Data privacy is one of the major driving forces behind application and information security. Organizations constantly work to ensure that the private data of their customers, employees, and partners is secure; but what exactly is private data? Put simply, private data is information relating to a person or entity that should not be publicly known. For a person, examples are a date of birth or a social security number; for an organization, trade secrets or executive stock holdings.
How is Private Data Protected?
There are many ways to protect private data from compromise: encrypting it at rest, encrypting it in transit, and restricting who can access it. These are all sound approaches for securing the data itself, but what about the path the data takes from one application service to another? With the increasingly complicated nature of modern applications and fast-moving CI/CD pipelines, it is difficult to know where private data comes from and where it is going. An application architecture in production can easily drift away from the design that was approved during development, allowing unanticipated and unauthorized access to private data.
Compliance Mandates for Specific Types of Private Data
Several standards and compliance mandates describe what kinds of private data need to be protected.
Some Examples of Data Privacy Standards from TechTarget:
Children’s Online Privacy Protection Act (COPPA) – gives parents control over what information websites can collect from their kids.
Health Insurance Portability and Accountability Act (HIPAA) – sets privacy and security requirements for protected health information (PHI) held by healthcare providers, health plans, clearinghouses, and their business associates.
Electronic Communications Privacy Act (ECPA) – extends government restrictions on wiretaps to include electronic data transmissions.
Video Privacy Protection Act – prevents wrongful disclosure of an individual’s personally identifiable information stemming from their rental or purchase of audiovisual material.
Gramm-Leach-Bliley Act – mandates how financial institutions must deal with the private information of individuals.
Payment Card Industry Data Security Standard (PCI DSS) – a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.
Data Flow Diagrams are Essential to Securing Private Data
Data Flow Diagrams, or DFDs, are a way to map how private data flows between the services in your application. The problem is that creating a DFD for an application or system is typically a manual process: first define the data flow components, then map how they interact with each other. The mapping uses a small set of shapes, each with a specific meaning.
Examples of DFD shapes and their meaning:
External entity – a rectangle; a user or system outside your control that sends or receives data.
Process – a circle or rounded rectangle; a service or component that transforms data.
Data store – two parallel lines or an open-ended rectangle; a database, file, queue, or cache where data is at rest.
Data flow – an arrow; the movement of data between the other elements, labeled with the data it carries.
Trust boundary – a dashed line (used in threat-modeling DFDs); the point where data crosses between zones of differing privilege or control, and where it is most at risk.
The Problem with DFDs
As you can imagine, creating a complete DFD for a complex modern application is time-consuming and cannot keep up with current CI/CD pipelines. Add to that the subjective nature of manual DFD creation: it relies on the tribal knowledge and expertise of the person or persons drawing the diagram, and if they are missing some information, the final DFD is flawed through no fault of their own. Don't get me wrong; I am a big fan of the information DFDs provide. Organizations need to keep the sensitive data in their applications secure, and it is imperative to understand where that data comes from and where it goes. One missed data flow could lead to the loss or unauthorized use of private data. The problem is that DFDs are created by hand and cannot scale with the speed of modern CI/CD pipelines.
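To make two of the points above concrete (the production architecture drifting from the approved design, and a single missed flow letting private data escape), here is a small DFD-as-code model. It is an added example written for this article, not code from the original post or from any ASPM product; the service names, trust zones, data labels, and flows are all constructed, and the SENSITIVE label set is an assumption. It runs the two checks a reviewer would otherwise do by eye on a diagram: does any sensitive label leave its trust zone over an unencrypted channel, and does production carry a sensitive flow that the approved DFD never had?

```python
"""Minimal DFD-as-code with two checks: sensitive data crossing a trust
boundary in the clear, and production flows that were never in the
approved design. Added illustration for this article; not code from the
original post or from any ASPM product. All services, zones and flows
below are constructed for the example."""
from dataclasses import dataclass

# Assumed data-classification labels that count as private data.
SENSITIVE = {"ssn", "dob", "pan"}


@dataclass(frozen=True)
class Flow:
    src: str                 # sending service
    dst: str                 # receiving service
    data: frozenset          # data labels carried on this flow
    encrypted: bool = True   # channel is TLS-protected


def check_boundaries(flows, zone):
    """Return (src, dst, label) for every sensitive label that crosses a
    trust boundary on an unencrypted flow. `zone` maps service -> trust zone."""
    findings = []
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        if crosses and not f.encrypted:
            for label in sorted(f.data & SENSITIVE):
                findings.append((f.src, f.dst, label))
    return findings


def check_drift(approved, observed):
    """Return observed flows carrying sensitive data that no approved flow
    covers. An approved flow covers an observed one when it has the same
    endpoints and carries at least the same labels."""
    drift = []
    for o in observed:
        if not (o.data & SENSITIVE):
            continue
        covered = any(a.src == o.src and a.dst == o.dst and o.data <= a.data
                      for a in approved)
        if not covered:
            drift.append(o)
    return drift


def sensitive_endpoints(flows, label):
    """Every service that sends or receives `label`: the 'where is it going' question."""
    return sorted({s for f in flows if label in f.data for s in (f.src, f.dst)})


# Constructed sample architecture: which trust zone each service lives in.
ZONE = {"web": "dmz", "api": "app", "db": "data",
        "analytics": "reporting", "vendor": "internet"}

# The DFD as approved during design.
APPROVED = [
    Flow("web", "api", frozenset({"ssn", "dob"})),
    Flow("api", "db", frozenset({"ssn", "dob"})),
]

# What is actually deployed: two flows nobody drew on the diagram.
OBSERVED = APPROVED + [
    Flow("api", "analytics", frozenset({"dob"}), encrypted=False),  # plaintext, new zone
    Flow("analytics", "vendor", frozenset({"dob"})),                # leaves the organization
]

if __name__ == "__main__":
    for src, dst, label in check_boundaries(OBSERVED, ZONE):
        print(f"plaintext {label} crosses {ZONE[src]} -> {ZONE[dst]} on {src} -> {dst}")
    for f in check_drift(APPROVED, OBSERVED):
        print(f"drift: {f.src} -> {f.dst} carries {sorted(f.data)} but is not in the approved DFD")
    print("dob reaches:", sensitive_endpoints(OBSERVED, "dob"))
```

Run as-is, the approved design passes both checks, while the observed flows produce one plaintext finding (a date of birth crossing from the app zone to the reporting zone on api -> analytics) and two drifted flows, the second of which hands that date of birth to a third party the approved DFD never mentioned. The approved list is the diagram you drew by hand; the observed list is what an automated inventory of the deployed services would have to supply for the comparison to keep pace with CI/CD.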
Application Security Posture Management is a Modern Approach to Data Flow Mapping
Application Security Posture Management, or ASPM, automates the identification of every data flow in an application architecture. It does this through agentless collection of the deployed application artifacts, reverse engineers them, and then maps all the identified application services and their associated data flows. The resulting data flow maps are code-accurate, automatically generated, and can keep up with modern CI/CD processes.
Why Should I Care?
To keep the sensitive data your applications process every day secure, you must understand how it moves through your application architecture from one service to another. Securing the sensitive data itself is not enough. ASPM is the modern, automated way to understand completely where data came from and where it is going in your applications. Without it, you have a significant gap in the security posture of your production applications.