At #8 on our list of “Top 20” SOC Capability Areas is Privacy/Confidentiality Management. This is the last of 4 separate “Access Control” capability areas that are often addressed together – Identity, Authentication, Authorization, and Privacy/Confidentiality Management. (We discuss the complexities of Auditing separately.)
Finance, Retail, Healthcare, Employment, Credit Bureaus, even social networking and dating sites are all prime targets today for adversaries looking to compromise and exploit private or personal data for their own financial gain. Seemingly weekly reports of huge data breaches demand organizations invest in more robust and more complex Privacy/Confidentiality capabilities such as data labeling, deliberate data segmentation, and/or encryption of data, both at rest and in transit. Each of these types of controls helps to provide privacy and maintain confidentiality, but will also present its own implications on system performance and on scale of management.
Concepts such as data partitioning and data segmentation are less commonly used in the commercial sector. So this article focuses on the more familiar concepts of data encryption to highlight the role that the Security Operations team plays with respect to Privacy/Confidentiality Management.
The simplest approach to maintaining privacy is to encrypt sensitive data, both at rest and in transit; utilizing some form of robust, symmetric encryption using a secret key known only to those authorized to access the data. Most solutions for encrypting data-at-rest (files, filesystems, and full disk encryption technologies) use some form of secret key encryption. Ignoring the strengths and weaknesses of the range of encryption algorithms available, the primary management challenge which Security Operations is tasked with is Key Management. The generation, distribution, and destruction of “shared secret” cryptographic keys does not scale well, even in a moderately large environment. Leading edge advancements such as Quantum Key Distribution (QKD) show some promise for significantly simplifying the scalability issues here. But today, especially for encrypting data-in-transit, most organizations opt to use some form of asymmetric public key encryption.
This is not intended to be an introduction to, or evaluation of, encryption techniques and technologies. Rather, we use encryption as an example here to illustrate the non-trivialadministrative role which Security Operations teams play with respect to managing the full range of Privacy/Confidentiality capabilities.
As your organization adopts more complex techniques and technologies to insure privacy and confidentiality, your Security Operations team will need to adopt a relevant set of capabilities to manage these new controls at scale.
This article barely scratches the surface of the need for Privacy/Confidentiality Management capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Privacy/Confidentiality Management capabilities to support your own Security Operations efforts.