Building or designing privacy into IT systems is no different from building privacy into traditional building and utilities designs. Privacy architecture is the embodiment of the Privacy by Design (PbD) principle, which has been adopted as a privacy standard by privacy regulators worldwide and which involves incorporating privacy principles and features into the basic design of information management processes and systems.
Privacy architecture is often confused with security architecture, which is quite different. Privacy and security architectures must be coordinated and can be combined, but privacy architecture features are distinct from security architecture features. While a lot is happening in the IT world, one thing is common on both sides of the equator: ambiguity about the role of Solution and Enterprise Architects in privacy-related projects (GDPR is just a hot topic; I mean privacy risk in any compliance or ethics format). Traditional IT architects were bred on security and ease of doing business (service integrity). Privacy emerging as a critical requirement (N/FR, Non/Functional requirements) within the IT ecosystem has raised questions about what architects will do and how they will approach this situation.
For instance, Enterprise Data Privacy Architecture (EDPA) lets you protect, in isolation, sensitive data fields residing in IT systems such as Web, Application and Database servers. This architecture ensures all sensitive data in storage is encrypted, and only decrypted when required. The architecture encrypts data as early as possible, for example at Web servers, and provides many benefits including, but not limited to:
- Centralization of encryption keys
- Separation of duties
- Granular protection of sensitive data from such users as DBAs and root users
- Auditing and logging, and a consistent cryptographic interface to any type of application, such as those commonly used in Web, Application and Database servers
- The protection of any identified sensitive data from internal rogue employees as well as external hackers
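A sketch of the field-level pattern described above, added here as an example and not taken from the article or from any EDPA product: a central key service holds the keys, the web tier encrypts sensitive fields before storage, and every decrypt request is role-checked and audited. `KeyService`, `protectRecord`, the role names, the key ID and the sample record are all hypothetical.

```javascript
// Added example: KeyService, protectRecord, roles and sample data are hypothetical.
const nodeCrypto = require('node:crypto');
// Central key service: the only component that ever holds key material.
class KeyService {
  constructor(decryptRoles) {
    this.keys = new Map();                      // keyId -> 32-byte AES key
    this.decryptRoles = new Set(decryptRoles);  // roles allowed to see plaintext
    this.auditLog = [];                         // one entry per cryptographic operation
  }
  createKey(keyId) { this.keys.set(keyId, nodeCrypto.randomBytes(32)); return this; }
  audit(op, caller, field, allowed) {
    this.auditLog.push({ ts: new Date().toISOString(), op, ...caller, field, allowed });
  }
  encryptField(caller, keyId, field, plaintext) {
    const iv = nodeCrypto.randomBytes(12);
    const c = nodeCrypto.createCipheriv('aes-256-gcm', this.keys.get(keyId), iv);
    c.setAAD(Buffer.from(field));               // bind the ciphertext to its field name
    const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
    this.audit('encrypt', caller, field, true);
    return [keyId, iv.toString('hex'), c.getAuthTag().toString('hex'), ct.toString('hex')].join(':');
  }
  decryptField(caller, field, blob) {
    const allowed = this.decryptRoles.has(caller.role);
    this.audit('decrypt', caller, field, allowed);  // denied attempts are logged too
    if (!allowed) throw new Error(`role ${caller.role} may not decrypt ${field}`);
    const [keyId, iv, tag, ct] = blob.split(':');
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', this.keys.get(keyId), Buffer.from(iv, 'hex'));
    d.setAAD(Buffer.from(field));
    d.setAuthTag(Buffer.from(tag, 'hex'));
    return Buffer.concat([d.update(Buffer.from(ct, 'hex')), d.final()]).toString('utf8');
  }
}

const SENSITIVE = ['ssn', 'card'];  // constructed list of fields classified as sensitive
// Web tier: encrypt sensitive fields before the record reaches the database.
function protectRecord(ks, caller, record) {
  const out = { ...record };
  for (const f of SENSITIVE) if (f in out) out[f] = ks.encryptField(caller, 'customer-pii', f, out[f]);
  return out;
}

function demo() {
  const ks = new KeyService(['billing-app']).createKey('customer-pii');
  const web = { actor: 'web01', role: 'web-app' };
  const row = protectRecord(ks, web, { name: 'A. Sample', ssn: '000-00-0000', card: '4111111111111111' });
  const ssn = ks.decryptField({ actor: 'billing', role: 'billing-app' }, 'ssn', row.ssn);
  let dbaDenied = false;
  try { ks.decryptField({ actor: 'dba1', role: 'dba' }, 'ssn', row.ssn); } catch (e) { dbaDenied = true; }
  return { row, ssn, dbaDenied, audit: ks.auditLog };
}
```

The stored row is what a DBA or root user sees: the name in clear and the sensitive fields as ciphertext, with the denied decrypt attempt recorded in the audit log.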
One of the finest pairs of articles on this, laying out the subtle intricacies of the matter, was published by Marc Lankhorst a few months ago on the BiZZdesign forum. Without going into details, I would say that it is a must-read for all you fellow privacy professionals and architects who have similar or vested interests in this matter. The topic was "7 Things Every Enterprise Architect Needs to Know About the GDPR".
Some other honorable mentions (read the following articles):
- Deperimeterisation: nine years on – SC Magazine – January 2013
- Security Think Tank: Do not trust the network to ensure secure collaboration – ComputerWeekly.com – May 2014
- It’s All About the Data, Dummy – Raconteur.net – March 2014
- Jericho Forum