Pursuing privacy-first security
Privacy and security compliance doesn’t have to be a tug of war
Security and privacy are commonly seen to be at odds. Implementing effective security requires the ability to identify potential threats. However, doing so can result in sensitive or personal data being inspected, which can threaten privacy.
In reality, the only way to achieve data privacy is through implementing effective data security. A well-designed, privacy-first security program offers significant benefits to any organization while minimizing potential privacy impacts.
The security vs. privacy misconception
The view that security and privacy are at odds comes from taking the two concepts to their extremes. In this mindset, any potential access to sensitive data is considered a failure of privacy and something to be avoided at all costs. As a result, security programs are severely hampered in their ability to identify and address potential threats.
For example, consider the case of network traffic analysis. Packet inspection is an invaluable tool for a corporate cyber security program. Firewalls are an extremely common form of packet inspection, and not having a firewall in place would be seen as a violation of reasonable security measures required by laws and regulations in a number of jurisdictions globally. By looking inside the payload of a network packet, it’s possible to identify attempted malware infections, data exfiltration, account takeover, and other threats.
However, from a privacy standpoint, packet inspection can create concerns where a packet contains PII or other sensitive data. From a privacy absolutist lens, end-to-end encryption with no packet inspection seems preferable.
On the surface, these two perspectives — providing necessary security and keeping personal data private — seem incompatible. But regulators have also made clear that providing reasonable security is critical to protecting data privacy. One only has to look at any number of privacy regulatory enforcement actions brought against companies that have suffered security breaches to see this. We think data privacy and security leaders can bridge the gap between security and privacy absolutism, but it requires a different perspective on data privacy and security altogether.
What are the risks?
Risk management is a core principle of both data security and data privacy programs. Unifying the goals of both of these programs requires taking a look at the potential risks to an organization’s data.
For any organization that processes people’s personal data, keeping that data secure and private is of paramount importance. One of the biggest concerns for organizations related to a data security program is the potential that security solutions can see PII and other sensitive data as part of their duties. These tools may scan emails, network packets, or files for signs of malicious content.
The other main risk to corporate and customer data is that it might be accessed by a cybercriminal. For example, modern ransomware steals and leaks sensitive data if a company doesn’t pay the ransom. Even if the ransom is paid, there’s no guarantee that the data will be deleted and won’t be leaked.
Avoiding both of these risks is impossible. An effective security program needs access to data, and ineffective security practically guarantees data breaches.
Finding a privacy-first way forward for security
When security solutions are designed with privacy in mind, we’ve found that organizations can implement robust security protections while protecting the personal data of their customers and employees. And we know that when organizations conduct a cost-benefit analysis, the potential benefits of a privacy-first security approach are significant.
For example, blocking malware before it reaches an organization’s systems can prevent a data breach. With an average price tag of $4.45 million in 2023 — not to mention the brand reputation and legal repercussions — preventing even a single data breach is critical for the company. So there’s no question that industry-leading security measures are critical. Any reputable security company should offer solutions that minimize its access to sensitive data and protect the personal data in its care.
As the Chief Privacy Officer at Cloudflare, figuring out how to design and implement privacy-first security solutions is a key part of my job and discussions with our CISO. Several years ago, we became an Area 1 customer because we knew it was critical to deploy a solution to preemptively inspect and secure our email traffic. As a CPO, my first reaction was to be concerned about allowing any technology to scan email traffic into our company. But as we learned more about how the solution works and the privacy protections it had in place, we saw that the way that Area 1 handled data vastly reduced security risks while maximizing potential benefits and it does so in a privacy-first way. In fact, we were so impressed by the product that we not only use it, but we acquired the company and now it is a key offering of Cloudflare’s Zero Trust product suite.
Designing a privacy-first security program
Privacy and security don’t necessarily have to be at odds. A privacy-first security program judges the risks of implementing security and failing to do so. If the benefits of implementing a security solution, such as email scanning, outweigh the risks — which it almost certainly will — then the organization should carefully deploy this capability.
When evaluating whether a security tool is good for data security and privacy, some key questions to ask include:
Does it provide clear benefits? The potential privacy risks of a security solution are only acceptable if it also reduces the risk of a data breach.
Does it minimize access to personal data? A security solution should minimize the amount of potentially sensitive data it accesses and processes.
Does the company prioritize security? Check how the company has handled past security incidents and prioritized security investment.
Does it meet regulatory requirements? Verify that the company has privacy-focused certifications such as ISO 27701 and ISO 27018, is certified to the EU-U.S. Data Privacy Framework, and/or is certified to the EU Cloud Code of Conduct. If a company has these certifications in addition to standard security certifications such as PCI DSS, ISO 27001, and SOC 2 Type II, it’s a great sign that a vendor goes above and beyond on privacy and security.
Evaluating all of these criteria for the 60+ security tools used by the average organization can be a significant lift. This is another great argument for security consolidation. Performing deep due diligence on a single vendor with a wide suite of capabilities is easier than performing a shallower assessment of several-point security products.
Privacy-led security with Cloudflare
Cloudflare has long been a champion of privacy-first security — the Trust Hub details the efforts that have been made to meet or exceed the privacy and security requirements of all major data protection regulations.
Cloudflare’s privacy focus also lies at the core of its solutions, which are designed to minimize access to personal data while ensuring strong security. One key enabler is the scope of the Cloudflare network. With 20% of all Internet sites protected by Cloudflare, a substantial portion of Internet traffic flows through its systems and informs Cloudflare’s threat intelligence in a way that does not compromise the privacy of customers’ end users.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Learn more about Cloudflare’s approach to privacy-led security in the Cloudflare One for Data Protection solution brief.
Author
Emily Hancock — @emilyhancock
Chief Privacy Officer, Cloudflare
Key takeaways
After reading this article you will be able to understand:
The relationship between data privacy and security
How to gauge the privacy risks of security investment
What to look for in a privacy-led security product
Related resources: