隐私保护与数据安全的区别
Written by: Shane Shown and Jake Young
撰写者: Shane Shown和Jake Young
Did you know that the first computer actually dates back to Adam and Eve? It was an Apple, with limited memory.
您是否知道第一台计算机实际上可以追溯到亚当和夏娃? 那是苹果,记忆力有限。
One single byte.
一个字节。
And then everything crashed.
然后一切都崩溃了。
I don’t know why I find that joke funny, but you have to admit — it’s amusing. What isn’t amusing, however, is what cyber security engineers do.
我不知道为什么我觉得那个笑话很有趣,但是您必须承认-这很有趣。 但是,没有什么有趣的是网络安全工程师的工作。
Want to read this story later? Save it in Journal.
想稍后再读这个故事吗? 将其保存在 Journal中 。
Security engineers deal with the momentous task of recognizing threats and flaws in software and systems. They apply their skill set to come up with solutions, and combat issues like malware, hacking, and pretty much, the full spectrum of cyber crimes. Additionally, they also help in drawing up security policies and procedures. Talk about multi-tasking.
安全工程师负责识别软件和系统中的威胁和缺陷的艰巨任务。 他们运用自己的技能提出解决方案,并应对诸如恶意软件,黑客攻击以及几乎所有网络犯罪等问题。 此外,它们还有助于草拟安全策略和过程。 谈论多任务。
But, for some reason, people tend to get confused about what security, trust, and privacy engineering entail.
但是,由于某些原因,人们往往对安全性,信任和隐私工程需要什么感到困惑。
True, there’s a certain amount of overlap between the jobs, and what’s required. However, security engineers mainly deal with applications that concern confidentiality, and the integrity of data or information.
的确,工作与要求之间存在一定程度的重叠。 但是,安全工程师主要处理涉及机密性以及数据或信息完整性的应用程序。
Whereas, privacy engineers work to produce algorithms or methods that assist in providing a satisfactory level of privacy for users of different applications.
鉴于,隐私工程师致力于产生有助于为不同应用程序的用户提供令人满意的隐私级别的算法或方法。
Lastly, trust engineers tackle techniques that help companies establish the trust of users about their services. Trust has to do with the assurance that data or processes will function in the expected ways.
最后,信任工程师采用的技术可以帮助公司建立用户对其服务的信任。 信任与确保数据或流程将以预期方式运行有关。
Most people think that a computer science background and proficiency in programming and scripting languages is a must to become a security engineer.
多数人认为,计算机科学背景以及精通编程和脚本语言是成为安全工程师的必备条件。
But you’ll be surprised to know that a lot of Chief Information Security Officers (CxO) and leaders in the Security field at the CxO level are lawyers. There’s a big debate on how that influences products and policies because a lot of lawyers try to do the “bare minimum” for what is and what is not legal.
但是,您会惊讶地发现,很多首席信息安全官(CxO)和CxO级别的安全领域负责人都是律师。 关于如何影响产品和政策的争议很大,因为许多律师试图对合法和不合法进行“最低限度的赔偿”。
Here are from pros and cons of this practice.
这是此做法的利弊。
The pros include:
优点包括:
● Having lawyers involved in the security force side of things means that companies tend to avoid lawsuits.
●让律师参与安全部队方面的事务意味着公司倾向于避免提起诉讼。
● It helps in testing the boundaries of how to make money — remember money keeps startups alive
●它有助于测试如何赚钱的界限-请记住,钱可以使初创企业保持活力
● Having a member who’s learned in the law keeps companies compliant
●拥有法律知识的成员可以使公司合规
● It can help in creating new functions or features by bending certain rules and exploring legal lacunas.
●它可以通过弯腰某些规则并探索法律空白来帮助创建新功能。
Some of the cons are:
一些缺点是:
● Ascertaining whether what company’s practices are best for their bottom line or the best interest of the end-user?
●确定哪种公司的做法最适合他们的底线或最终用户的最大利益?
● Sometimes, lawyers do not understand what they are asking from an engineering perspective and can feel like a mad scientist demanding the world. They don’t fully understand the requirements for a product feature to come into existence.
●有时,律师从工程的角度不了解他们的要求,会觉得自己像是一个疯狂的科学家,要求世界。 他们不完全了解产品功能的需求。
● Bending the rules to create features or functions may flirt with toeing the line, and raises questions about ethics. Just because you can build something doesn’t mean that you should build it.
●违反规则以创建功能部件或功能可能会轻描淡写,并引发有关道德的问题。 仅仅因为您可以构建某些东西并不意味着您应该构建它。
Even though a legal engineer acts as a kind of link between legal and technology specialists, this practice has sparked some debate in the domain.
即使法律工程师充当法律和技术专家之间的一种纽带,这种做法也引发了该领域的一些争论。
The push and pull relationship between companies wanting to make money, and the data-protection mentality, has given rise to conversations on data privacy, data governance, and data security.
想要赚钱的公司与数据保护心态之间的推拉关系引起了关于数据隐私,数据治理和数据安全性的讨论。
Which is why Russel Densmore, Global Privacy Compliance Senior Program Manager at Raytheon, and Chairman of IAPP for the CIPM Certification, stated that he’s hoping that the CyberSecurity Community will recognize a need for certifications in Trust, Privacy, and other up and coming consumer-focused domains within security that go beyond compliance regulations.
因此,雷神公司全球隐私法规遵从高级计划经理, CIPM认证IAPP主席Russel Densmore表示,他希望网络安全社区将认识到对信任,隐私和其他新兴消费者的认证需求,超越法规遵从性的安全领域中的重点领域。
To understand where data privacy and governance fit in the scheme of things, let’s take an in-depth look at what the security, trust, and privacy domains really entail.
要了解数据隐私和治理在事物方案中适合的位置,让我们深入研究安全性,信任域和隐私域的真正含义。
安全 (Security)
The goal of positions within the security domain center on the protection of data assets from hackers and criminals — with the help of firewalls, encryptions, decryption, etc.
在安全域中定位的目标是在防火墙,加密,解密等的帮助下,保护数据资产免受黑客和犯罪分子的侵害。
In the world of IT, data is money. And, it can include details like personal information, payment information, account access, private messages, and things like email IDs.
在IT世界中,数据就是金钱。 并且,它可以包括诸如个人信息,付款信息,帐户访问权限,私人消息之类的详细信息,以及诸如电子邮件ID之类的内容。
Speaking of hackers, ever heard of the term ‘ethical hacking’?
说到黑客,有没有听说过“道德黑客”一词?
If not, just think back to the plot of Catch me if you can. Remember, how Tom Hanks (an FBI agent) hires an expert con-man to work with them as a bank-expert? That’s kind of what ethical hackers (aka security professionals) do.
如果没有的话, 如果可以的话,请回想一下“ 抓住我”的情节。 还记得,汤姆·汉克斯(联邦调查局特工)是如何聘请专家陪同人员作为银行专家吗? 这就是道德黑客 (也称为安全专家)所做的事情。
No, they’re not actual malicious hackers. The role of a white-hat hacker is to use their skill-set to find weaknesses in systems and fix them.
不,他们不是真正的恶意黑客。 白帽黑客的作用是利用他们的技能来发现系统漏洞并加以修复。
Their abilities are similar (if not stronger) to black-hat hackers, and that’s what enables them to route out potential vulnerabilities in software. The difference, of course, is that an ethical hacker legitimately employs their expertise.
他们的能力类似于黑帽黑客(如果不是更强的话),这就是使他们能够找出软件中潜在漏洞的原因。 当然,区别在于道德的黑客合法地使用了他们的专业知识。
At this point, you’re probably wondering why I’m going on about any of this. That’s because ethical hackers are the ultimate security professionals. Pretty cool, yes?
在这一点上,您可能想知道为什么我要继续进行任何此类操作。 这是因为道德黑客是最终的安全专家。 很酷,是吗?
Going back to the overarching concept of security engineering, by now you probably have a good idea of the kind of details it can include.
回到安全工程的总体概念,到现在为止,您可能已经对它可以包含的细节有所了解。
As the world becomes more transparent with advances in technology, so do our lives. Most of our transactions take place online, and all the details of our lives are filed on servers, instead of paper.
随着技术的进步,世界变得更加透明,我们的生活也变得更加透明。 我们的大多数交易都是在线进行的,我们生活的所有细节都存储在服务器上,而不是纸上。
You wouldn’t want a stranger to have access to the details of your life, and that goes double for businesses that deal with sensitive information. So, security engineering focuses on keeping prying eyes away from your data, and provides limited access to authorized personnel.
您不希望陌生人能够访问您的生活细节,这对于处理敏感信息的企业来说是一倍。 因此,安全工程专注于使您的数据不被窥视,并向授权人员提供有限的访问权限。
This is why a big part of data security has to do with making authentication and encryption layers over data, which enhances the security of data concerning threats like malicious software.
这就是为什么数据安全的很大一部分与在数据上进行身份验证和加密层有关的原因,从而增强了与恶意软件等威胁有关的数据的安全性。
Network segmentation is another technique applied to improve security and boost performance. It’s the act of splitting a computer network into sub-networks.
网络分段是用于提高安全性和提高性能的另一种技术。 这是将计算机网络拆分为子网的行为。
With a security layer realization through network segmentation, a network can include more layers (such as firewalls, encryption, internet security protocols, etc.), which will better protect the data within the system.
通过通过网络分段实现安全层,网络可以包含更多层(例如防火墙,加密,Internet安全协议等),这将更好地保护系统内的数据。
Data security also allows for data auditing, which can make your network capable of detecting any errors in the usual data pattern and fix it before it gets too late. You can audit information by encryption of data with customized algorithms or designing network security protocols, with personalized parameters.
数据安全性还允许进行数据审核,这可以使您的网络能够检测到常规数据模式中的任何错误,并在为时已晚之前对其进行修复。 您可以通过使用自定义算法对数据加密或使用个性化参数设计网络安全协议来审核信息。
Hence, security engineering converges largely on the designs of systems and enables security personnel to deal forcefully with all types of disruptions.
因此,安全工程在很大程度上集中于系统设计,并使安全人员能够有效地处理所有类型的中断。
相信 (Trust)
Digital trust has to do with the social responsibility, and the answerability of organizations, in the way they utilize data.
数字信任与组织利用数据的方式的社会责任和组织的责任感有关。
The obligation to secure data is strong because customers are always anxious about how their information is processed by businesses, and how secure it is in the hands of the relevant corporation.
保护数据的义务很强,因为客户总是担心企业如何处理其信息以及相关公司手中数据的安全性。
As a venture, you have to be careful about how you cultivate your customers’ confidence. That’s where data governance comes in.
作为一家合资企业,您必须谨慎对待如何培养客户的信心。 这就是数据治理的用武之地。
Simply put, data governance is a combination of practices that help secure the management of data assets within any given organization.
简而言之,数据治理是各种实践的组合,可帮助确保任何给定组织内数据资产的管理安全。
Because of the growing number of threats faced by Cybersecurity on an annual basis, governments around the world are working on regulations that enhance consumer data protection.
由于网络安全每年面临的威胁越来越多,因此世界各国政府正在制定旨在加强消费者数据保护的法规。
Although, there exists a kind of friction between obligations and compliance when it comes to trust. Companies don’t want to fall foul of the law, nor do they want to lose their customers’ trust.
但是,在信任方面,义务与合规性之间存在某种摩擦。 公司不想违反法律,也不想失去客户的信任。
Yet, they also don’t want to lose their edge when it comes to market competition and seizing emerging market opportunities.
但是,在市场竞争和抓住新兴市场机会方面,他们也不想失去自己的优势。
This is why more and more enterprises are paying attention to data governance by engaging professionals involved in the trust domain.
这就是为什么越来越多的企业通过聘请参与信任域的专业人员来关注数据治理的原因。
Corporations are beginning to concentrate on the debate between what’s legal and ethical — so that they can strike a balance between data compliance and maximizing growth potential.
公司开始将注意力集中在法律与道德之间的争论上,以便他们可以在数据合规性与最大增长潜力之间取得平衡。
隐私 (Privacy)
Privacy has to do with giving users the ability to control how their data is being used and collected. As data becomes the new gold rush, there are those to intend to use and abuse the power that they have with the open web.
隐私与赋予用户控制其数据使用和收集方式的能力有关。 随着数据成为新的淘金热,有些人打算使用和滥用开放网络所具有的功能。
The realm of privacy prioritizes issues such as what kind of data should be collected, and what the permissible uses of data are, etc.
隐私领域会优先考虑各种问题,例如应收集哪种数据以及数据的允许用途等。
If you’re confused, think about how banks work. If your bank is a national financial institution, then it’s likely that most tellers in the country have secure access to your account details.
如果您感到困惑,请考虑银行的运作方式。 如果您的银行是一家国家金融机构,那么该国大多数出纳员很可能可以安全访问您的帐户详细信息。
However, before you get too worked up, privacy works to add an extra layer of protection, to your information, by allowing access only when a need arises — like when you visit a branch of the bank in another city.
但是,在您精疲力尽之前,隐私只能通过在需要时才允许访问(例如,当您访问另一个城市的银行分支机构时)来为信息增加一层保护。
Data privacy is a legal right, and this is why privacy advocates and regulators work to come up with viable strategies that promote privacy protection.
数据隐私是一项法律权利,这就是为什么隐私权倡导者和监管者努力制定可行的策略来促进隐私保护的原因。
Consider The General Data Protection Regulation (GDPR), for instance. In essence, the GDPR is a collection of rules that gives EU citizens more control over their personal data.
例如,考虑通用数据保护条例(GDPR)。 本质上,GDPR是一组规则的集合,这些规则使欧盟公民可以更好地控制其个人数据。
Under the GDPR, organizations are obligated to ensure that personal data is collected legally and under strict conditions.
根据GDPR,组织有义务确保在严格的条件下合法收集个人数据。
Not to mention, those who collect data can be held legally liable for any resulting misuse or exploitation in the event of any negligence. The Data Protection Act, 2019 works similarly, in the USA.
更不用说,如果有任何疏忽,收集数据的人可能对由此引起的滥用或利用承担法律责任。 美国的《 2019年数据保护法》也有类似的规定。
Privacy professionals strive to ensure that users are not only given the maximum authority over their data but that they are also notified of data usage before their details are appropriated.
隐私专业人士努力确保不仅为用户提供对其数据的最大权限,而且还确保在盗用其详细信息之前通知用户数据使用情况。
To cite a few examples, businesses can employ spam regulation techniques such as user verification, community standards, and opt-in features. Such features can be used to gain consent from customers before accessing their information, for any subscriptions, or marketing.
仅举几个例子,企业可以采用垃圾邮件监管技术,例如用户验证,社区标准和选择加入功能。 此类功能可用于获得客户的同意,然后再访问其信息,进行任何订阅或进行营销。
面试中的常见错误 (Common Mistakes In Interviews)
I don’t need to emphasize the importance of interviews, because I’m sure most of you realize how important they are when it comes to landing a job. Which is why I’m going to get right to the point.
我不需要强调面试的重要性,因为我敢肯定你们中的大多数人都意识到他们在找到工作时的重要性。 这就是为什么我要正确地说。
Haribalan Raghupathy, from Integris, confirmed that one of the most typical mistakes he comes across from potential candidates in interviews had to do with — GDPR.
来自Integris的 Haribalan Raghupathy证实,他在面试中从潜在候选人中遇到的最典型的错误之一与GDPR有关。
Candidates will often pretend they have an in-depth knowledge of the EU Regulation but fail to produce comprehensive answers when questioned about it. What you need to understand is that not all managers are looking for GDPR experts.
候选人通常会假装他们对欧盟法规有深入的了解,但是在被质疑时却无法给出全面的答案。 您需要了解的是,并非所有经理都在寻找GDPR专家。
What matters is that you’re honest about your knowledge and experience, because managers are looking for candidates who display a passion to learn. Inflating your knowledge and presenting it as extraordinary is something you should avoid.
重要的是您对自己的知识和经验诚实,因为管理人员正在寻找表现出学习热情的候选人。 您应该避免夸大您的知识并将其呈现为非凡的东西。
Another interview blunder is not displaying strong communication skills. I mean, at this point it should be clear to all that security, privacy, and trust are complex fields.
另一个面试失误是没有表现出很强的沟通能力。 我的意思是,在这一点上,所有人,安全性,隐私和信任都是很复杂的领域,应该很清楚。
And, interviewers are always on the lookout for individuals that can communicate with internal and external stakeholders, in legal and engineering.
而且,面试官总是在寻找可以与法律和工程领域的内部和外部利益相关者进行沟通的个人。
Moving on, candidates that do not ask clarifying questions in the interview, shoot themselves in the proverbial foot. If you don’t bother to ask about job-specific details, you’re in danger of displaying a casual attitude. Avoid this potential landmine by being engaging and raising relevant questions.
继续前进,那些没有在面试中问清楚问题的求职者,将自己打入众所周知的脚。 如果您不愿问有关特定工作的细节,则有表现出随便的态度的危险。 通过参与并提出相关问题来避免这种潜在的地雷。
Bruce Lobree, Security Architect with Symetra, told us that it’s always best for a candidate to know what they’re interviewing for. For example, a security analyst interview is different from a security engineer interview. This is why it’s best to know the company and research the interviewer before you walk into that interview room.
Symetra的安全架构师Bruce Lobree告诉我们,让候选人知道他们要面试的内容总是最好的。 例如,安全分析师采访不同于安全工程师采访。 这就是为什么在走进那个面试室之前最好了解一下公司并研究面试官的原因。
Sean Murphy of BECU points out another factor that most candidates seem to avoid — failures. It’s ok to talk about past failures and how you led your team out of that situation. You can portray your past missteps as your strongpoints by showing that you can learn from your mistakes.
BECU的 肖恩·墨菲 ( Sean Murphy )指出了大多数候选人似乎可以避免的另一个因素-失败。 可以谈论过去的失败以及您如何带领团队摆脱这种情况。 通过证明可以从错误中学习,可以将过去的失误描绘成优点。
Which brings me to my last point. There’s a difference between book smarts and street smarts.
这把我带到了最后一点。 书本聪明人和街头聪明人之间有区别。
Having a solid educational background is certainly a plus, but nothing trumps experience when it comes to developing a robust range of skills. Knowledge may be power, but it’s experience that teaches you how to harness that power.
具有扎实的教育背景无疑是一个加分,但是在开发强大的技能方面,没有什么比任何经验都重要。 知识可能是力量,但是经验可以教会您如何利用这种力量。
如何为未来的道路做好准备 (How To Prepare Yourself For The Road Ahead)
You know how some professions are famous for their analytical methodology?
您知道某些专业因其分析方法而闻名吗?
Well, security engineering is one of those professions. There’s a reason why people always lump research and analysis together. Having the ability to investigate an issue and reaching a sound resolution is something all employers look for in a potential candidate.
嗯,安全工程就是这些专业之一。 人们总是总是将研究和分析混在一起是有原因的。 所有雇主都希望有能力调查问题并达成合理的解决方案。
Andres Arrieta, Director of Consumer Privacy Engineering from Electronic Frontier Foundation, talked to us about how to prepare for analytical thinking in the interview process. He recommended researching past events that happened at a large scale and reviewing how big companies responded.
电子前沿基金会消费者隐私工程总监Andres Arrieta向我们介绍了如何为面试过程中的分析思维做准备。 他建议研究过去发生的大规模事件,并回顾大公司的React。
You can refer to these case studies and build your analytical skills by comparing their reactions to yours. For instance, would you have responded similarly, or would you have come up with an answer that took into account the best interests of the end-user?
您可以参考这些案例研究,并通过将其与您的React进行比较来建立分析技能。 例如,您是否会做出类似的响应,或者您会得出一个考虑到最终用户最大利益的答案?
As a matter of fact, Christopher Howell of Wickr stated that he looks for people who take a user-centric approach. Privacy and trust are all about designing with the user in mind. Show that you care about the user
事实上, Wickr的Christopher Howell表示,他正在寻找采用以用户为中心的方法的人。 隐私和信任都与用户的设计有关。 表明您在乎用户
This may seem like an inconsequential exercise, but no one wakes up one morning with brain-power of Alan Turing or Bertrand Russell (if only). Most of us have to work at honing our natural abilities, and that’s exactly what you should do — starting today!
这看似无关紧要,但没人能在Alan Turing或Bertrand Russell(如果有)的脑力中醒来。 从今天开始,我们大多数人都必须努力提高我们的天赋,这正是您应该做的!
Check out our other Articles:
查看我们的其他文章:
How to get a Machine Learning Engineer job in 2020?
What does it take to be a VR Engineer?
📝 Save this story in Journal.
story将这个故事保存在Journal中 。
👩💻 Wake up every Sunday morning to the week’s most noteworthy stories in Tech waiting in your inbox. Read the Noteworthy in Tech newsletter.
every💻每个星期天的早晨,您都可以在收件箱中等待本周最受关注的Tech故事。 阅读Tech Newsletter中的“值得注意” 。
隐私保护与数据安全的区别
100
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
