The security and privacy paradox: Getting it right

Privacy is considered a human right in Europe and to this extent organizations have focused on protecting the privacy of their customers’ data. However, there’s a blurring of lines between monitoring employee’s activities to make sure that the organization is secure, with the employees perception of a ‘right to privacy.’

To ensure the security of personal data, organizations have grasped the need to manage the people within the organization by restricting the data they have access to, specifically, providing access only to the information needed to complete their specific business related activities. While this “controlled’ access is in line with the fundamental security tenet of “Least Privilege’, in order to ensure the integrity of its information, an organization also needs to be able to identify if someone has done anything that they shouldn’t have done with this information, or the underlying systems,. For this reason companies need to know 1) who is logging in to the system, 2) what they’re doing and 3) if they had the rights and approval to do so. This is managed in order to deliver another fundamental security tenet “Trust, but Verify’, so that the organisation can justify the activity based on the final piece of the puzzle – the captured and recorded activity log.

As raised above, the actual identity of the users requiring access to key information is a vital element of robust, secure process. To that end, it is important to note that with many “privileged’ accounts within an organization, there is no named, specific user. Instead, with these powerful, built-in accounts found in all applications, systems, operating systems, databases et al, the risk of a generic “system administrator’ account – designed to be used by many people without specifically recording the actual identity of any of them, is evident. In this case, a secure company must have a way of knowing who is behind a generic identity and collect subsequent activities in the same way.

An integral part of an effective corporate governance regime includes provisions for civil or criminal prosecution of individuals who conduct unethical or illegal acts in the name of the enterprise. It is therefore elementary that organizations must monitor and record employees conduct, compiling an audit trail which proves compliance with policies and takes preventative measures for data breaches. As the value in collecting the data is for the purpose of identification, only knowing that someone is accessing, changing or removing valuable information isn’t enough. Organizations need to be able to pinpoint the individual, the associated activity, and whether this activity is in line with policy.

Do employees have a right to privacy?
Historically organizations in the UK have fallen foul of the Data Protection Act (DPA) for failing to adequately protect customers’ information – and this is replicated across the globe. However, even taking the security requirements and practices discussed previously, employees also have a right to the same protection for any identifiable data that is collected as part of audit trails and governance compliance.

The Wikipedia definition of “information privacy’, or data privacy, is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. Privacy concerns exist wherever personally identifiable information is collected and stored – in digital form or otherwise.

Globally there are a number of different legislations that affect the way data is stored and used. The US has deployed a variety of different laws and regulations at both the national and state level that seek to provide consumer protection in a number of sectors where privacy issues have emerged. Examples include HIPAA, which addresses the requirement for healthcare providers and payers to keep Personal Health Information (PHI) secure and private, as well as other legislation requiring the credit card and financial services industry to also protect customers’ non-public personal data and financial information such as the Payment Card Industry (PCI) standards and Gramm-Leach-Bliley Act (GLBA).

However, many uses of data fall outside the scope of this existing regulatory structure, and as such, are less strictly regulated. In Europe, The European Union Data Protection Directive (EU DPD) defines fundamental principles for privacy protection and includes mechanisms for cross-border transfers of personal data. Essentially, all principles are similar to the DPA in the UK that states anyone who processes personal information must comply with eight principles, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection.

How can we watch them and respect their right to privacy?
It’s important that concerns over privacy do not deflect from the strong case for monitoring employees’ behaviour. Carsten Casper, Research Director with Gartner and responsible for the security role in Gartner for IT Leaders in Germany, believes, “Security and privacy are not, and should not be seen as, mutually exclusive or opposing concepts. Modern legal and technical tools allow a balanced consideration of both.”

Below are guidelines to avoid breaching privacy rights whilst gaining employee support:
1. Put policies in place explaining what is acceptable versus improper activity and/or behaviour – if you don’t tell them how can they be expected to know? – “An ounce of prevention is worth a pound of cure’
2. Educate employees about what’s expected from them, and why it’s important, to gain their appreciation and support for these important security measures and processes. Many employees may not even realise that their activities can cause a security breach
3. Inform them that you can, and will monitor them and explain why
a. It is important that employees understand this works in their interests too as, if there is unacceptable or illegal activity. Through monitoring it will be easy to identify the offender, thus eliminating the finger of suspicion and the ill-feeling it can cause for those not involved and doing the roles in line with company policies. If they’re not doing anything wrong they have nothing to fear!
b. Employees should be aware that personal activities during company time and/or using company products will also be monitored and recorded so there are no surprises
4. Capture relevant information
a. When choosing a solution make sure that what it will capture is accurate, relevant and is kept secure from prying eyes
5. Recognize that an employee has a right to know what information you have, and be able and willing to access and share it with them.

Carsten concludes, “Enterprises and individuals should not be forced to achieve security at the expense of privacy, or vice versa.” Introducing a full lifecycle solution to secure, manage, log and monitor all privileged activity benefits all, whether it be with privileged information, privileged users or privileged processes.

With this type of full security solution in place, as an employee you are comforted by the knowledge that your employer knows you’re doing your job line with corporate governance and security policies. As an employer you are reassured by the evidence that proves your employees are doing, and seeing, only what they are supposed to. As a customer you can trust the organization to protect your personal information, as they are going to great lengths to ensure any access is secured and proper. Rather than allowing security and privacy to be at odds, following these steps will allow organizations to reduce the security risk whilst mitigating any privacy issues.