Think in 3 Ps and criticality
People, processes and parts are the 3 Ps that are most often subject to scrutiny and hardening. Anything heavily relied upon to handle data, whether people, methods, software, hardware or equipment, poses a potential business risk to DSPs and their customers.
In some industries and in certain processes, such risks aren’t substantial enough to warrant backup systems and redundancies. A good way to gauge reliance is to actually run critical business processes in acquisition, provisioning, billing and payments, and support while omitting some of those 3 Ps, rather than just performing the mental exercise on paper. Although this is a very general test-by-breaking method, it is hugely important when it comes to testing security measures across the 3 Ps. It’s a structured method of building informed trust.
Breaking in and out
The battles against hackers, competing organizations and data leaks are ones almost all data service providers fight. These are the basic ingredients that DSPs use in combination to maintain an edge:
- well-written and tested code
- audits by external teams
- whitehat infiltration and exfiltration attempts
- background checks on staff
- logging network and computer activity to trace document access and network traffic
- secured physical infrastructure
- thorough documentation
- tested business continuity plans, especially ones that exercise the failure of each of the 3 Ps
- single-point-of-failure analysis of the 3 Ps
- proper data handling policies
Data is gold. Credit card data, customer lists and related data are extremely valuable, and there is a known market for this type of data ($ hundreds of billions). How does it leak? Consider email. Corporations rely on email to share plans, designs and financial information; not everyone uses secured wikis and printed documents in clean rooms with two-man rules. Single points of reliance in people, practice or part (technology) are a recipe for disaster in this area. Even 4k-bit quantum encryption is useless if a single person holds the keys or if someone can talk their way into a data center.
It often isn’t the encryption or code that’s broken by brute force, but rather a weakness in one of the basic ingredients above that gets exploited. Most technology firms genuinely make all commercially reasonable efforts to safeguard user data, but that intent can be lost in translation, especially in very complex companies with many products, and these weak links can compromise the entire proverbial fortress.
Part 1 of the data privacy series discusses the challenges data service providers (DSPs) and their customers face.
Part 3 of the data privacy series discusses the policies, politics and practices that govern data privacy.