Security Experts:

Security and Privacy: A Conversation Starter

What differentiates security and privacy? What unites them? Are they mutually exclusive or highly compatible? Does your organization’s policy on privacy trump its security policy? Are there policies in place for one or the other or both? Have you revisited them lately? If not -- as the saying goes -- there is no time like the present.

A short while back, Google announced changes to its privacy policy. If you missed the announcement, you may have also missed the firestorm of outrage that followed. By acknowledging that it analyzes -- and then uses -- what’s of interest to those who use its services, Google was portrayed as smashing to bits the very foundation of privacy.

While Google is sometimes viewed through a lens of suspicion, the company deserves kudos for starting a conversation that’s long overdue for anyone concerned with the confluence of technology, privacy and security.

If you use Google’s services like Google Docs, Gmail or Google+, it’s obvious that the company knows a lot about you. And if you use Google as a search engine, the company knows what interests you. Earlier this year, Google combined more than 70 previously separate privacy policies for products and services into one comprehensive policy that clearly states that the company collects information from all its services “ … to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.” Furthermore, according to the streamlined policy, Google “uses this information to offer you tailored content -- like … more relevant search results and ads.”

In 2005, Google publicly stated that it was combining data submitted via user accounts with information from other Google services or third parties. The company was doing this to provide a better experience for users and to improve the quality of their services. After reading it, I do not believe that the company’s streamlined policy issued earlier this year represents an alarming change, or even a dramatic one.

What is dramatic, though, is how rapidly the face of the IT function has changed in a relatively short span of time. Thanks in large part to companies like Google, it’s increasingly common for organizations to outsource all or part of their IT infrastructure, often directly into the cloud, where information that was once locked into filing cabinets now sits on servers protected by passwords instead of keys. This rapid shift towards a new paradigm for managing data is an excellent starting point for a long overdue conversation about security and privacy.

It’s Time to Strategize

When you engage with a third party for data storage and management, you lose privacy. While you still have a substantial amount of control over how much privacy you lose, at least some of it is sacrificed.

So if you’re concerned about who has access to the information you’re responsible for, the Google uproar may serve as the conversation starter you need to encourage you to examine and perhaps adjust how your security policies work with (or against) corporate privacy.

If your organization is one of the many that takes advantage of third-party service providers, it’s in your best interest to invest the time needed to articulate a strategy for privacy and security. This is important even if the data handled by a third party pertains strictly to your organization; if the data involved also includes customer information, the importance increases dramatically.

I recommend you begin the process of defining your organization’s security and privacy policies and strategies by asking three simple questions:

• Of the data being handled by a third party, how much of it belongs strictly to your organization?

• What level of access to your organization’s data does the third party have?

• What is the third party legally allowed to do with the data from your organization?

It’s important that those involved in privacy and security strategies acknowledge the complexity of their undertaking and then allocate resources accordingly. Your job is to forge forward into largely uncharted territory since we haven’t yet fully replaced physical barriers with digital ones in a way that’s comprehensive and consistent. Ushering security and privacy protocols into the same generation as the technology upon which you and your business rely is a paramount responsibility for IT professionals in the years ahead.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.