Data Privacy vs. Data Security in the New World

"New normal" practices for protecting sensitive data from work and home

Christian Melendez

The current COVID-19 pandemic has ushered in a new world where companies are seeing an increase in cyberattacks targeted at finding vulnerabilities in their systems. Regardless of size, every company is a potential candidate for attackers. And when systems are collecting users’ personal data, data privacy becomes crucial. If personal data is exposed or lands in the wrong hands, the consequences could potentially damage that person’s reputation and negatively impact his/her financial standing, as well as that of the company collecting the data. Therefore, it’s never too late to take a proactive approach to protecting your users’ data.

What does data privacy look like in the new world? And what can you do to ensure the security of sensitive data? Before I give you a few recommendations, let’s dive into what data privacy is and how it differs from data security.


Data privacy vs. data security

Data privacy systems oversee the proper handling of data collected from users and how it is shared with third parties, if applicable or allowed by regulations, whereas data security protects all data from unauthorized access and data corruption throughout its lifecycle. Data privacy leverages the same protections as data security; however, it requires a different mindset since it focuses on protecting the subject’s data, not all data in general. You need to be more specific about which data to protect and who the data subject is. For instance, you can start by asking, “Who does the data belong to?” These aspects are important because, as a company, you’re probably collecting more data than you need, and it is vital that you are aware of all the types of data your systems are collecting and which of it is personal data and which is not.

Moreover, the attacker’s perspective is different in data privacy. Perhaps an attacker is targeting your system as just one piece of a more significant attack. In Europe, GDPR requires embedding privacy in systems from the design phase and treating privacy as a default attribute. A systematic approach to identifying risks and mitigating data privacy attacks is to use a threat modeling framework like LINDDUN[i] [ii].

From the Equinix perspective, here are a few recommendations you can start proactively implementing to improve data privacy.

Encrypting data-in-transit and at-rest

A good approach is to start from the assumption that the data your systems collect could land in the wrong hands, even if you have a proper security level. You never know when a user’s data can be exposed, so you must make it difficult for attackers to read your data. You can achieve that by having remediations in place for threats like identifiability or disclosure of information, which can limit the consequences of an attacker accessing your data.[iii]


Encryption of data is crucial. You must protect data-in-transit and at-rest. For instance, enforcing mutual transport layer security (TLS) authentication or using HTTPS for all communication between systems is essential because data might be traveling in the wild world of the public internet – especially now that most of us are working from home and are using an internet connection to transfer data. Additionally, you could encrypt data before saving it into a database or a disk. There might be times when you need to replicate data between environments, which could create vulnerabilities. For example, make sure that sensitive personal data, such as credit card information, does not end up in a development environment.
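One way to keep card numbers out of a development copy when replicating data, shown as an added example that is not part of the original article or any Equinix product: the function names, the sample rows and the demo key are all constructed for illustration. It replaces every Luhn-valid card number, whether in a dedicated column or buried in free text, with a keyed one-way token so records can still be joined in development.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pseudonymize(pan: str, key: bytes) -> str:
    """Keyed one-way token: the same card always maps to the same token."""
    return "tok_" + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]

def scrub_text(text: str, key: bytes) -> str:
    """Replace every Luhn-valid card number found in a string."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        return pseudonymize(digits, key) if luhn_ok(digits) else match.group()
    return PAN_RE.sub(repl, text)

def scrub_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record that is safe to replicate to development."""
    return {k: scrub_text(v, key) if isinstance(v, str) else v
            for k, v in record.items()}

# Constructed sample rows; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_ROWS = [
    {"id": 1, "card": "4111 1111 1111 1111", "note": "renewal"},
    {"id": 2, "card": None,
     "note": "paid with 4111-1111-1111-1111, order 1234567890123"},
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice, held in a key manager
    for row in SAMPLE_ROWS:
        print(scrub_record(row, key))
```

The token key must stay out of the development environment; anyone holding it can confirm guesses of card numbers against the tokens.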

Equinix SmartKey™ is a secure key management and cryptographic service for data on-premises or in the cloud. You can use this cloud-agnostic service to store SSL/TLS certificates, secrets, and encrypt/decrypt sensitive information using our API, command-line, or through the SmartKey portal.

Private communication between assets

Another recommendation is to keep your private communications away from the public internet to limit the attack surface and reduce risks. Private interconnection among your systems is not difficult and can be achieved even in the public cloud. However, with a hybrid topology, such as an on-premises infrastructure that needs to interact with a third-party cloud-based service like Salesforce, how do you maintain data privacy during those transactions?

A quick solution is to use a virtual private network (VPN). However, if you’re using the public internet between the two environments, at some point networking performance degrades. Working from home has increased VPN consumption, which can cause disruptions and delays due to low bandwidth and high latency from traffic congestion. Using private interconnection between all of your systems can increase your available bandwidth and lower your latency. With Equinix Cloud Exchange Fabric™ (ECX Fabric™), you can establish direct and secure, dedicated connections using software-defined interconnection to public cloud providers, such as AWS, Microsoft Azure, Google or Oracle, within Equinix Business Exchange™ (IBX®) data centers. And when you combine virtual devices using Network Edge services on Platform Equinix®, you can access multiple cloud providers by going beyond the local data center. Network Edge enables you to leverage remote virtual networking devices to connect to leading cloud providers in minutes, without deploying additional hardware. Private communication for data privacy reduces the risk of users’ data landing in the wrong hands.

Virtual desktops for remote working

The unexpected and recent increase in remote working has forced many companies to take on more security risk by depending heavily on the public internet to communicate, exchange data and access applications. Companies are relying on how well security policies are implemented on personal computers and home networks. A virtual desktop infrastructure (VDI) is one recommended approach to reduce security risks at home. Instead of using personal computers for all of your users’ work, they are used only to connect to a virtual computer dedicated to work purposes. This gives companies the same control over their communications and data exchange as they have at their corporate offices.

Some examples of cloud-based VDI solutions include AWS and Amazon WorkSpaces[i], and Microsoft Azure and Windows Virtual Desktops[ii]; for a cloud-agnostic deployment, there is Citrix[iii]. Once you have a VDI solution in place, you can configure private and secure connections to third-party resources in the public cloud or an on-premises infrastructure through ECX Fabric and/or Network Edge.

Take a proactive security approach

There’s no doubt that the new normal will include working from home or places outside of a company office. Companies might not be able to cover all vulnerabilities and risks, but it’s important to include security in every aspect of what you do. Threat modeling frameworks aimed specifically at data privacy, like LINDDUN, have good guidance and ideas on what companies should consider doing to protect users’ data. Ultimately, you should look into investing in encryption of data and private interconnection among your systems as much as possible.

For more information on how to tighten up your company’s data privacy, read the Distributed Security Digital Edge Playbook.
