Disagree with "I Agree"

•

0 likes•48 views

This is a talk on enforcing better GDPR compliance, user data privacy, and “security by design” principles through the language and visual components of API documentation. Practical and immediately applicable tips and insights from a Technical Writer working in data security.

Disagree with “I Agree”
Karen Sawrey
Technical Writer @ Cossack Labs
cossacklabs.com
Enforcing Better GDPR Compliance
Through API Documentation

Cossack Labs — British-Ukrainian company

Cossack Labs. Convenient cryptographic tools

Don’t steal.
Governments hate competition.
— Anonymous

Timeline of data privacy regulations in the EU
24 October
1995
25 May
2018
Directive [...] on the protection of individuals with regard to the
processing of personal data and on the free movement of such
data
GDPR

The vicious circle of ignored documentation
Docs
too hard to
read
People don’t
read
the docs
Why bother?
Nobody reads
docs anyway.

Tailoring documentation
and API docs/tutorials for
better GDPR compliance

The secret life of docs:
beyond the surface

It’s never “just” an email or a
“disposable” password.

Types of data according to GDPR
Personal
data

Types of data according to GDPR
Personal
sensitive
data
Personal
data

Secure
Password
management
Rainbow tables
and dictionary
attacks
vs.

The great hard answer to life, the universe, and
everything, according to GDPR:
Treat any information of
your users as sensitive

Keep your sandbox user data clean.
Or else.

With a right “why”,
You’ll find your “how”

Welcome!
You're part of the security
team now.

Welcome!
You're part of the security
team now.
We all are.

Further reading
GDPR FOR ENGINEERS: IMPLEMENTING RIGHTS
AND SECURITY DEMANDS

WHAT DO WE REALLY NEED TO ENCRYPT.
CHEATSHEET
Further reading

Karen Sawrey
karen@cossacklabs,com
@krnswry
www.cossacklabs.com
@CossackLabs
Professor Felix
Is here! Ask me for
a sticker! ;)

Bring out the hacker in you by trying out Security Innovation’s Hacking CyberRange – specially designed web applications with real world vulnerabilities. A parallel class session will also teach novices about how to uncover simple vulnerabilities and evolve into uncovering more complex vulnerabilities. You can simply sit and learn or get straight to hacking our application or follow along and do both. Live scores of participants will be displayed.

New security solutions for next generation of IT

DATA SECURITY SOLUTIONS

Cert Overview

mattnik

Cloud computing tp nyprekubatortto

Your data is showing

Madison Kerndt

Is your application private by design and by default? Once an afterthought, privacy is now a critical software requirement. In this talk, you will learn about: * Emerging privacy regulations (GDPR & CCPA) * Privacy rights and how they impact your software (transparency & revocation) * How to architect data privacy into your applications After this talk, you will know how to build your app with data privacy and security in mind.

Forecast 2012 Panel: Cloud Regulation Deborah Salons

Open Data Center Alliance

Deborah Salons Attorney and CIPP Panelists: Brett Smith, Deutsche Bank José E. González, Chief Business Development Officer Trapezoid Digital Security Services, LLC Gordon Haff, Cloud Evangelist, Red Hat Marvin Wheeler, Chairman and Secretary, Open Data Center Alliance Cloud Regulation Concerns The regulatory umbrella consists of: Government regulations, industry regulations and internal corporate policies No official body of "cloud law;" regulations environment includes a list of laws and agencies International Regulations: Regulations are not harmonized worldwide, and enterprises must be aware of regulations in their own country as well as other countries their business may touch. Consumer Privacy Laws: Different regulations will apply depending on what type of information you are collecting (“big data”), how you are collecting and storing the information and how you dispose of it. Data Breach and Cybersecurity considerations: Data breach regulations, which apply to enterprises in and out of the cloud, present a challenge as the regulations vary from state to state, including nuances such as what defines a breach and what kind of mitigation and notification needs to take place.

As security practitioners, we often get caught up worrying about protecting against the latest threat or patching the latest zero-day, however we should spend at least an equal amount of time understanding the data risks of our users and how to offer both better visibility into endpoint data usage, as well as guidance into good data protection practices. There are a number of different products and vendors that touch on these aspects, but there is no one-stop shop for data protection, and likely never will be. DLP, or Data Loss Prevention, can look at known content types for matches and take protective actions. However, most DLP deployments never moved beyond monitoring due to over-blocking or false positive concerns. Endpoint employee monitoring can take good forensic information, even screenshots to recreate evidence of either inappropriate data usage, or other significant events, though these types of technology are often cumbersome, hard to realize the value and present some serious privacy and ethical concerns. EDR or Endpoint Detection and Response is very threat-focused, with a severe limit on data visibility, and often does little more than capture a checksum of a file, with no content inspection or awareness. UEBA, or User and Entity Behavior Analytics, can often be deployed in conjunction with SIEM or log management capabilities to get a better contextual view of your organization, however, you must first have some semblance of “normal” or a baseline before you can uncover abnormal. Organizations should begin building the case for stronger endpoint data visibility. This improved data visibility must be easy to use, fast to provide actionable answers, not impede other endpoint security capabilities, and most importantly provide the financial impact of endpoint data and the decisions that users make with that data.

Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins

North Texas Chapter of the ISSA

Intelligent Cybersecurity for the Real World

NetCraftsmen

Tony Hodgson (Brainwaive): Your Enterprise is Under Attack: Cyber Security Es...

AugmentedWorldExpo

A talk from the Work Track at AWE USA 2017 - the largest conference for AR+VR in Santa Clara, California May 31- June 2, 2017. Tony Hodgson (Brainwaive): Your Enterprise is Under Attack: Cyber Security Essentials for Wearable AR How secure are wearable AR devices? What new invisible routes will malicious actors take to dodge defenses and infect your network? How should your IT team address emerging AR systems? This presentation reviews findings from the seminal study on cyber security for mobile, wearable enterprise AR solutions. The study team helps companies understand what's under the hood of these unique and powerful devices, categorizes potential risks, and identifies effective mitigation postures. A security framework & device testing protocol is presented, and a "Rosetta Stone" common language is introduced for rapidly - and securely - injecting this valuable technology into your enterprise environment. http://AugmentedWorldExpo.com

Segurity Empower Business

Nextel S.A.

Gdpr encryption and tokenization

Ulf Mattsson

Flutter SV Meetup Oct 2022 - End to end encrypted IoT with Dart and Flutter

Chris Swan

Nimbox presentation

Jason Newell

6DCP Presentation 2016Eddie Cohen

Trustleap - Mathematically-Proven Unbreakable Security

TWD Industries AG

TechInAsia PDC 2019 - Unlocking The Potential of IoT with AI

Andri Yadi

Nice, France Talk. Working in the Cloud, 2011

John Mayfield

Infragard atlanta ulf mattsson - cloud security - regulations and data prot...

Ulf Mattsson

Privacy is a UX problem (David Dahl)

Future Insights

Session slides from Future Insights Live, Vegas 2015: https://futureinsightslive.com/las-vegas-2015/ So many network intrusions, so many email spools made public. Remember HBGary, Stratfor, 'The Fappening', Sony Pictures hacks? How about the Snowden Files? The potential liabilities of communicating in plain text has become too expensive to continue to do so. Zero-Knowledge systems can be made useful, elegant even. The problem with putting privacy first in our communications tools is that most of the existing privacy applications were created by crypto-nerds, most of whom have never overlapped with the world of UX. In this talk, Privacy will be put at the core of application design by way of new metaphors for arcane cryptography jargon (that few endusers understand). Using frameworks and services created for this new 'privacy first' era, your application can be built in a way that removes liability, is regulatory-compliant and elegant.

OpenValue Meetup 24-11-2020 - Stream Machine

Robin Trietsch

Your Smart Scale Is Leaking More than Your Weight

Checkmarx

Intergen Convergence 2017 - Keeping safe, staying safe

Intergen

Security & Compliance

Amazon Web Services

Webinar Security: Apps of Steel transcriptionService2Media

Working in the Cloud for the CRB

John Mayfield

What's hot

Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08Michael Boman

Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq

North Texas Chapter of the ISSA

Making the Case for Stronger Endpoint Data Visibility

dianadvo

Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins

North Texas Chapter of the ISSA

Intelligent Cybersecurity for the Real World

NetCraftsmen

Tony Hodgson (Brainwaive): Your Enterprise is Under Attack: Cyber Security Es...

AugmentedWorldExpo

Segurity Empower Business

Nextel S.A.

What's hot (7)

Privacy In Wireless Networks Keeping Your Private Data Private 2008-08-08

Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq

Making the Case for Stronger Endpoint Data Visibility

Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins

Intelligent Cybersecurity for the Real World

Tony Hodgson (Brainwaive): Your Enterprise is Under Attack: Cyber Security Es...

Segurity Empower Business

Similar to Disagree with "I Agree"

Gdpr encryption and tokenization

Ulf Mattsson

Flutter SV Meetup Oct 2022 - End to end encrypted IoT with Dart and Flutter

Chris Swan

Nimbox presentation

Jason Newell

6DCP Presentation 2016Eddie Cohen

Trustleap - Mathematically-Proven Unbreakable Security

TWD Industries AG

TechInAsia PDC 2019 - Unlocking The Potential of IoT with AI

Andri Yadi

Nice, France Talk. Working in the Cloud, 2011

John Mayfield

Infragard atlanta ulf mattsson - cloud security - regulations and data prot...

Ulf Mattsson

Privacy is a UX problem (David Dahl)

Future Insights

OpenValue Meetup 24-11-2020 - Stream Machine

Robin Trietsch

Your Smart Scale Is Leaking More than Your Weight

Checkmarx

Intergen Convergence 2017 - Keeping safe, staying safe

Intergen

Security & Compliance

Amazon Web Services

Webinar Security: Apps of Steel transcriptionService2Media

Working in the Cloud for the CRB

John Mayfield

Pre-Quiz Symantec Endpoint Encryption

Matt Dawdy

AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...

Amazon Web Services

Jet Propulsion Laboratory is a well-known innovator in outer space, particularly in its search for "life out there". JPL is now innovating in the physical space to improve “life here". AWS IoT is critical to their innovations. See a re:Invent preview about how JPL, as an early adopter of AWS IoT, has prototyped voice control to ask questions of the room, the budget, or the system. They’ve also used it for controlling lights and sound to detect cyber security threats, rapid prototyping of robots, low-cost virtual windows to the outside, and much more. The results have been excellent. JPL will demonstrate and talk about these prototypes, including what worked and what didn’t. They will also share the promise integrated serverless computing holds.

Secure Cloud For Legal Professionals

ZitaAdlTrk

Digital spectacle by using cloud computing

Mandar Pathrikar

Accelerate your Cloud journey with security and compliance by design - Margo ...

Net4All

Similar to Disagree with "I Agree" (20)

Gdpr encryption and tokenization

Flutter SV Meetup Oct 2022 - End to end encrypted IoT with Dart and Flutter

Nimbox presentation

6DCP Presentation 2016

Trustleap - Mathematically-Proven Unbreakable Security

TechInAsia PDC 2019 - Unlocking The Potential of IoT with AI

Nice, France Talk. Working in the Cloud, 2011

Infragard atlanta ulf mattsson - cloud security - regulations and data prot...

Privacy is a UX problem (David Dahl)

OpenValue Meetup 24-11-2020 - Stream Machine

Your Smart Scale Is Leaking More than Your Weight

Intergen Convergence 2017 - Keeping safe, staying safe

Security & Compliance

Webinar Security: Apps of Steel transcription

Working in the Cloud for the CRB

Pre-Quiz Symantec Endpoint Encryption

AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...

Secure Cloud For Legal Professionals

Digital spectacle by using cloud computing

Accelerate your Cloud journey with security and compliance by design - Margo ...

More from Pronovix

By the time they're reading the docs, it's already too late

Disagree with "I Agree"

Recommended

Recommended

More Related Content

What's hot

What's hot (7)

Similar to Disagree with "I Agree"

Similar to Disagree with "I Agree" (20)

More from Pronovix

More from Pronovix (20)

Recently uploaded

Recently uploaded (20)

Disagree with "I Agree"