chapter ten

10 Implementing privacy by closing security vulnerabilities

 

This chapter covers:

  • Privacy risks that are often hidden within security risks
  • How business efficiencies around testing and development can lead to an expanded risk surface
  • How companies can build an enterprise risk model to identify, track and address privacy risks
  • How major privacy and security risks are cumulative and impactful in nature
  • How companies can use authorization to reduce risk
  • The different kinds of privacy risks that are hidden in authorization implementation details

Privacy controls are complicated to implement for many companies with limited budgets and for small and medium-sized businesses. Such organizations often face a critical question: Where do we get started when it comes to building privacy into our technical infrastructure? While prioritization questions are perennial, the much harder question to answer is what to do first.

In my experience, companies just starting out in the privacy space may find it daunting to start with making their data privacy-safe. Whether it is practices like data minimization or data governance, these require significant changes that in many cases will affect all levels of the company.

10.1  Protecting Privacy by Reducing the Attack Surface

10.1.1    Starting with Attack Surface Management

10.1.2    How Testing can cause Security and Privacy Risks

10.1.3    An Enterprise Risk Model for Security and Privacy

10.2  Protecting Privacy by Managing Perimeter Access

10.2.1    The Target Breach

10.2.2    MongoDB security weaknesses

10.2.3    Authorization best practices

10.2.4    Why Continuous Monitoring of Accounts and Credentials is important

10.2.5    Remote work and privacy risk

10.3  Protecting privacy by closing access-control gaps

10.3.1    How an IDOR vulnerability works

10.3.2    IDOR testing and mitigation

10.4  Summary