Monday, January 21, 2019

Secure Language Translations - Part 4 of Many - Retention

As Google prepares to respond to the Commission Nationale de l'Informatique et des Libertés (CNIL) on the 50 million Euro GDPR-related penalty, and Bloomberg reports that confidential data on thousands of financial adviser clients was exposed by the largest asset manager on the planet, business leaders should ask themselves: are my organization's globalization plans backed by secure translation, localization, internationalization and transcreation procedures? The fact of the matter is that without strong security there is no strong privacy, and as a consequence there is no strong compliance. Without strong compliance there is a large economic risk to the business.

This fine, the biggest related to GDPR so far, should push an organization's management and its board of directors to account for privacy-related risk in their strategy. We should understand the moral of this story through some quotes from the text of this penalty, namely what can happen when "information about the retention period is not provided for some data", when "The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions", when "Users are not able to fully understand the extent of the processing operations", and when applications "deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life". The question for your current language service providers is how they address privacy in order to deliver secure translations.

As I explained in my first post covering the need for secure translations, there are too many fragile security points when translating information. In my last post we saw the importance of two-factor authentication. Today we will examine why privacy is so important, using our by now usual simple quantitative risk management framework:
  • Threat: Leaking of personal information. For example, your Language Service Provider might use contact information in its marketing automation system, ERP, CRM, cloud storage, company website and/or TMS, any of which might result in a compromise of the secure translations you expect.
  • Asset: Any service that captures information about people is endangered by this threat.
  • Vulnerability: Private information stored across multiple systems without centralized management, and retention policies that apply only to part of the process. Your Language Service Provider cannot guarantee secure translations if it captures personal information and backs it up without applying retention policies to the whole process. Not retaining data at all is just as bad, because ransomware might delay projects and in some cases make the information disappear. Add to these issues the lack of a central location where information is kept, such as using separate tools for TMS, ERP, CRM, company website, cloud storage and marketing automation. Finally, not giving users access so that they know how their information is used, and not allowing them to be forgotten easily, violates GDPR and therefore becomes a compliance vulnerability.
  • Risk: The privacy of a system's users is compromised when data related to them is known beyond the context in which it is useful for serving those users. Such information should never be shared beyond the scope the user is aware of and has given explicit consent for. The disclosure of such information is a liability for service providers. Tools exist that can compromise internal systems, encrypt valuable information and demand a ransom to decrypt it (ransomware). In addition, tools exist that can collect information and, in an automated way, build a strong profile of a user, provided that the raw information about that user is fed into the tool. This information can become available only if it is stored and later compromised, and it can then be used in several fraud-related attacks. The more systems this information is present in, the higher the likelihood of a successful attack. The impact is severe. Overall this poses a big risk to a company's reputation and financial stability. If your Language Service Provider is delivering secure translations, its translation process should be transparent and audited by an external recognized/authorized CPA firm.
  • Safeguard: Use centralized management for information, with retention policies that apply to production data and to backups. Both. If your current Language Service Provider (AKA LSP) cannot guarantee that a retention policy applies to backups as well as production data, it cannot provide secure translations. If your current LSP does not offer consolidated file storage for confidential and restricted information and instead uses its corporate website, out-of-the-box cloud storage or a plethora of systems, be aware that it cannot provide secure translations.
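As an added example (not code from the original post or from any LSP), the following Python retention audit applies one central policy to production copies and backups alike, which is the Safeguard described above, and also handles the right to be forgotten across every copy. The system names, data categories, retention periods and records are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    """One copy of personal data; for a backup, `system` is its source system."""
    subject_id: str
    category: str
    system: str
    stored_on: date
    is_backup: bool = False

# Central policy (constructed sample values): retention days and the only
# systems allowed to hold each category. The same rule covers backups.
POLICY = {
    "contact": {"days": 365, "allowed": {"crm"}},
    "project_content": {"days": 90, "allowed": {"tms", "file-store"}},
}

def audit(records, today, policy=POLICY):
    """Return sorted (issue, subject_id, system) tuples; empty means compliant."""
    issues = set()
    for r in records:
        rule = policy.get(r.category)
        if rule is None:
            issues.add(("no_policy", r.subject_id, r.system))
            continue
        if r.system not in rule["allowed"]:
            issues.add(("unauthorised_system", r.subject_id, r.system))
        if today - r.stored_on > timedelta(days=rule["days"]):
            kind = "backup_past_retention" if r.is_backup else "past_retention"
            issues.add((kind, r.subject_id, r.system))
    return sorted(issues)

def erase_subject(records, subject_id):
    """Right to be forgotten: drop every copy for a subject, backups included."""
    kept = [r for r in records if r.subject_id != subject_id]
    return kept, len(records) - len(kept)

# Constructed sample inventory and audit date: a contact copied into marketing
# automation (not allowed) and a project-content backup older than 90 days.
TODAY = date(2019, 1, 21)
SAMPLE = [
    Record("s1", "contact", "crm", date(2019, 1, 1)),
    Record("s1", "contact", "marketing-automation", date(2019, 1, 1)),
    Record("s2", "project_content", "tms", date(2018, 12, 1)),
    Record("s2", "project_content", "tms", date(2018, 9, 1), is_backup=True),
]
```

Calling audit(SAMPLE, TODAY) flags the stray marketing-automation copy and the stale backup, and erase_subject(SAMPLE, "s1") removes both copies of that subject rather than only the production one.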
I will leave the always helpful STRIDE threat modeling framework as an exercise for the reader. You can look at any of my previous posts for examples of STRIDE.

In my next post I will look at the threat of not implementing a security program and/or not getting an external audit to obtain a US compliance report and/or an international certification.

You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers, but also to help engineers reduce organizational risk through sound security measures.
