The Privacy Landscape in 2016

Privacy has made headlines for years now, and the rise of social platforms like Facebook has brought the issue into focus. In 2016, I expect privacy to remain at the forefront of technology news, especially with increasing digitization and technology innovations like Smart Cities, digitized transport and the Internet of Things (IoT). These technologies are generating amounts of data previously unknown. IT analysts International Data Corporation (IDC) state that by 2020 the IoT will account for 10% of all the data generated on Earth.

One of the most impactful changes in recent years, which affects privacy gravely, is the massive increase in data theft. Since 2013 there have been a staggering 3.7 billion records stolen. This heady mix of technology innovation, data generation and sophisticated cyber threats is creating new challenges for the privacy agenda.

Here are the key privacy issues emerging or consolidating in 2016:

Blurred Lines:  Data and the Corporation
The lines between data ownership are blurring. Personal data under the corporation umbrella become a corporate asset, yet they are still owned by the individual, and there can be serious impacts on that individual if the data gets into the wrong hands. And data are valuable to all interested parties, from the original owner, to the corporation that can potentially use or sell those data, to the cybercriminal who can extort money from the data through the black market. The privacy implication of this triad of interests is clearly complex, creating blurred lines of responsibility and ownership.

The way privacy is addressing these complexities in 2016 and beyond involves technology, visibility, laws, regulations and guidelines.

Corporate Obligations and the Privacy Policy 
Obligations are most often set out in a privacy policy. However, the issue of privacy policy creation has been in flux for years, creating confusion amongst the general public. The evolution of the privacy policy has greater importance as data sharing has increased with social platforms. This evolution took off in 2008 when the Patient Privacy Rights (PPR) Trust Framework was developed. The PPR Framework gave a working set of guidelines, which could be applied to privacy policies to create a clear, user-accessible policy.

Since then, platforms such as Facebook and Google have pushed the limits of privacy policy politics to the nth degree, and much debate within the technology and legal communities has ensued. The Federal Trade Commission (FTC) has instigated a number of legal actions against technology platforms, including Google, for misuse of users’ data. These actions have been partly responsible for a more respectful view of user data by the likes of Facebook and Google, who are starting to take heed and create better privacy policies which, at least on paper, make the companies look like they take user privacy seriously.

While the US continues to have no overarching privacy law, relying instead on a mosaic of federal and state laws, the humble privacy policy remains a very important legal document for redressing privacy violations. In 2016, more than any time in history, the privacy policy needs to be a means of privacy respect and control, as it sets corporate obligations and practices. However, privacy policies issues go beyond words on the page. There should be a user-centric approach to privacy policy engagement that ensures the user understands what the policy covers and how their personal data may be used.

Privacy Laws and Regulations
As I said, the US lacks a holistic privacy legal framework. A number of industry specific guidelines and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA) and the Americans with Disabilities Act (ADA), can be used to develop privacy approaches within a given context, but no single law exists. It will be interesting to see how recent events, such as the Snowden episode and the Apple vs. FBI privacy battle, shape the privacy landscape. The time feels right for a single US privacy law, and the work done in California might be the template. The state of California is setting standards across the board in privacy, including the handling of personal data by online services and online protection of minors.

It looks like 2016 will be the year where at least EU-US communications and privacy will have some positive outcome. The infamous Safe Harbor collapse of last year left EU-US data communications in flux, affecting many companies on both sides of the Atlantic. However, the announcement on 29 February by the European Commission of the EU-US Privacy Shield, which will replace Safe Harbor, is good progress. This agreement sets out the obligations and mechanisms needed to guarantee safety and privacy respecting EU-US data transmissions.

Privacy Challenges Ahead
Visibility of data:  As data generation increases, we need to understand where these data are stored, between whom they are transmitted and the end points being used. Data visibility is one of the keys areas that we need to be aware of to plan for privacy. For example, according to a recent IDC report, around 60% of all data generated by the IoT were duplicate data. Without understanding the data life cycle and where data flow, you can’t begin to truly protect an individual’s personally identifiable information.

The jurisdiction challenge:  The differing approaches to privacy, by jurisdiction within the USA, are a challenge that needs to be met in 2016. Bringing together a common law to manage public expectations is long overdue. The alignment of the planets, such as social media, increased public awareness of privacy, mass data generation and increased cyber threats, is bringing this need to the fore. The US government is taking cyber security threats seriously, with the introduction of the Cyber Intelligence and Protection Sharing Act (CISPA). Perhaps it is time for a similar action to protect privacy across the board.

Desai will speak on Data Privacy at the 2016 North America CACS Conference in New Orleans, 2-4 May.

Avani M. Desai CISSP, CISA, CIA, CIPP, Executive Vice President, Schellman & Company, Inc.

[ISACA Now Blog]

Ignite 2016: Conquering the Cyber Range

The biggest and best Ignite Conference yet is in the books. Our heartiest thanks to everyone who made it so!

Watch this space over the next few days for more from Ignite 2016, from behind-the-scenes photos and video to lots more action from the breakout rooms, exhibit hall and the late night festivities.

For now, however, we’re pleased to highlight this week’s Cyber Range exercises, which took place on Tuesday and Wednesday at Ignite and were sponsored by The Wall Street Journaland The Economist. Each day featured teams of Palo Alto Networks customers going head to head as they were tested on a network generating live traffic and real world malware, honing their skills with the Palo Alto Networks Next-Generation Security Platform.

Congratulations to the Cyber Range Day 1 and Day 2 winners!

Save the Date

Believe it or not, we’re already looking ahead to our next get-together. Join us at Ignite 2017 in Vancouver, British Columbia, June 12-15, 2017

Stay Social

You can continue to follow Ignite activities on @Ignite_Conf and using hashtag #igniteconf16. Over the next few weeks we’ll be adding general session and breakout session videos as well as some of the great conversations captured with our customers onsite in Las Vegas. Don’t forget to check out our Facebook gallery for the latest snaps from the show. We’ve shared a few below as well as what our attendees are saying about their time at Ignite 2016:

[Palo Alto Networks Research Center]

ISACA Now Chats with NACACS Keynote Speaker Tim Sanders

ISACA Now recently talked to Tim Sanders, a keynote speaker at the North America CACS 2016 2-4 May in New Orleans. Sanders is the New York Times best-selling author of Love Is The Killer App: How to Win Business & Influence Friends and an Internet pioneer. He advises Fortune 500 executives on leadership, marketing and new media strategies to grow business.

ISACA Now:  Your new book Dealstorming: The Secret Weapon That Can Solve Your Toughest Sales Challenges suggests a team approach to sales. What are the keys to developing a best-in-class team, no matter its function?

Sanders:  Effective problem solving teams are diverse in thinking and united in shared vision. So ask yourself:  Who has a stake in the outcome? Who has expertise about our problem? These are your blockers, tacklers and skill position players for your team. Every team has an overarching goal or purpose, so make sure yours cuts across the lines. In sales, you can’t lead with just the revenue opportunity; you need to elevate the discussion to winning a rivalry, pursuing excellence or building your brand. Same goes for any other problem area at work. A bigger why creates a stronger team, especially when finding a solution takes a lot of meetings and time.

ISACA Now:  You recently tweeted that nurturing team building and team players is more important than hiring rock stars. Why is that?

Sanders:  From business to technology, complexity is rising fast. This puts pressure on organizations to quickly innovate, keeping up with the times. In my research, I’ve found that genius is a team sport…not the work of a lone creative type. There are bodies of research (such as The Myths of Creativity by David Burkus) that debunk the stories of lone-invention. It’s a romantic notion, really. We want to think that the rock star programmer, sales person or marketer will save the day. But really, the effective team builder and player will harness group genius to move things forward more quickly. Additionally, many “rock stars” on paper are the product of their previous working environment. That’s why so often as they move to new opportunities, they can’t replicate their success. And making matters worse, because they were a rock star at their previous job, they’ve likely developed the lone-wolf mentality.

ISACA Now:  Many IT professionals are introverted or work remotely. How can they become lovecats?

Sanders:  A lovecat is a person who is strong and intelligent but at the same time, generous and empathetic to their colleagues. One way we can be generous is knowledge sharing or mentoring. This can be done now online, in a series of very helpful emails. For networking, another way to be generous at work, email introductions or LinkedIn endorsements offer a way to connect others that “should meet.” Finally, introverts are naturally great listeners. Helping others be heard is a valuable offering in organizations where there is constant change.

ISACA Now:  You will be speaking at the NACACS conference 2-4 May 2016 in New Orleans. Give us a brief preview of what you’ll discuss and what attendees will take away.

Sanders:  I’ll be talking about the power of great relationships, team work, collaboration and leading from the heart. Main takeaways will include insights on how to be an effective mentor, a power networker and a great listener. Also, I’ll reveal the collaboration process I’ve developed over my career, and how when fueled by relationships, it can triple your chances at solving your toughest challenges.

[ISACA Now Blog]

How the New PAN-OS 7.1 Release Benefits Government Organizations

We’ve just announced the newest release of our operating system, PAN-OS 7.1. You can read all of the details about this new release but, for our government customers, I wanted to highlight a few particular things that you have been talking about and deploying.

1. Extending Our VM-Series Private Cloud Support to Hyper-V and Azure

Our government customers are using a breadth of hypervisors within their virtualized data centers, or private clouds. With the release of PAN-OS 7.1, we extend our cloud support to include all major virtualization environments, including VMware, KVM/OpenStack, Amazon Web Services (AWS) and Microsoft with our VM-Series. In fact, a large Western military organization recently chose one of these hypervisor environments for its network, taking full advantage of Palo Alto Networks support for Hyper-V. Other large Western civilian governments have chosen Palo Alto Networks to secure their Microsoft Azure environments.

2. Full Visibility for PFS/SSL Encrypted Communications

Are you thinking about the many encrypted communications that could bring threats into your environments? Hopefully by now you’ve got a plan to decrypt those communications with our onboard SSL decryption (you can read more about how we support SSL decryption for governments in our Uncover SSL-Encrypted Attacks in Government Networks white paper). With this new release, we’re providing PFS/SSL decryption for ECDSA for SSL Forward Proxy. For U.S. and U.K. government customers, this adds yet another capability to the many we support for Suite B crypto ciphers.

3. Five-Minute Signatures and Dynamic Blocking for Highly Targeted Government Networks

The rate at which our government networks are attacked is staggering. So government agencies appreciate that Palo Alto Networks already highly automates the prevention of threats across their networks. Civilian agencies and military services tell us every day how better-protected they are when they turn on their Palo Alto Networks Next-Generation Security Platform. With PAN-OS 7.1, we’ve further reduced the time WildFire takes to identify and prevent zero-day threats to five minutes. In addition, WildFire can analyze Mac OS binaries, so malware that targets Apple products can be prevented. And newly discovered phishing websites are now categorized within 30 minutes. WildFire analyzes email links for indicators of phishing, such as spoofed URLs and credential-seeking form fields, and updates PAN-DB within 30 minutes. For URLs and DNS, we’ve added more block lists. In addition to the block lists based on IP addresses, you can now have URL and DNS block lists.

Note that if you’re attending Ignite 2016, we hope you’ll be participating in Cyber Range. Cyber Range participants will get real, hands-on experience with WildFire as the teams compete to mitigate actual single-vector and multi-vector attacks. If you didn’t get a seat at Cyber Range this year, don’t worry. Ignite 2016 attendees can still observe the teams as they compete to see who can prevent threats the fastest.

4. Deploying on Ships, Tanks, and Elsewhere? Offline NSX Registration

There are numerous examples of how Palo Alto Networks platforms are supporting these tactical deployments. With this release, you can now complete NSX registration offline, which our customers told us is important for their tactical environments.

5. Consolidating Your Insights on IOCs: Consolidated Log Viewer

And speaking of all of those threats hitting government networks today, we’ve consolidated threat, traffic and WildFire logs for you into a single view. We hope you’re already using AutoFocus for your threat intelligence analysis. Now you can query from within AutoFocus across all of our threat insights to simplify the task of tracking an IOC or IP address. You also can query all of your appliances across the network for potential artifacts.

6. Certifications for Government: FIPS 140 and Common Criteria

With PAN-OS 7.1, our government customers are getting FIPS-140 certifications for Panorama, Log Collector and Offline PAN-DB. You’ll also appreciate our compliance with the VPN Gateway Extended Package and the IPsec VPN Gateway Security Characteristics. Finally, for those U.S. agencies having to comply with the DISA Security Technical Implementation Guides (STIGs) for information assurance, you’re getting last login time, last unsuccessful login, accept login banner verification, and classification banners.

Want to learn more? We hope to see you at Ignite 2016, where you’ll learn more about all of these new features in PAN-OS 7.1. But don’t worry if you can’t make it. If you’re a U.S. government agency, we’ll see you at our annual Federal Forum in Washington, D.C. This year’s Federal Forum will be held July 16 at the Newseum. See you there!

For more information, please visit our Technical Documentation page or any of the following resources:

[Palo Alto Networks Research Center]

Ignite 2016: A Next-Generation Security Platform Built for the Prevention Age

You all knew we were just getting warmed up, right?

Tuesday at Ignite 2016 kicked into high gear with dazzling performances of dance and rap – complete with high-energy choreography and glow-in-the-dark lights. In between came the all-star succession of general session headliners, including our own Mark McLaughlin and Lee Klarich.

Following their presentations came a fireside chat between CSI TV franchise creator Anthony Zuiker and actor and former White House official Kal Penn. There were plenty of laughs and a few lighter moments when it came to how cybersecurity gets the “Hollywood treatment,” but Zuiker and Penn also took a few minutes to highlight the importance of cybersecurity education for children – paramount for a generation that grew up with the Internet as a given. They were all followed by the inimitable Nir Zuk, keying in on the importance of prevention and the power of the Next-Generation Security Platform.

Check out the video recap of today’s Ignite action, including highlights from the general session, what resonated with members of our live audience of more than 3,000 security professionals and partners, and the winners of the first of our Cyber Range exercise. And read on for details of the general session and the day’s announcements.

What We Mean By Prevention 

As Mark, Lee and Nir noted, a cybersecurity mindset of detection and remediation is futile in the face of advanced attackers who get ever more creative in the ways they can successfully breach networks and steal critical information. As Mark noted, preventing breaches is in many ways a math problem: figuring out how to interdict the attack lifecycle at each of its stages.

What that means for the industry, as Lee explained, is a true platform that can provide complete visibility, reduce the attack surface area, prevent all known threats, and prevent new threats. And not only do those four things, but in such a way that capabilities are natively integrated to work together, are applied consistently to all users, applications and locations, and offer automated discovery and reprogramming of both the network and endpoint to prevent known and unknown threats.

Hence: the Palo Alto Networks Next-Generation Security Platform – updates to which we announced today in the form of PAN-OS 7.1 and which Lee described in detail. (Watch this space for a lot more on PAN-OS 7.1 in the coming days.)

Today’s Announcements:

Coming Up Tomorrow:

  • Our second Cyber Range exercise, sponsored by The Economist. Join us in the exhibit hall for all the action or follow along at #IgniteRanger!
  • A final day of training and breakout sessions, including our track intended for CISOs and C-level executives managing cyber risk
  • PCNSE6, PCNSE7 and PSE: Platform Professional exams in Brera 3, 4 and 5

Stay Social!

Follow @Ignite_Conf and use #igniteconf16 for the latest from today’s sessions and to get a look ahead to our final day. Keep an eye on our Facebook gallery for new photos. And have a look at what people here at Ignite 2016 are saying about their experiences:

[Palo Alto Networks Research Center]

English
Exit mobile version