Saturday 22 March 2014

EU Data Protection Regulation - Application Security


Update: June 28th 2015

Progress is being made.....slowly. Here is a link to the version proposed by the European Council
http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf



The new EU Data Protection regulation took another step on its long road towards becoming law.  What does this mean for application design and security?

Originally proposed by the EU Commission in January 2012, the EU Parliament has now supported it (with lots of amendments to the original proposal). The next step on the long road is the EU Council of Ministers.

Who knows when/if this becomes law, but it is worthwhile being aware of it. It is long and complicated and will change.

What could this mean for application design and security? Here are some of the proposed amendments which may impact your application design and security when processing personal information of EU citizens. These are just the barest details based on the amendments proposed by the  EU parliament. There is more information in the links below.


Article 15 - Amendment 78 - Right to Rectification and Completion

In this amendment, the data subject can request that any information be corrected. For the application developer, this means that there should be some way to correct personal information that the application stores.

Article 16 - Amendment 79 - Right to Erasure

The data subject can request that their personal data be deleted. There are various conditions around this. Basically it means that application should have the ability to delete a user's information at their request.

Article  19 - Amendment 81 - Data Protection by Design and by Default

This is a core article from a security perspective. It talks about "protection by design", "risk", "entire lifecycle management of personal data from collection to processing to deletion". 

Security of personal data cannot be an afterthought. It must be considered from the start of the application design. 

Article 24 - Amendment 86 - Keeping of Records

This article essentially means that the application must keep an audit trail. It even mentions such items as "date and time". 

Article 27 - Amendment 90 - Security of Processing

This is another one directly related to application security. The main clause states that the data controller or processor must:
"implement appropriate technical and organisational measures and procedures to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation."
Again this clause mentions risk. The article itself lists a number of more detailed requirements covering such security measures such as access control etc.


Useful Links

Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

Monday 3 March 2014

NIST Cybersecurity Framework

The NIST has just released the Cybersecurity Framework Version 1.0. This is mainly intended for improving critical infrastructure type facilities in the USA. However, it can potentially be applied to a much broader range of organisations across the world.

It covers 5 main functions of a cyber security framework.
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each of these functions is then broken down into categories and the categories are further sub divided into subcategories.

This is two more than Bruce Schneier who defines Protect, Detect and Respond.

The basic idea is that you take the categories and analyze it to define your current profile. You then define a target profile and work out action plans and prioritizations to achieve the target profile.

It is not a very long document and much of the useful information is stored in the appendixes. It widely references other public standards.

Application Security

The framework does not have much to say about secure application development.  However it is extensible so you can add in your own categories and sub categories. It does talk about access control, data-at-rest and data-in-transit controls etc.

PR.DS-7 says:
The development and testing environment(s) are separate from the production environment

Useful Links

  • NIST Press Release 
  • http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot