Six Pillars Of Security, #5: Controlling External Risk

Once data leaves your system, your ability to control it rapidly diminishes. However, there are steps you can take to mitigate the risks:

  • Only giving clients the data they require
    • For example, with a centralized service application this would involve analyzing what each client needs, and applying logic so that they only receive that information.
  • Actively engaging with client teams, asking them about security, guiding them. Even though the data has left your system, it is still your data and you need to ensure others are being careful with it.

  • You can’t allow other teams to rely on you for validation, especially clients providing data; this would effectively cripple any attempts by them to validate new changes on their front end, which can lead to them not validating at all.
  • Sometimes getting a client to understand what data is ‘toxic’ and what data isn’t is more effective than trying to validate everything.
  • Basic Action Points For A Team:
    • Identify which parts of your data are actually sensitive. This might be more than you initially thought.
    • Identify what parts of your data are ‘toxic’ (e.g., can’t be considered trustworthy), and make sure that clients understand that.
    • Investigate what data your clients actually need, especially with regards to sensitive data.
    • Talk to other teams and see how they are validating, etc.
    • Apply filtering if appropriate.
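
The filtering and 'toxic' labelling steps above can be combined in one place at the service boundary. The sketch below is an added example, not code from the original post; the client names, field names, classifications and sample record are all hypothetical.

```python
from __future__ import annotations
from typing import Any

# Constructed classification for a hypothetical customer record.
SENSITIVE = {"email", "date_of_birth", "account_number"}
TOXIC = {"display_name", "bio"}  # user-supplied, so not trustworthy as-is

# Per-client allowlists: the outcome of asking each client what it needs.
CLIENT_FIELDS: dict[str, set[str]] = {
    "billing-ui": {"id", "display_name", "account_number"},
    "public-profile": {"id", "display_name", "bio"},
}


def view_for(client: str, record: dict[str, Any]) -> dict[str, Any]:
    """Return only the fields this client is allowed to receive."""
    allowed = CLIENT_FIELDS.get(client)
    if allowed is None:
        # Deny by default: an unknown client gets nothing, not everything.
        raise PermissionError(f"no field policy for client {client!r}")
    data = {k: v for k, v in record.items() if k in allowed}
    # Tell the client which of the values it received are 'toxic'.
    untrusted = sorted(k for k in data if k in TOXIC)
    return {"data": data, "untrusted_fields": untrusted}


def sensitive_exposure() -> dict[str, list[str]]:
    """List the sensitive fields each client receives, for periodic review."""
    return {c: sorted(f & SENSITIVE) for c, f in CLIENT_FIELDS.items()}


# Constructed sample record.
RECORD = {
    "id": 42,
    "display_name": "<b>Sam</b>",
    "bio": "hello",
    "email": "sam@example.com",
    "date_of_birth": "1990-01-01",
    "account_number": "ACC-0001",
}

if __name__ == "__main__":
    print(view_for("public-profile", RECORD))
    print(sensitive_exposure())
```

The allowlist is keyed by client, so adding a field to a record does not expose it to anyone until a client's entry is deliberately updated.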
