If you’re like many organizations with data security concerns, you probably believe your automated tests are sufficient to catch any potential security or privacy vulnerabilities. The scenario is familiar: You’re streaming data from multiple sources into your SEIM systems, and you’ve configured triggers for the reporting process. You keep a close eye on results from automated tests on software running in production. All of your monitoring tools indicate your code is running flawlessly and there are zero errors.

You’re running automated tests, just as the DevOps playbook of best practices suggests — but the reality is they won’t catch security or privacy compliance vulnerabilities. Why not? Because DevOps is falling behind.

The hard truth about DevOps
DevOps is falling behind because privacy is a different matter altogether. It is a matter of complying with laws. There are three main tenets to privacy compliance: Is the privacy policy in alignment with the current laws and has it been fully documented, have people seen the demented privacy policy, and have people consented to their data being used according to the declaration of the privacy policy?

Three tenets to privacy compliance

  • Alignment: Align your privacy policy with current laws and fully document it
  • Visibility: Make sure people read your privacy policy
  • Consent: Gain consent for use of user data in accordance with the privacy policy

It’s a lot to contend with. To address privacy by security appropriately, you have to embed privacy by design from the beginning. It can’t simply be added on at the end.

In fact, properly patched code is 80 percent of security. The firewalls, antivirus software, and other additional elements are backup measures in case the fundamentals don’t work. Think of proper code as the moat and the drawbridge, while the guards are the firewall. If a product or service is at the highest quality possible, privacy and security will be embedded and seamless.

Organizations have gravitated toward DevOps because of its emphasis on process, collaboration, and automation. Unfortunately, automation has come at the expense of other things like privacy and security.

Are privacy and security real?
Your privacy and security are as meaningful as their alignment between your security implementation and your need for privacy and security. If those things are not aligned, privacy and security are just academic concepts.

When we run tests, we’re testing the code to see whether it works. Security may not be in the testing scope. For many companies, security is tough to test for because it’s in the firewall and antivirus software. Let’s look at another industry:

When Ford introduced the Model T in 1908, he revolutionized production with the assembly line. The Model T gave people what they wanted: fast, reliable transportation at an affordable price.

Security features? None. Later, of course, Ford introduced an electric starter, a foot accelerator, a foot brake, dashboard gauges, seat belts, air bags, crumple zones, firewall, and more. Security and safety is integrated… built in. Having those features built in from the start helps to ensure quality, and in the modern era these points are regulated by law makers.

Today’s cars have hundreds of sophisticated safety features. Rear-view cameras, fluid level sensors, tire pressure sensors, nearby car detectors, auto correction technology for staying in your lane, and more features are built in from the start.

This same progression is happening to Information Technologies and Information Systems. Security is an artifact of the youth of the industry. Innovations come out of immature industries, and security is fully integrated when the industries become mature.

Security requires three things: Safety from things that don’t work right, safety from malicious activity, and privacy protection. Security regarding things not working and defense against malicious activity have advanced since the software industry has started to mature. Privacy compliance is still growing and evolving.

Privacy compliance is an evolutionary arms race. Social and business factors increase risks. Laws change to enforce behaviors that will mitigate those risks. And the security features built into your code comply with the laws and offset the behavior of both well-meaning and nefarious people who interact with your company’s code and infrastructure.

Testing and monitoring recommendations

  • Monitoring: Employ different techniques to detect and prevent issues
  • Testing: Testing your service in conjunction with the monitors you have in place
  • Automation: Automate repeatable processes
  • Delivery: Account for environment variables for notification delivery
  • Service Health: Exercise your services in different ways to gain a holistic view
  • Transparency: Be transparent and honest with your customers

Next steps in security and compliance
There are three things you must do to ensure security and compliance given the current state of business.

First, validate code as part of development. There are a few ways to do this. You can have it validated by other human beings, but of course human beings make mistakes. You can also use automated scanners against known vulnerabilities. A third option is a function map or workflow vetted by someone who knows privacy. That person could be a lawyer with technology cross discipline, or it could be a privacy expert on staff.

Second, make sure you’re not breaking any laws when you’re coding and writing processes for automation. There is no magic way of knowing whether you are in legal compliance. In adherence with DevOps best practices, you must map function and workflows from a legal perspective.

Third, document the function and workflow. Function and workflow should not be in people’s heads! When workflow is documented and shared, it helps to support the collaboration that is the heart of DevOps. When you integrate privacy and security into your product by design, you put your organization on the road to providing effective, safe, and secure software to your customers.

Always be improving
There is a misconception that privacy and security require technical solutions. And to an extent, that’s true. But really, it’s a people issue and needs to be solved through training, awareness, and the flow of information.

These fundamentals will help you protect your organization. By understanding the unique compliance requirements of your business, you can better understand how your data is really being used and keep it safe from untrustworthy hands.

We are in a time of great change, and some situations have no precedence to guide us. Changes to Safe Harbor are a good example. And now, regulators are building teeth into laws by applying enormous penalties for running afoul. You must be proactive on compliance and safety to serve your business and your customers well.

About Bob Hawk

Bob Hawk is a security analyst at xMatters. Hawk has extensive experience in Information Systems Security, Computer Security, Cyber Security, Information Assurance, as well as Governance, Risk, and Compliance (GRC) Management. He specializes in frameworks and standards from: ISO/IEC, NIST, IEEE, IETF, ITU-T, Common Criteria, AMI-SEC, NERC, CIS, DoD, ANSI, PCI, and ISECOM. Robert is a lifelong researcher, innovator and instructor.