SlideShare a Scribd company logo

20171106 - Privacy Design Lab - LINDDUN

Brussels Legal Hackers
Brussels Legal Hackers

Aram H., researcher at DistriNet - KULeuven, presented the LINDDUN methodology (°2010) in already a bit simplified form (3 instead of 6 steps) while the team is working to further operationalise it AND align it with GDPR. With LINDDUN you systematically approach the technical elements of appropriate measures to protect the data in 3 steps: 1 describe the data (flow) elements 2 elicit threats relating to linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, non-compliance (and focus by making reasonable assumptions) 3 manage the threats, especially by mitigating them based on the threat taxonomy You can find more on the methodology on linddun.org This presentation was part of a series of presenters that filled the Privacy Design Lab that was organised by / together with the US Chamber of Commerce on 6 November 2017.

Education
1 of 23
Download to read offline
Towards GDPR Compliance with LINDDUN Aram Hovsepyan Kim Wuyts https://www.facebook.com/LINDDUN.privacy/ https://twitter.com/linddun https://linddun.org
2 2 Large team of professionals § 12 faculty members § 8 research managers § 15 postdocs § 50 PhD Students § Business office Project-centric research § fundamental research at the core § strategic basic research § applied research with industry § contract research Distributed Software Software engineering Secure Software
GDPR Compliance 3 COMPLIANCE LEGALLEGALTECHNICAL
COMPLIANCE GDPR Compliance 4 LEGALLEGALTECHNICAL LIN DDUN › Functional › “Appropriate technical measures…” Right to be forgotten ✔ Right to information ✔ Right to access ✔ Right to rectification ✔ Right to object ✔ Right to data portability ✔
LINDDUN background › Developed before the GDPR hysteria › Scientifically renown › Industrially accepted (ISO27550) 5
LINDDUN › Technical data protection impact assessment methodology › Threat modeling framework › System description › Threat elicitation › Threat management / mitigation 6
LINDDUN* Framework › Step 1: describe the system › create a data flow diagram (DFD) › describe all data › Step 2: elicit threats/risks › map threats to DFD elements › identify threats using attack trees › Step 3: manage threats/risks › prioritize in dialog with the DPO › mitigate using a taxonomy of PETs 7* We present a modified version of LINDDUN
Step 1: Create the Data Flow Diagram 8
Step 1: Create the Data Flow Diagram 9 Cloud Server 1. User 2. Administrator Back-endFront-end 9. Authentication 4. Overall database 6. Authentication 5. Portal facade 8. Portal facade 11. Mail server 7. Chat 10. Chat 13. HTTPS12. HTTPS 3. Ops 14. SSH 15 16 17 18 19 20 21 22 23 24 25 26. Logging 27. Imitate
Step 1: Describe all data › Databases › Files › Logs › apache logs 10
› Linkability › Identifiability › Non-repudiation › Detectability › Disclosure of Information › Unawareness › Non-compliance Step 2: Elicit threats 11
Step 2: Elicit threats 12 Security/Privacy mavens Experts in other areas LINDDUN AttackTrees Checklists CAPEC STRIDE
Step 2: Map threats to DFD elements 13 Linkability Identifiability Non-repudiation Detectability Information Disclosure Content Unawareness Policy&Consent Non-compliance Data store X X X X X X Data flow X X X X X X Process X X X X X X Entity X X X MAPPINGTEMPLATE
Assumptions › Pre-conditions / invariants that invalidate threats, e.g.: › non-repudiation threats often not applicable › secure communication (https A+ grade) › identifiability and linkability threats not be applicable to closed systems 14
Step 2: Identify threat scenarios using attack trees 16
Step 2: example 17 Threat 1 Using the forgot password feature we can identify a system user. DFD 4 (Detectability). Description Forgot password feature asks the email address of the user and after resetting the password says that a reset password email is successfully sent to the user. This could lead to identifiability problems where an attacker can easily check whether the user has a registration within the platform. Countermeasure None Likelihood Limited Impact Negligible Action point Modify the forgot password feature to always produce the same message making it impossible to figure out whether the user with the specified email address exists or not. Reference D_p (12)
Step 2: example 18 Threat 3 Storing a complete log of user actions. DFD 4 (Identifiability, Linkability, Unawareness, Non-compliance) Description All user actions are logged in the system for statistical purposes. This poses a significant privacy threat for a number of categories, such as, unawareness and non-compliance. Note that even if this data is anonymized, the threats for identifiability and linkability remain as we could match the user last login time and figure out the user log actions. Countermeasure None Likelihood Maximum (administrators can always have a look at the complete log). Impact Limited (to be discussed with DPOs). Action point • Make sure the privacy policy reflects that a detailed log is collected. • Keep the log, but drop the link to the users (impossible to track teams). • Reduce the time accuracy for the logs (e.g., keep only the action hour, and not the minute and second). Reference L_ds6, I_ds5, I_ds6, U_2, NC_3 (4)
Step 3: Manage threats › Accept › Mitigate › Avoid › Transfer 19
Step 3: Manage threats 20
Step 3: Manage threats
Step 3: Manage threats
LINDDUN › Systematic technical data privacy impact assessment framework › Solid scientific foundation › 30 years security research › 10 years privacy research › Collaborative effort with COSIC and CiTiP › Validated through empirical studies and pilot projects 23 https://linddun.org

Recommended

Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecurityTara Arnold
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsNarudom Roongsiriwong, CISSP
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)DNIF
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsPriyanka Aash
 
Webinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessWebinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessStorage Switzerland
 

Recommended

Security by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecuritySecurity by Design: An Introduction to Drupal Security
Security by Design: An Introduction to Drupal SecurityTara Arnold
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsNarudom Roongsiriwong, CISSP
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)DNIF
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsPriyanka Aash
 
Webinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessWebinar: Backup vs. Ransomware - 5 Requirements for Backup Success
Webinar: Backup vs. Ransomware - 5 Requirements for Backup SuccessStorage Switzerland
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard ProjectNarudom Roongsiriwong, CISSP
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughTriangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughMartin Opsahl
 
Safeguard your enterprise against ransomware
Safeguard your enterprise against ransomwareSafeguard your enterprise against ransomware
Safeguard your enterprise against ransomwareQuick Heal Technologies Ltd.
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsPriyanka Aash
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...EC-Council
 
Cyber intelligence for corporate security
Cyber intelligence for corporate securityCyber intelligence for corporate security
Cyber intelligence for corporate securityG3 intelligence Ltd
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19Narudom Roongsiriwong, CISSP
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guideanpapathanasiou
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident ResponseEC-Council
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitecturePriyanka Aash
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo ButtiEuroPrivacy
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Amazon Web Services
 

More Related Content

What's hot

Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar SlidesThreatConnect
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard ProjectNarudom Roongsiriwong, CISSP
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughTriangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughMartin Opsahl
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsPriyanka Aash
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive PresentationNormShield, Inc.
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...EC-Council
 
Cyber intelligence for corporate security
Cyber intelligence for corporate securityCyber intelligence for corporate security
Cyber intelligence for corporate securityG3 intelligence Ltd
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19Narudom Roongsiriwong, CISSP
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident ResponseEC-Council
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitecturePriyanka Aash
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 

What's hot (20)

Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enoughTriangulum - Ransomware Evolved - Why your backups arent good enough
Triangulum - Ransomware Evolved - Why your backups arent good enough
 
Safeguard your enterprise against ransomware
Safeguard your enterprise against ransomwareSafeguard your enterprise against ransomware
Safeguard your enterprise against ransomware
 
Evidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five ControlsEvidence-Based Security: The New Top Five Controls
Evidence-Based Security: The New Top Five Controls
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
 
Cyber intelligence for corporate security
Cyber intelligence for corporate securityCyber intelligence for corporate security
Cyber intelligence for corporate security
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Cisa ransomware guide
Cisa ransomware guideCisa ransomware guide
Cisa ransomware guide
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security Professional
 

Viewers also liked

#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo ButtiEuroPrivacy
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Amazon Web Services
 
Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015Dr. Ann Cavoukian
 
Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World MongoDB
 
Privacy by Design: White Papaer
Privacy by Design: White PapaerPrivacy by Design: White Papaer
Privacy by Design: White PapaerKristyn Greenwood
 
Advantages of privacy by design in IoE
Advantages of privacy by design in IoEAdvantages of privacy by design in IoE
Advantages of privacy by design in IoEMarc Vael
 
Top career課件
Top career課件Top career課件
Top career課件Qilian
 
Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)Ann Wuyts
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignEleanor McHugh
 
Privacy by design
Privacy by designPrivacy by design
Privacy by designblogzilla
 
Safeguarding privacy in research design
Safeguarding privacy in research designSafeguarding privacy in research design
Safeguarding privacy in research designMarlon Domingus
 
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色Wayne Chung
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsMarius FAILLOT DEVARRE
 
Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artJames Mulhern
 
Security by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecuritySecurity by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecurityMediacurrent
 
Ame Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for PrivacyAme Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for PrivacyNEXT Conference
 

Viewers also liked (18)

#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
#Ready4EUdataP Privacy by Design: effetti pratici sui sistemi IT Giancarlo Butti
 
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
Security, Risk, Compliance & Controls - Cybersecurity Legal Framework in Hong...
 
Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015Privacy by Design Seminar - Jan 22, 2015
Privacy by Design Seminar - Jan 22, 2015
 
Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World Managing Cloud Security Design and Implementation in a Ransomware World
Managing Cloud Security Design and Implementation in a Ransomware World
 
Privacy by Design: White Papaer
Privacy by Design: White PapaerPrivacy by Design: White Papaer
Privacy by Design: White Papaer
 
Advantages of privacy by design in IoE
Advantages of privacy by design in IoEAdvantages of privacy by design in IoE
Advantages of privacy by design in IoE
 
Top career課件
Top career課件Top career課件
Top career課件
 
Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)Privacy By Designer (PHP.ghent)
Privacy By Designer (PHP.ghent)
 
Don't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By DesignDon't Ask, Don't Tell - The Virtues of Privacy By Design
Don't Ask, Don't Tell - The Virtues of Privacy By Design
 
Privacy by design
Privacy by designPrivacy by design
Privacy by design
 
Safeguarding privacy in research design
Safeguarding privacy in research designSafeguarding privacy in research design
Safeguarding privacy in research design
 
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
Google在被遺忘權 (Right to Be Forgotten)中所扮演的角色
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the art
 
Security by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal SecuritySecurity by design: An Introduction to Drupal Security
Security by design: An Introduction to Drupal Security
 
Ame Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for PrivacyAme Elliott – No, Thank You: User Experience Design for Privacy
Ame Elliott – No, Thank You: User Experience Design for Privacy
 
Data Pipeline Matters
Data Pipeline MattersData Pipeline Matters
Data Pipeline Matters
 
The AI Rush
The AI RushThe AI Rush
The AI Rush
 

Similar to 20171106 - Privacy Design Lab - LINDDUN

apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays
 
DG_Architecture_Training.pptx
DG_Architecture_Training.pptxDG_Architecture_Training.pptx
DG_Architecture_Training.pptxTranVu383073
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016Tomppa Järvinen
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceAdrian Dumitrescu
 
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockBe A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockCloudLock
 
InsiderThreat-2016NDITS
InsiderThreat-2016NDITSInsiderThreat-2016NDITS
InsiderThreat-2016NDITSMike Saunders
 
5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR ComplianceGabor Farkas
 
Information Security Management. Security solutions copy
Information Security Management. Security solutions copyInformation Security Management. Security solutions copy
Information Security Management. Security solutions copyyuliana_mar
 
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Bruno Caseiro
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers Gary Dodson
 
CIO WaterCooler Focus: GDPR Jasmit Sagoo
CIO WaterCooler Focus: GDPR Jasmit SagooCIO WaterCooler Focus: GDPR Jasmit Sagoo
CIO WaterCooler Focus: GDPR Jasmit SagooAndrew Pryor
 
dlp-sales-play-sales-customer-deck-2022.pptx
dlp-sales-play-sales-customer-deck-2022.pptxdlp-sales-play-sales-customer-deck-2022.pptx
dlp-sales-play-sales-customer-deck-2022.pptxalex hincapie
 
Teknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeemu Tiainen
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gapxband
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud IBM Security
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general attSHIVA101531
 
Protect your sensitive data against data leaks with Safetica DLP
Protect your sensitive data against data leaks with Safetica DLPProtect your sensitive data against data leaks with Safetica DLP
Protect your sensitive data against data leaks with Safetica DLPAdi Saputra
 

Similar to 20171106 - Privacy Design Lab - LINDDUN (20)

Challenges2013
Challenges2013Challenges2013
Challenges2013
 
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec...
 
DG_Architecture_Training.pptx
DG_Architecture_Training.pptxDG_Architecture_Training.pptx
DG_Architecture_Training.pptx
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
Information security
Information securityInformation security
Information security
 
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockBe A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
 
InsiderThreat-2016NDITS
InsiderThreat-2016NDITSInsiderThreat-2016NDITS
InsiderThreat-2016NDITS
 
5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance
 
Information Security Management. Security solutions copy
Information Security Management. Security solutions copyInformation Security Management. Security solutions copy
Information Security Management. Security solutions copy
 
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
CIO WaterCooler Focus: GDPR Jasmit Sagoo
CIO WaterCooler Focus: GDPR Jasmit SagooCIO WaterCooler Focus: GDPR Jasmit Sagoo
CIO WaterCooler Focus: GDPR Jasmit Sagoo
 
dlp-sales-play-sales-customer-deck-2022.pptx
dlp-sales-play-sales-customer-deck-2022.pptxdlp-sales-play-sales-customer-deck-2022.pptx
dlp-sales-play-sales-customer-deck-2022.pptx
 
Teknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimuksetTeknisen tietoturvan minimivaatimukset
Teknisen tietoturvan minimivaatimukset
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gap
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general att
 
Protect your sensitive data against data leaks with Safetica DLP
Protect your sensitive data against data leaks with Safetica DLPProtect your sensitive data against data leaks with Safetica DLP
Protect your sensitive data against data leaks with Safetica DLP
 

More from Brussels Legal Hackers

20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AI20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AIBrussels Legal Hackers
 
20190423 PRiSE model to tackle data protection impact assessments and data pr...
20190423 PRiSE model to tackle data protection impact assessments and data pr...20190423 PRiSE model to tackle data protection impact assessments and data pr...
20190423 PRiSE model to tackle data protection impact assessments and data pr...Brussels Legal Hackers
 
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de WieleBrussels Legal Hackers
 
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie SmitsBrussels Legal Hackers
 
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen VingerhoetsBrussels Legal Hackers
 
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel BeelenBrussels Legal Hackers
 
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik PutmanBrussels Legal Hackers
 
20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practice20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practiceBrussels Legal Hackers
 
20190221 Data subject rights in practice
20190221 Data subject rights in practice20190221 Data subject rights in practice
20190221 Data subject rights in practiceBrussels Legal Hackers
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreementsBrussels Legal Hackers
 
20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentation20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentationBrussels Legal Hackers
 
20170601 - Digital festival presentation
20170601 - Digital festival presentation20170601 - Digital festival presentation
20170601 - Digital festival presentationBrussels Legal Hackers
 
20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)Brussels Legal Hackers
 
20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptions20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptionsBrussels Legal Hackers
 
20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)Brussels Legal Hackers
 
20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehicles20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehiclesBrussels Legal Hackers
 

More from Brussels Legal Hackers (20)

20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AI20190528 - Guidelines for Trustworthy AI
20190528 - Guidelines for Trustworthy AI
 
20190423 PRiSE model to tackle data protection impact assessments and data pr...
20190423 PRiSE model to tackle data protection impact assessments and data pr...20190423 PRiSE model to tackle data protection impact assessments and data pr...
20190423 PRiSE model to tackle data protection impact assessments and data pr...
 
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
20190316 - CLBFest - Blockchain & the law - Willem Van de Wiele
 
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
20190316 - CLBFest - Blockchain is WTF - Gerrie Smits
 
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
20190316 - CLBFest - 1337 to legal - Koen Vingerhoets
 
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen
 
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
20190316 - CLBFest - Cryptocurrencies and tax - Hendrik Putman
 
20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practice20190221 Algorithmic transparency and accountability in practice
20190221 Algorithmic transparency and accountability in practice
 
20190221 Data subject rights in practice
20190221 Data subject rights in practice20190221 Data subject rights in practice
20190221 Data subject rights in practice
 
20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements20180619 Controller-to-Processor agreements
20180619 Controller-to-Processor agreements
 
20180607 - Tech Summit presentation
20180607 - Tech Summit presentation20180607 - Tech Summit presentation
20180607 - Tech Summit presentation
 
20180317 CLBfest 2018 - Trase
20180317 CLBfest 2018 - Trase20180317 CLBfest 2018 - Trase
20180317 CLBfest 2018 - Trase
 
20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentation20171108 IAPP Congress - Privacy by Design presentation
20171108 IAPP Congress - Privacy by Design presentation
 
20170601 - Digital festival presentation
20170601 - Digital festival presentation20170601 - Digital festival presentation
20170601 - Digital festival presentation
 
20170801 GDPR Q&A intro
20170801 GDPR Q&A intro20170801 GDPR Q&A intro
20170801 GDPR Q&A intro
 
20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)20170620 MEETUP intro to blockchain and smart contracts (2)
20170620 MEETUP intro to blockchain and smart contracts (2)
 
20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptions20170620 MEETUP smart contracts proof of concept for prescriptions
20170620 MEETUP smart contracts proof of concept for prescriptions
 
20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)20170620 MEETUP intro to blockchain and smart contracts (1)
20170620 MEETUP intro to blockchain and smart contracts (1)
 
20170418 MEETUP on Creative Commons
20170418 MEETUP on Creative Commons20170418 MEETUP on Creative Commons
20170418 MEETUP on Creative Commons
 
20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehicles20170122 MEETUP on autonomous vehicles
20170122 MEETUP on autonomous vehicles
 

Recently uploaded

Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 

Recently uploaded (20)

Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 

20171106 - Privacy Design Lab - LINDDUN

  • 1. Towards GDPR Compliance with LINDDUN Aram Hovsepyan Kim Wuyts https://www.facebook.com/LINDDUN.privacy/ https://twitter.com/linddun https://linddun.org
  • 2. 2 2 Large team of professionals § 12 faculty members § 8 research managers § 15 postdocs § 50 PhD Students § Business office Project-centric research § fundamental research at the core § strategic basic research § applied research with industry § contract research Distributed Software Software engineering Secure Software
  • 4. COMPLIANCE GDPR Compliance 4 LEGALLEGALTECHNICAL LIN DDUN › Functional › “Appropriate technical measures…” Right to be forgotten ✔ Right to information ✔ Right to access ✔ Right to rectification ✔ Right to object ✔ Right to data portability ✔
  • 5. LINDDUN background › Developed before the GDPR hysteria › Scientifically renown › Industrially accepted (ISO27550) 5
  • 6. LINDDUN › Technical data protection impact assessment methodology › Threat modeling framework › System description › Threat elicitation › Threat management / mitigation 6
  • 7. LINDDUN* Framework › Step 1: describe the system › create a data flow diagram (DFD) › describe all data › Step 2: elicit threats/risks › map threats to DFD elements › identify threats using attack trees › Step 3: manage threats/risks › prioritize in dialog with the DPO › mitigate using a taxonomy of PETs 7* We present a modified version of LINDDUN
  • 8. Step 1: Create the Data Flow Diagram 8
  • 9. Step 1: Create the Data Flow Diagram 9 Cloud Server 1. User 2. Administrator Back-endFront-end 9. Authentication 4. Overall database 6. Authentication 5. Portal facade 8. Portal facade 11. Mail server 7. Chat 10. Chat 13. HTTPS12. HTTPS 3. Ops 14. SSH 15 16 17 18 19 20 21 22 23 24 25 26. Logging 27. Imitate
  • 10. Step 1: Describe all data › Databases › Files › Logs › apache logs 10
  • 11. › Linkability › Identifiability › Non-repudiation › Detectability › Disclosure of Information › Unawareness › Non-compliance Step 2: Elicit threats 11
  • 12. Step 2: Elicit threats 12 Security/Privacy mavens Experts in other areas LINDDUN AttackTrees Checklists CAPEC STRIDE
  • 13. Step 2: Map threats to DFD elements 13 Linkability Identifiability Non-repudiation Detectability Information Disclosure Content Unawareness Policy&Consent Non-compliance Data store X X X X X X Data flow X X X X X X Process X X X X X X Entity X X X MAPPINGTEMPLATE
  • 14. Assumptions › Pre-conditions / invariants that invalidate threats, e.g.: › non-repudiation threats often not applicable › secure communication (https A+ grade) › identifiability and linkability threats not be applicable to closed systems 14
  • 15.
  • 16. Step 2: Identify threat scenarios using attack trees 16
  • 17. Step 2: example 17 Threat 1 Using the forgot password feature we can identify a system user. DFD 4 (Detectability). Description Forgot password feature asks the email address of the user and after resetting the password says that a reset password email is successfully sent to the user. This could lead to identifiability problems where an attacker can easily check whether the user has a registration within the platform. Countermeasure None Likelihood Limited Impact Negligible Action point Modify the forgot password feature to always produce the same message making it impossible to figure out whether the user with the specified email address exists or not. Reference D_p (12)
  • 18. Step 2: example 18 Threat 3 Storing a complete log of user actions. DFD 4 (Identifiability, Linkability, Unawareness, Non-compliance) Description All user actions are logged in the system for statistical purposes. This poses a significant privacy threat for a number of categories, such as, unawareness and non-compliance. Note that even if this data is anonymized, the threats for identifiability and linkability remain as we could match the user last login time and figure out the user log actions. Countermeasure None Likelihood Maximum (administrators can always have a look at the complete log). Impact Limited (to be discussed with DPOs). Action point • Make sure the privacy policy reflects that a detailed log is collected. • Keep the log, but drop the link to the users (impossible to track teams). • Reduce the time accuracy for the logs (e.g., keep only the action hour, and not the minute and second). Reference L_ds6, I_ds5, I_ds6, U_2, NC_3 (4)
  • 19. Step 3: Manage threats › Accept › Mitigate › Avoid › Transfer 19
  • 20. Step 3: Manage threats 20
  • 21. Step 3: Manage threats
  • 22. Step 3: Manage threats
  • 23. LINDDUN › Systematic technical data privacy impact assessment framework › Solid scientific foundation › 30 years security research › 10 years privacy research › Collaborative effort with COSIC and CiTiP › Validated through empirical studies and pilot projects 23 https://linddun.org