In light of a never-ending tsunami of data breaches and leaks, consumers, businesses, and developers are taking a second look at how data is collected, used, stored, and secured.
They're not the only ones.
Governments are acting to take matters into their own hands by placing the tech community under tighter scrutiny and passing regulations meant to protect the citizens' right to privacy and control over their information.
Since its passage, there's been a lot of talk about the EU's new data retention requirements, including controversy about the huge fines for non-compliance with the General Data Protection Regulation (GDPR).
Although the GDPR was constructed and deployed to protect European citizens, its reach extends globally due to the borderless nature of the Internet. That means developers from America to Australia should be (and are, according to this survey) concerned about incorporating security into the design process in a way that ultimately supports privacy protection after an app or web platform is deployed:
It's difficult to guard privacy without also strengthening security, which is leading developers and website administrators to redefine how they approach both. One of the tenets of the GDPR is the concept of privacy by design, which is spelled out in Article 25 of the regulation:
“... data protection by design; data controllers must put technical and organizational measures such as pseudonymization in place — to minimize personal data processing.”
Building compliant systems means that new functionality needs to be added to deliver data pseudonymization, encryption and other privacy enhancing measures.
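As an added illustration (not code from the original article), this shows the pseudonymization step Article 25 names: direct identifiers are replaced by keyed HMAC pseudonyms and fields that are not explicitly needed are dropped. The key, field names and sample record are constructed for the example; in a real deployment the key would be held separately from the pseudonymized data (for instance in a KMS) so that re-identification is only possible to whoever controls it.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In production this lives outside the data store
# (KMS/HSM); whoever holds it can link pseudonyms back, nobody else can.
DEMO_KEY = secrets.token_bytes(32)

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "email": "alice@example.com",
    "postcode": "SW1A 1AA",
    "purchase_total": 42.50,
}

# Fields that directly identify a person and must never leave in clear text.
DIRECT_IDENTIFIERS = ("email",)


def pseudonymize_value(value: str, key: bytes, purpose: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over purpose || 0x00 || value.

    Same value, key and purpose always give the same pseudonym, so records
    stay linkable for analytics. A different purpose gives an unrelated
    pseudonym, so two data sets cannot be joined without the key.
    """
    msg = purpose.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes, purpose: str,
                        keep: tuple) -> dict:
    """Return a minimised copy of `record` for the given processing purpose.

    Direct identifiers are replaced by pseudonyms, fields listed in `keep`
    are passed through unchanged, and everything else is dropped
    (data minimisation: only collect what the purpose needs).
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonymize_value(str(value), key, purpose)
        elif field in keep:
            out[field] = value
        # any other field is intentionally not copied
    return out


if __name__ == "__main__":
    print(pseudonymize_record(SAMPLE_RECORD, DEMO_KEY, "analytics",
                              keep=("purchase_total",)))
```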
With more websites being deployed and managed on a cloud platform, attack vectors are proliferating. Many of the data breaches that have made the news in recent years can be directly tied to flaws or weaknesses in design rather than end-user apathy or neglect. This places additional pressure on developers and security experts to get it right before a platform is launched rather than patch up the problem later.
Security is essential at every stage of web development, and standard security protocols should be baked into the core framework of app design and testing. This can be managed by following the foundational principles of security through design and implementation:
Zero trust is a security model in which access to a network from inside or outside is never automatically granted but rather forces anything and everything to be verified and authenticated each time it uses the system. It’s essentially a “trust no one” approach that is the polar opposite of traditional security measures like a firewall or virtual private network (VPN), both of which categorize you as “okay” for eternity once you pass the initial verification process.
This isn’t to say that those just jumping on the VPN bandwagon for the first time are advised to jump back off because, for either individuals or business networks, the encryption and IP-cloaking features of most leading VPN service providers boost online privacy and security by essentially creating a private tunnel through which data flows between your device and the Internet. It’s a great way to hide from hackers, especially if you have remote workers who need to securely access the company network.
But businesses with an online presence should be working towards zero trust as a foundational strategy. This is a security protocol that makes no assumptions; in other words, it assumes zero trust. It operates on a threat model that any users, services, or systems interacting within the security perimeter are inherently untrustworthy and need to constantly verify their authenticity before being granted access to any part of the system:
The GDPR doesn't necessarily have the same compliance guidelines and remedies as other recent regulations like California's Consumer Privacy Act, AB-375. But, they do share several common denominators that developers can use to create a comprehensive approach to data privacy and security. This common ground includes information regarding compliance that companies must know and convey to users, employees, partners, and anyone else whose data is collected, such as:
Implementing a zero trust architecture makes up for any lack of visibility by allowing for discovery of the data flow at every access point within and across networks and platforms by requiring that all communications be verified across every channel. The point of zero trust is to eliminate the concept of trust by making it irrelevant.
By adopting a zero trust posture, companies are able to automatically discover and inventory all assets, including applications and databases, and incorporate asset management into their security plan. They're also able to lock down these assets through principles like least privilege access.
This reduces the attack surface, provides accountability and transparency, and shows that developers and their clients are taking data privacy and security seriously. Providing this type of proof is one of the requirements for GDPR compliance.
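As an added example (not from the original article), the following shows the per-request verification that distinguishes zero trust from a "verified once, trusted forever" session: every request re-checks the token's signature and expiry, applies a least-privilege scope policy, and records the decision for accountability. The signing key, resource paths and scope names are constructed for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing key held by the policy decision point (demo only).
SIGNING_KEY = b"example-only-signing-key-not-for-production"

# Least-privilege policy (constructed): the scope each resource requires.
# Paths not listed here are denied by default.
REQUIRED_SCOPE = {"/orders": "orders:read", "/admin/users": "users:admin"}


def issue_token(subject: str, scopes: list, ttl_seconds: int, now: float) -> str:
    """Short-lived signed token. The expiry is what forces re-verification
    instead of granting open-ended trust after one login."""
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode("utf-8")
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def authorize(token: str, path: str, now: float, audit: list) -> bool:
    """Run on EVERY request: verify signature, then expiry, then scope.
    Each decision is appended to `audit` so access is traceable."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        audit.append({"decision": "deny", "path": path, "reason": "malformed"})
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        audit.append({"decision": "deny", "path": path, "reason": "bad-signature"})
        return False
    claims = json.loads(body)
    if now >= claims["exp"]:
        audit.append({"decision": "deny", "sub": claims["sub"], "path": path, "reason": "expired"})
        return False
    needed = REQUIRED_SCOPE.get(path)
    if needed is None or needed not in claims["scopes"]:
        audit.append({"decision": "deny", "sub": claims["sub"], "path": path, "reason": "scope"})
        return False
    audit.append({"decision": "allow", "sub": claims["sub"], "path": path})
    return True
```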
In addition, zero trust:
Robust design is about more than functionality and UX. A main feature of both is how securely a website or app is constructed, and how far it goes toward protecting website owners from liability and users from malicious activity. You can't separate privacy and security, and these regulations aren't going away anytime soon. In fact, they're likely to strengthen and proliferate as more governments get into the act.
Implementing a zero trust security architecture at the initial design stage, hardening it through discovery during testing, and continuously monitoring it after deployment will help ensure that security that protects privacy is built into the process.