The Art of managing privacy policies

Maybe you have noticed it. Privacy is an issue. A bit strange, since there are only 3 days left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union.

So before the end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to design and improve your systems to meet the GDPR is not straightforward. Due to the complexity of the GDPR document you will need to use privacy policies to control and manage privacy risks.

But what is a privacy policy? In general a privacy policy describes the information that a company collects from you and how it is stored and processed. Such a document is also called a ‘Privacy Agreement’. However, when you want to use a government IT service or a commercial internet service from e.g. Google, Microsoft or a bank, there is no real option not to agree. So the word ‘agreement’ is often misleading.

A more technical definition of ‘privacy policies’ is: all IT settings, configurations on IT systems and software that must be compliant with legal and industry privacy rules. So if you are able to translate legal privacy requirements into technical IT configurations and IT settings, and can control and manage these settings, life can be easier, for example when you have to prove that you are compliant with the GDPR.

For today’s complex IT environments, security and privacy of your customers’ data are key. So in order to control all risks, you should be able to apply the needed technical security and privacy policies to all your systems, and monitor your systems to ensure they remain compliant with the approved settings. The best way to manage this complex challenge is to automate.

Using automation is a necessary step for security and privacy. Good automation tooling has the capability to apply security and privacy settings to all your IT components in a simple, consistent manner. And you have far better control in a large, complex IT environment. This is because there is often a single point of truth where all settings are stored and managed.
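The single point of truth described above, as an added example that is not part of the original post and not taken from any of the tools listed below: one approved baseline, each setting traced to the privacy requirement it implements, checked against the settings collected from every host. The setting keys, limits, host names and requirement texts are constructed assumptions.

```python
import operator

# Constructed baseline (assumption): setting -> (comparison, approved value,
# privacy requirement the setting implements). This is the single point of truth.
BASELINE = {
    "db.encryption_at_rest": (operator.eq, True, "personal data is encrypted when stored"),
    "tls.min_version": (operator.ge, (1, 2), "personal data is encrypted in transit"),
    "logs.retention_days": (operator.le, 90, "personal data is kept no longer than needed"),
    "audit.logging_enabled": (operator.eq, True, "access to personal data is traceable"),
}

# Constructed inventory (assumption), standing in for settings that an
# automation tool collected from two hosts.
OBSERVED = {
    "web01": {"db.encryption_at_rest": True, "tls.min_version": (1, 2),
              "logs.retention_days": 30, "audit.logging_enabled": True},
    "db01": {"db.encryption_at_rest": False, "tls.min_version": (1, 0),
             "logs.retention_days": 365},  # audit setting was never collected
}

def check_host(settings, baseline=BASELINE):
    """Return (key, observed value, requirement) for every deviation on one host."""
    findings = []
    for key, (compare, approved, requirement) in sorted(baseline.items()):
        if key not in settings:
            # Missing evidence is a finding too: compliance cannot be proven.
            findings.append((key, None, requirement))
        elif not compare(settings[key], approved):
            findings.append((key, settings[key], requirement))
    return findings

def audit(inventory, baseline=BASELINE):
    """Map every host to its findings; an empty list means compliant."""
    return {host: check_host(settings, baseline) for host, settings in inventory.items()}

if __name__ == "__main__":
    for host, findings in audit(OBSERVED).items():
        print(host, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for key, value, requirement in findings:
            shown = "not reported" if value is None else value
            print(f"  {key} = {shown}: violates '{requirement}'")
```

Because every finding carries the requirement text, the same report serves both the operator who has to fix the setting and the person who has to show compliance.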

Over the last years a number of (OSS) tools have proven to be usable for automating security and privacy settings for all kinds of IT components:

  • Ansible. Ansible allows you to simply define your systems' settings for security. Ansible works with a Playbook syntax that allows you to define security settings for any component in an IT landscape, e.g. firewall rules, users and groups, or custom security policies for applications.
  • OpenSCAP (Open Source Security Compliance Solution). SCAP is a specification for expressing and manipulating data in standardized ways. SCAP uses several individual specifications in concert to automate continuous monitoring, vulnerability management, and security policy compliance evaluation reporting. The Security Content Automation Protocol (SCAP) is a U.S. standard maintained by the National Institute of Standards and Technology (NIST). The OpenSCAP project is a collection of open source tools for implementing and enforcing this standard.
  • Open Policy Agent (OPA). The Open Policy Agent (OPA) is an open source, general-purpose policy engine for cloud environments that enables unified, context-aware policy enforcement across the entire stack. OPA provides a high-level declarative language for authoring policies and simple APIs to answer policy queries. Using OPA, you can offload policy decisions from IT services.
  • SaltStack. SaltStack makes software for complex systems management at scale.
  • InSpec. InSpec is a free and open-source framework for testing and auditing your applications and infrastructure. InSpec of course works nicely together with Chef. Chef is an automation language and deployment tool for defining your infrastructure as code.

Since security and privacy is a complex field, there is no silver bullet solution. There is also no single tool that fits all use cases. So sometimes you end up with separate tools to make managing technical privacy settings simpler. But creating a solid open IT architecture will always give you a good start and fewer security and privacy risks.

This blog post will be added (after a rewrite) as an extension to the ‘Open Reference Architecture for Security and Privacy’. We are working on a renewed version. Please join us!