Privacy is an important feature in today’s software, and DevOps teams should be focused on it.
Privacy by Design, Privacy Enhancing Technology and Privacy by Default are all terms associated with privacy and software. What do they mean, and how do they affect DevOps?
I’ll explain them all in a three-part blog series. This is the first part, which focuses on Privacy By Design.
Privacy by Design, what is it?
Simply put, Privacy by Design (PbD) is an approach to systems engineering which takes privacy into account throughout the whole engineering process. The concept first emerged in a joint report on “Privacy-enhancing technologies,” produced in 1995 by a working group from the Information and Privacy Commission of Ontario, Canada, the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research.
So it is not a new term. Although the concept has been circulating in the EU for more than 20 years, it will not be written into legislation until next year. Alas, European legislation takes its time. The EU General Data Protection Regulation (GDPR) will be in force from May 2018.
With the GDPR on the way, PbD has become very important in today’s software development. How can DevOps address it?
Privacy by Design Principles and DevOps
Every approach has its principles.
For PbD, these are:
1 Proactive not reactive; preventative not remedial
2 Privacy as the default setting
3 Privacy embedded into design
4 Full functionality: positive-sum, not zero-sum
5 End-to-end security: full lifecycle protection
6 Visibility and transparency: keep it open
7 Respect for user privacy: keep it user-centric
As you can see, these principles are closely related to information security, but they are still ambiguous. This can give DevOps teams a tough time when creating user stories. That is why organisations such as OWASP provide PbD guidelines that can be put into practice.
The top 10 privacy risks OWASP recognizes are:
P1 Web application vulnerabilities
P2 Operator-sided data leakage
P3 Insufficient data breach response
P4 Insufficient deletion of personal data
P5 Non-transparent policies, terms and conditions
P6 Collection of data not required for the primary purpose
P7 Sharing of data with third party
P8 Outdated personal data
P9 Missing or insufficient session expiration
P10 Insecure data transfer
These risks are less ambiguous than the seven PbD principles, and each of them can be incorporated as a user story in every DevOps backlog.
Privacy by Design and Tooling
I could simply give you a list of DevOps tools that address PbD, but that is not the goal of this article.
As a DevOps team member, it is crucial that you know both what PbD is and how to implement it in your daily work. Guidelines like those from OWASP can help here. Once you follow their principles and guidelines, you can choose a suitable tool.
Privacy by Design is a systems engineering approach which takes privacy into account throughout the whole engineering process.
Due to new privacy regulations such as the GDPR, it is very important for DevOps teams to incorporate its principles into their daily work.
The OWASP guidelines can be used for this, including the selection of a suitable tool.