Six Ways to Show Users Their Personal Data is Safe

February, 2012

A115 Software Security Research Division

Owners of a social networking platform or any large online community know very well what their most valuable asset is. It doesn't appear on any balance sheet, but without it their company would be bankrupt. It's not their users. It's not even the massive amounts of valuable user data that they collect.

It is their users' trust. Millions of people trust their website every day, sharing huge volumes of personal information, including streams of data about daily activities, likes and habits, as well as those of their friends or connections.

Whether you run a platform headed to become Facebook's future replacement, or a successful e-commerce site serving a geographically-confined niche community, your user's trust is critically important to your online business.

So how do you justify their trust? What can you do to demonstrate (and not just tell) to your users that their privacy is really being protected and their data is not lightly shared with questionable third parties, whether intentionally or by accident?

Based on our experience at A115, working with clients of different sizes and even more diverse business domains, we have identified six basic, practical steps that you can take towards ensuring your users' peace of mind. Nowadays it seems to be common wisdom among site owners that the most they can do in this direction is to publish a well-defined Privacy Policy, crafted or at least approved by the folks in legal. You, however, demand more from your team. So read on.

1. Security is the Foundation. Build it in from the get-go.

When it comes to online software, electronic payments and communication systems, security is never something that you want to add as an afterthought. Adding "security measures" to a platform that wasn't designed with security in mind to begin with simply doesn't work. You have to build security right in as the foundation of your software. Skip this step, and nothing else you do even matters. You can have an army of lawyers working day and night on assuring your customers that their data is safe and protected, right up to the point where a security breach is picked up by someone in the media. At that point, it doesn't matter what you do.

It happens to the best of the best. Do a search on Google News and you will be flooded with stories about leaked credit card information and sensitive customer data, usually in staggering volumes. And the victims are often some of the most well-established, trusted brands. You don't even get to hear about the countless smaller incidents (but we do).

Protecting user data begins by having a comprehensive information security management program in place, and a software development process that reinforces it. Issues such as access control, reliable audit trail, suitable data encryption, enforceable password security policy, proper input validation and network protection against common attack vectors must be considered at the design stage and throughout every development phase.

So what do you do if your platform is already serving many customers each day, but you know the fundamentals are not sound? Luckily, adopting an agile development methodology even at this stage can help make rapid, incremental changes to your software and business processes that would soon lead you to a point where you can really make well-grounded, confident statements about the security and privacy of your user data.

2. Security is a Process. Keep improving!

Even if you've built a Fort Knox at launch time, that doesn't guarantee smooth sailing. Security is a process (something you keep doing), not a product (something you buy once and are done with). Having good security doesn't mean having an unbreakable system, because there are no closed systems anymore that you can completely secure. The nature of cyberspace is such that in order to be of any use at all, a system (a site, a platform, a software solution) must be open and interact with many other systems. In this context, security is the process of continuously balancing risk against budget. It is a matter of making frequent, informed decisions about how to handle possible risks and threats. And there are only three ways to handle a risk. You can either:

  1. use your resources to protect against a particular risk;
  2. transfer the risk to a third party (e.g. any form of insurance); or
  3. understand and accept the risk.

Even with the smartest of risk management, incidents happen. If you have a security breach, analyze what went wrong, evaluate the impact and determine how to prevent the same thing from happening in the future or to at least minimize the impact.

3. Your Privacy Policy: Keep it Simple.

A good privacy policy tells people what data you are collecting about them, how you are going to use it, and for how long, in plain language. Taking the extra effort to create and publish a simple, readable privacy policy tells users you are serious about protecting their personal data and builds trust. Issues that need to be covered include but are not limited to:

  • data collection policies;
  • data transmission and storage;
  • intended use;
  • internal data access policies;
  • policies for sharing user data with third parties;
  • interactions between your Terms of Use and the Privacy Policy.

Your privacy policy should also cover what happens in the event of a security breach. Certain US states have specific laws governing when and how users must be notified if their data is stolen. Make sure your privacy policy covers these cases. A good lawyer will be your best resource here.

Remember that privacy-conscious users will also expect you to destroy their data rather than let it be sold, either now, or ever in the future, even if your company is sold or goes bankrupt.

4. The secret to a good relationship is communication.

Keep talking to your users. A corporate blog is a great tool for this, as are regular (but infrequent) e-mail updates. Don't make the mistake of using your company's blog as just another marketing platform. Make sure your users know exactly what you are doing to safeguard their personal information. Give them reasons to trust you. Be as open and transparent about what's going on inside your company as you can.

Blogging is a great way to make your users aware of just about anything related to your business. Ironically, the simplest way to instill confidence in users that you're serious about protecting their data is to be as transparent with them as possible about the issues you're facing and what you're doing about them.

Post regularly to your corporate blog and really go through how you and the developers/engineers on your team are keeping information secure. Make it authentic, detailed (as much as possible), and just be honest if something does go awry.

You can also use this channel to document work you are doing to improve the site, including security upgrades, which helps instill trust in your product. Regular updates can go a long way towards showing how genuine you are.

In addition to talking about your security measures, current threats, the mitigations you are using against them, etc., talk also about your relationships with other corporations and governments, insofar as you have any. Keep users up to date with partnerships you are pursuing and the terms of the deals. If you really want to get radical, open your books up. No one is going to accuse you of sharing their information with other companies if it can be demonstrated you aren't getting any money for doing so. Ensuring that your financial interests align with your users' privacy interests is a pretty significant demonstration of your concern.

5. Trust, but verify

Demonstrate a clear understanding of the security chain involved: what happens when a user registers, what the password requirements are, which certificates are used, where the user's data is stored and how it can be accessed. Then take the necessary steps to ensure that each link is adequately covered. This shows a command of security which in turn demonstrates to the user that you have done all you can to protect their data.

However, every security chain has weaknesses, and a system is only as secure as its weakest link. Is your certificate provider secure? Are your employees beyond reproach? What about the hosting company?

Periodically hire an independent security consulting company to audit your policies, networks and software, and to perform penetration tests. Share the redacted results with your users to show their data is being protected.

Keep an audit trail of all access to personal data inside your company. Upon request, a user should be able to see a historical trace of what type of personal data was accessed, by what entity, and when.
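As an added illustration of that audit trail (example code written for this article, not A115's or any client's own system), the log below records every read of personal data, lets a user pull their own trace, and chains entries with SHA-256 so that a deleted or altered entry is detectable. The actor and subject identifiers and the sample events are constructed for the example.

```python
import hashlib
import json
import time
from dataclasses import dataclass


@dataclass
class AccessEvent:
    ts: float         # when the access happened (Unix time)
    actor: str        # employee, internal service or partner that read the data
    subject: str      # the user whose personal data was read
    fields: tuple     # categories of personal data touched, e.g. ("email",)
    purpose: str      # stated business reason for the access
    prev_hash: str    # hash of the previous entry; chains the log together
    entry_hash: str = ""


class AuditTrail:
    """Append-only, hash-chained record of every access to personal data."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(ev):
        body = json.dumps([ev.ts, ev.actor, ev.subject, list(ev.fields), ev.purpose, ev.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, actor, subject, fields, purpose, ts=None):
        """Append one access event; returns its hash so callers can log a receipt."""
        prev = self._entries[-1].entry_hash if self._entries else self.GENESIS
        ev = AccessEvent(time.time() if ts is None else ts, actor, subject,
                         tuple(sorted(fields)), purpose, prev)
        ev.entry_hash = self._digest(ev)
        self._entries.append(ev)
        return ev.entry_hash

    def trace_for(self, subject):
        """What a user sees on request: when, who, which data, and why."""
        return [(e.ts, e.actor, e.fields, e.purpose) for e in self._entries if e.subject == subject]

    def verify(self):
        """True only if every entry still hashes correctly and the chain is unbroken."""
        prev = self.GENESIS
        for e in self._entries:
            if e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def build_sample_log():
    """Constructed sample: a few accesses to two users' data (hypothetical identifiers)."""
    log = AuditTrail()
    log.record("support-agent:42", "user:1001", ["email", "address"], "shipping query", ts=1.0)
    log.record("billing-service", "user:1001", ["card_last4"], "monthly invoice", ts=2.0)
    log.record("support-agent:42", "user:2002", ["email"], "password reset", ts=3.0)
    return log
```

Silently editing the `purpose` of a past entry breaks `verify()`, which is the property that makes the trail credible to a user or an auditor.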

Having an independent third party company conduct an annual audit against a referenceable standard is one of the most reliable ways to demonstrate that you take users' privacy seriously. Many companies, for instance, do this for ISO 27001 and PCI DSS as standard practice. With more cloud services being offered, companies are beginning to commission cloud security audits of their cloud service providers, which yield a certificate of compliance and a detailed security report they can use to answer the security questions of prospective customers. In effect, the provider has an SLA to maintain a particular security posture, which can be presented as a gap analysis against the ISO 27001 standard and is audited regularly. The goal of all such processes should be continuous improvement rather than achieving full compliance.

6. The most reliable components in any system are the ones that aren't there.

In the end, the only real way to ensure data protection is to not have the data on your systems to begin with.

Make sure when you do collect information about your users, you're doing it for a specific reason and you are not collecting more than is necessary for your business to provide value. Remember that although this data is a company asset, it is also a liability. You don't have to protect data you don't collect, so a minimalistic approach is always something to consider.

Conclusion

Data protection can be a challenging area, and one which deserves significant attention from any business owner who collects information from customers. The law in this area is universally complex, frequently unclear, and full of pitfalls for the unwary. By making sure security is a top priority from the beginning, revisiting security frequently, communicating with your users, knowing the law, and not collecting any unnecessary information, you give your users good reason to trust you. When it comes down to it, that trust is your greatest asset, so make sure you guard it closely.

About A115

A115 provides information security consulting services for world-class companies and organizations. From software security training, through research and analysis, security audits, penetration testing, monitoring and comprehensive information security management programs, we work with our clients to ensure sound fundamentals and sensible life-cycle security management for even the most mission-critical projects. Our team of veteran security professionals and our extensive global partners network positions us to deliver consistently reliable results.

Contact us today for a free consultation.

London | Dubai | Sofia
A115 has provided agile software development, IT services and consulting worldwide since 2007.