In order to have a clearer understanding of the issue, it is necessary to understand the definitions of the terms "data security" and "privacy" and the relationship between the two concepts. Data or information security, as most are probably aware, can be described as the protection of personal information. The security axiom "confidentiality, integrity, and availability" is likely familiar to most readers: it means ensuring that the data is protected from unauthorized use or access, that it has not been changed or altered, and that it is available for use when it is needed.
Privacy, on the other hand, is a much more complex issue. The earliest legal definition of privacy is "the right to be let alone" and was coined by Samuel Warren and Louis Brandeis[i] in 1890. For all intents and purposes, this is the definition that drove United States privacy laws until the recent past. This vague definition is now inadequate to deal with the technological aspects of privacy today. For most, privacy can now be defined as "the appropriate use of information." In other words, appropriate privacy practices entail using the data in a manner that is consistent with the consumer's original intent when that information was provided.
It is not uncommon to hear the two terms used interchangeably, as though they are so interconnected as to be synonymous. This misunderstanding is not only unfortunate, but it can be extremely costly for organizations. It is possible to have adequate security without appropriate privacy practices. However, it is not possible to have good privacy practices without robust data security measures. How can this be?
Security is a component of privacy. It is one measure to ensure that consumer data is not subject to unauthorized access or misuse. There are a number of privacy frameworks available for reference. The Federal Trade Commission has published its Fair Information Practice Principles[ii], which outline five primary tenets of privacy. They are as follows:
The Organization for Economic Co-operation and Development (OECD) has a much more robust guideline designed for companies engaged in cross-border data flow[iii]. Its purpose was to help smooth out some of the disparities between national legislation on privacy practices. These guidelines can be seen in emerging international data privacy laws. These guidelines were first adopted by the organization in 1980, far pre-dating anything that the United States has done with respect to the protection of personal information. The OECD found that "automatic processing and transborder flows of personal data create new forms of relationships among countries and require the development of compatible rules and practices" and "that transborder flows of personal data contribute to economic and social development." For these reasons, and others enumerated within the guideline, the guidelines were developed in order to overcome any hindrances to the data flow that might preclude development.
The OECD Guidelines on the Protection of Privacy and Transborder Data Flows contain a number of principles that organizations should follow in order to comply. Some principles are similar to those in the FTC Fair Information Practices, but are a bit more far-reaching. They include: