Introduction to the security and privacy blog

This blog will cover some of the most important non-tech issues in Information Privacy and Security.   I've selected these topics because  they are all ones where I have some personal experience. 

Key topics will be: 

i) Public Cloud

The public cloud industry is growing fast, led by Amazon AWS, Microsoft Azure, and Google GCP. What are the privacy and security issues associated with providers like these?


ii) Protecting endpoints

Even if the cloud location is secure, legitimate users still have to have access. Access can be through using Application Program Interfaces (APIs), or through web pages. But there has to be some way to stop the wrong people using these entry points. If there isn't, all the other security measures are pointless. What are some options?

iii) GDPR

The EU's General Data Protection Regulation created and enormous splash when it came into force in 2018 after being adopted in 2016.  What do companies need to do?

iv) The role of corporate InfoSec

Companies of any size now have their own Information Security departments, whose word is law. It has to be. These InfoSec units are protecting their employers from potentially huge fines and embarrassing data breaches.  How do projects work with InfoSec, and what are typical outcomes?

v)  Logging

Logs have long existed in computerland. Writing to the log is a tried and trusted method used by coders to surface diagnostic material to enable them to quickly debug code.  Now logs have a new use in the security world - to provide a tangible record of who is accessing the system and why. Importantly, this record can be accessed by an InfoSec third party to provide an extra layer  or confidence. 

vi) When staff leave

Key staff have passwords and user IDs that let them access systems they need. However when those staff leave that access must be revoked quickly.  The problem is that the process of a member of staff leaving is typically a paper process that might be run by HR.  The challenge is to ensure that this followed up in the systems that hold the passwords.  These processes can easily exist in a disconnected state creating a security risk. 

viii) PCI-DSS

The Payment Card Industry (PCI) created a Data Security Standard (DSS) to protect the credit and debit card details of customers.   Implementing PCI-DSS is important for companies that handle cards, and the list of companies is long. It includes all retailers and any other company that takes, payments via card. Implementation of this standard is potentially a mammoth task, and companies in scope have to think carefully about how to do it so they reduce PCI related risk, but at the same time avoid implementation projects that cost millions but have no matching revenue.


Comments