Lytics’ 3 principles of information security (+ best practices)

Principles of information security come up where you least expect them.

Consider this. I recently took my car for an oil change. I drove to a quick-lube place near a supermarket in a shopping area near my house. Still sipping my morning coffee and trying to wake up, I pulled up and gave the oil change technician my keys. The technician told me my car would be ready in 30 minutes or so. I said that was all fine, because I was going to walk to the supermarket while they worked. I shuffled across the parking lot, thinking about my grocery list and not even realizing: I had just violated three major principles of information security in one single interaction.

You never know when you might unintentionally let your guard down. Life is busy, and many times humans put trust where trust maybe doesn’t belong, and where trust is not even required.

And although nothing happened to me or my car that morning, it’s an interesting practical example of how best practices can be violated in an instant.

According to VentureBeat:

“It’s essential that organizations adopt security strategies based on identities rather than old-school perimeter protections. Implementing least-privilege policies, a zero-trust architecture and zero-touch provisioning is critical for an organization’s services and network components.”

Here are some principles we follow at Lytics.

1. Least Privilege: You don’t need access to what you don’t need access to

The Principle of Least Privilege says a user should only have access to the specific data, resources, and applications they need to complete a required task. 

Least Privilege is an important design consideration for protecting data and systems from faults and malicious behavior. More access means more problems. This follows from the fact that adding more and more complexity to a system increases the number of potential issues and makes solutions to problems impractical at an exponential rate.

I violated the Principle of Least Privilege when I gave the oil change technician my keys, because I gave them all of my keys, including my house key and the key to the cargo bin on top of my car. The technician really only needed the one key to drive my car into the oil change bay, but rather than go to the trouble of taking the car key off the keychain, I handed over all of my keys. I never do that, but I did it that morning.

2. The principle of Zero Trust

Under a Zero Trust security design, whether a user sits inside or outside a network doesn’t matter, because all users are treated as potential threats. “Zero Trust” means all access requests are evaluated on a case-by-case basis to protect against unauthorized access to resources and to minimize cybersecurity risk.

Where Least Privilege keeps access as minimal as possible, Zero Trust authenticates access as much as possible. Zero Trust verifies who is trying to access a network based on all available data points, including user identity, location, device health, service or workload, data classification, and any anomalies that crop up.
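As an added illustration (not Lytics code), the sketch below evaluates each request on its own, combining a least-privilege grant check with the Zero Trust signals listed above. The identities, resources, thresholds, and the names `GRANTS`, `Request`, and `evaluate` are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical least-privilege grants: each identity holds only the
# (resource, action) pairs its task requires. Constructed sample data.
GRANTS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "delete")},
}
CLASS_RANK = {"public": 0, "internal": 1, "restricted": 2}
ALLOWED_LOCATIONS = {"US", "CA"}   # assumed policy value
ANOMALY_THRESHOLD = 0.8            # assumed policy value


@dataclass(frozen=True)
class Request:
    identity: str
    authenticated: bool
    location: str
    device_healthy: bool
    resource: str
    action: str
    classification: str
    anomaly_score: float  # 0.0 (normal) to 1.0 (highly unusual)


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Decide one request; nothing is trusted because of where it comes from."""
    reasons = []
    if not req.authenticated:
        reasons.append("identity not verified")
    # Least privilege: deny unless this exact resource/action was granted.
    if (req.resource, req.action) not in GRANTS.get(req.identity, set()):
        reasons.append("no grant for this resource/action (least privilege)")
    if req.location not in ALLOWED_LOCATIONS:
        reasons.append("unexpected location")
    # Fail closed: an unknown classification is treated as the most sensitive.
    rank = CLASS_RANK.get(req.classification, max(CLASS_RANK.values()))
    if rank >= CLASS_RANK["internal"] and not req.device_healthy:
        reasons.append("unhealthy device for non-public data")
    if req.anomaly_score >= ANOMALY_THRESHOLD:
        reasons.append("anomalous behaviour")
    return (not reasons, reasons)
```

Returning every failed check, rather than stopping at the first, gives the audit log the full reason a request was denied.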

I violated the Principle of Zero Trust when I gave all of my keys to the technician, because I assumed there was no threat, because I assumed I knew the people I was leaving my car with. I had been there before, it was a mellow morning, I was familiar with the business and the brand, I was only going to be across the parking lot at the supermarket for a few minutes, and the technician who took my keys seemed like a cool dude. 

There really was no reason to fear. But there was no real reason to trust, either.

3. Data minimization (or, why do you need my phone number?)

The Principle of Data Minimization requires a data controller to limit the collection of personal information to information directly relevant and necessary to accomplish a specified purpose. The principle also says controllers should retain the data only for as long as is necessary to fulfill that purpose.

The Data Minimization principle is violated whenever someone wants information that doesn’t relate to the task at hand. We’ve all had that creepy feeling when giving our phone number to someone in a transaction where our phone number isn’t relevant. More importantly, it could lead to us getting phone calls from people who don’t have our permission or consent to call us.

The Principle of Data Minimization is one of the underpinning principles of European data protection law (the GDPR), California and other U.S. state laws, and data processing laws in general. “Why do we need phone numbers?” is a question we should all be asking at a high level.
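As an added illustration (not Lytics code), the sketch below enforces both halves of the principle: collection is limited to the fields a declared purpose needs, and each record carries an expiry tied to that purpose. The purposes, field names, retention periods, and function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical purpose registry: the fields each purpose needs and how long
# records collected for it may be kept. Constructed values.
PURPOSES = {
    "oil_change": {"fields": {"name", "plate"}, "retention": timedelta(days=30)},
    "sms_pickup_alert": {"fields": {"name", "phone"}, "retention": timedelta(days=1)},
}


def collect(purpose, submitted, now):
    """Keep only the fields the declared purpose requires; report the rest.

    An unregistered purpose raises KeyError: no purpose, no collection.
    """
    spec = PURPOSES[purpose]
    kept = {k: v for k, v in submitted.items() if k in spec["fields"]}
    dropped = sorted(set(submitted) - spec["fields"])
    record = {"purpose": purpose, "data": kept, "expires": now + spec["retention"]}
    return record, dropped


def purge_expired(records, now):
    """Retention: keep only records whose purpose-bound lifetime has not ended."""
    return [r for r in records if r["expires"] > now]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed form submission that offers more than the task needs.
    form = {"name": "A. Driver", "plate": "ABC123",
            "phone": "555-0100", "home_address": "1 Example St"}
    record, dropped = collect("oil_change", form, now)
    print("stored:", record["data"])
    print("never stored:", dropped)
    print("after 31 days:", purge_expired([record], now + timedelta(days=31)))
```

The same phone number is kept under `sms_pickup_alert`, where it is relevant to the purpose, but only for the shorter retention period registered for that purpose.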

I violated the Principle of Data Minimization, but it wasn’t because anyone asked me for more information. Instead, I offered more information than was relevant when I said I was going to the supermarket. I thought I was telling the technician that I would be back soon, even if I wasn’t there immediately when they finished my car. But who knows what that extra information could have been used for. We never know what unnecessary data can do to add risk where it doesn’t need to be. 

The Principle of Data Minimization says, when in doubt, leave it out.

Lytics: Privacy by design and by default

Whether our customers are thinking about exciting things like how to use first-party data in unified profiles, how to create rich segments without moving data, or how to deliver personalized experiences to their own customers, chances are they are also thinking about the practical concerns of data security and how Lytics can help with that, too.

Lytics is designed for privacy and data security. Security best practices are a mandated aspect of all our development activities, and risk management lives at the core of our software development process. Lytics respects the privacy of the individuals whose personal information we process and their rights regarding that data. And Lytics is committed to regular, independent audits of our platform as a means of enhancing data protection and reducing the risk of a security incident.

Keeping data secure is a shared responsibility. That’s how the laws of data protection are structured, and Lytics partners with our customers in helping meet those compliance standards for encryption, data minimization, and much more. The data-protection best practices require the kind of dedicated effort that comes from Lytics and our customers working together, and from everyone knowing who is responsible for what in the complex data protection security measures required.

We are all human. Without some help and someone to back us up, we might inadvertently overlook our normal best practices and violate the principles of security without even meaning to, just like I did at the oil change place.

Best practices from the Lytics Trust Center

Lytics is obsessed with offering customers world-class SaaS products and giving them data superpowers, but we are also obsessed with data security. Just as Lytics publishes online resources like Learn.Lytics.com to guide customers on how to get the most out of their Lytics service, we offer a similar guide for data protection to customers on the Lytics Trust Center.

The Lytics Trust Center is where you can find information about our compliance framework—including security, privacy, GDPR compliance, SOC 2 certification, and more.