability to authorize their presence.
In other words, I want to be the one to let the police in; I don’t want them breaking down the door or my landlord giving them a spare key. I want to control when and how the police gain entry to my house, supervise their access, and then escort them back out again. I also want to be the one to open the door again, if for some reason they need to come back.
It’s the same with our data. Data privacy means keeping our data safe from misuse by authorized users. This means that if the NSA requests my data, I want them to come to me. I don’t want my vendor just handing it over.
This has a lot of implications for us as consumers and as businesspeople. Dropbox recently released its 2014 transparency report, revealing that they were required to hand over data in response to government requests without notifying the data owner 23% of the time. Imagine if, 23% of the time, someone wanted to come into your house, your landlord or neighbor met them at the door with a spare key — and didn’t tell you about the visit. What isn’t reasonable to us in the physical world shouldn’t be acceptable in the virtual.
Ultimately, security and privacy must go hand-in-hand, in both the physical and virtual worlds. We should have the same expectation that our data is secure in both places. Talk to your cloud vendor and understand exactly what they are doing to protect your privacy — and make sure they aren’t waiting on the porch with the key if someone wants to get into your digital house.