5 Security Practices Tech Businesses Need to Comply with CCPA

Jon McLachlan
3 min read · Jan 19, 2020


Affected Businesses

CCPA applies to businesses that serve California residents and that meet at least one of these conditions:

  • Collect the personal information of at least 50,000 users
  • Have annual revenues above $25M
  • Receive at least 50% of their revenue from selling data

What’s in the Law?

If you look only at the data security requirements of CCPA, the practices it outlines are unfortunately vague. Businesses must,

“maintain reasonable security procedures and practices”

But what does that mean? What follows are five simple, practical, and low-cost mechanisms that can help ensure that your business is CCPA compliant.

#1 Encrypt Your Sensitive Data

Encrypting sensitive data demonstrates reasonable security practice. However, it’s tough to get right.

In short, when you build a data security system, you find yourself juggling a chain of secret management problems. The problems go something like this: “If you want to encrypt, you need keys that segregate risk. Now that you have the right keys, you need key lifecycle management and dynamic controls. Now your customer noticed you’re encrypting data, and they want to own their keys on-prem.”

Instead of reinventing this wheel in-house, you may consider a turnkey data security solution, such as https://peacemakr.io, which solves all the hard problems.

#2 Externalize your Authentication

Instead of juggling usernames and passwords yourself, let the experts help you out for free.

The OpenID Connect protocol externalizes authentication. Of course, it also requires a trusted Identity Provider, such as Google Identity Platform. This way, you're almost entirely off the hook for any authentication-related breaches that occur at the third-party Identity Provider. However, if you decide to build a home-baked login scheme, all authentication breaches are on you (and heavy fines will follow).

Besides, I have never met a user that wants to juggle yet another username and password.

#3 Run Up-To-Date Software In Your Cloud

When the software you run is known to be vulnerable, your business may be held liable for negligence.

Spinnaker is an excellent CI/CD solution that continuously deploys the latest software to any cloud environment. Strong policies to rebuild and redeploy production environments regularly also help mitigate risk. For example, even if the service itself does not change, a daily build against the latest stable Docker images reduces the risk of running services with known CVEs. Taking it one step further, a static analyzer such as Clair or Snyk.io verifies that your software does not contain known CVEs.

#4 Prevent Data From Leaking

Use a firewall to block network traffic that shouldn't be there. Use a Data Loss Prevention solution to detect the loss of sensitive data. Or, better still, use next-gen data tracing solutions, such as the one being developed by Akita Software, to map the complex and dynamic flows within your system.

Investment in basic network design will pay off in this domain. For example, a database should only be accessible from the service that depends on it. An exposed service’s API should only be publicly available behind an API Gateway such as NGINX or HAProxy, and finally, a load balancer should protect the API Gateway. These simple networking rules are an effective mechanism to prevent intrusions.
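The three networking rules above, written out as a policy-as-code check. This is an added illustration, not code from the original post: it declares each component's permitted ingress sources and reports any source the rules do not allow, so a topology can be checked before it is deployed. The component names, the `INTERNET` label and the sample layouts are constructed assumptions.

```python
from dataclasses import dataclass, field

INTERNET = "0.0.0.0/0"  # ingress source meaning "anyone on the internet"

@dataclass
class Node:
    name: str
    kind: str  # "lb", "gateway", "service" or "db"
    allows_from: set = field(default_factory=set)  # sources permitted to connect
    depends_on: set = field(default_factory=set)   # databases this service uses

def check_topology(nodes):
    """Return the list of rule violations; an empty list means the layout passes."""
    kinds = {n.name: n.kind for n in nodes}
    db_users = {}  # database -> services that declared a dependency on it
    for n in nodes:
        for db in n.depends_on:
            db_users.setdefault(db, set()).add(n.name)
    findings = []
    for n in nodes:
        if n.kind == "db":  # rule 1: only the dependent service reaches the database
            bad = n.allows_from - db_users.get(n.name, set())
        elif n.kind == "service":  # rule 2: the API is exposed only via the gateway
            bad = {s for s in n.allows_from if kinds.get(s) not in ("gateway", "service")}
        elif n.kind == "gateway":  # rule 3: only the load balancer reaches the gateway
            bad = {s for s in n.allows_from if kinds.get(s) != "lb"}
        else:  # the load balancer is the single public entry point
            bad = set()
        if bad:
            findings.append(f"{n.name} ({n.kind}) reachable from {sorted(bad)}")
    return findings

# Constructed sample: a layout that "works" but breaks every rule above.
WEAK = [
    Node("lb", "lb", {INTERNET}),
    Node("gateway", "gateway", {"lb", INTERNET}),            # gateway can be bypassed
    Node("orders", "service", {"gateway", INTERNET}, {"orders-db"}),
    Node("orders-db", "db", {"orders", "billing"}),          # billing never declared a need
    Node("billing", "service", {"gateway"}),
]
# The same layout with ingress trimmed to what the rules allow.
HARDENED = [
    Node("lb", "lb", {INTERNET}),
    Node("gateway", "gateway", {"lb"}),
    Node("orders", "service", {"gateway"}, {"orders-db"}),
    Node("orders-db", "db", {"orders"}),
    Node("billing", "service", {"gateway"}),
]
```

Running `check_topology(WEAK)` yields one finding per bypass (the exposed gateway, the directly reachable orders API, and the billing service reaching a database it never declared), while `check_topology(HARDENED)` returns an empty list.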

#5 Audit and Log Everything

When bad things happen, you need visibility into precisely how they unfolded.

Perhaps more importantly, you need to be able to detect anomalies in real time, so that you can identify malicious actors in your system. This way, no matter what security events transpire, there's not only a forensic trail but also a detection mechanism in place. There are plenty of logging and alerting solutions out there, including Splunk, Logstash, Graylog, and amixr.


Written by Jon McLachlan

Founder of YSecurity. Ex-Apple, Ex-Robinhood, Ex-PureStorage. Lives in Oakland. Athlete.
