Data Privacy Is in 23andMe CSO’s DNA
David Baker, chief security officer (CSO) at 23andMe, can sum up his strategy in a few blunt, soldierly maxims.
“The best defense is a good offense,” he told Dark Reading, while getting in a workout on his treadmill. “Be paranoid. Trust no one.”
The multitasking Baker is in the second year of his tenure at the biotech and genetic testing company, which handles the most fundamental quantifiable data a person can give up: the map of their genetic heritage, as well as a long list of personally identifiable data. Customers send virtual money and a physical cheek swab to 23andMe’s labs in Sunnyvale, Calif., to learn more about their ancestry or whether they have markers for diabetes, cancer, celiac disease, or a number of other inherited medical conditions.
23andMe uses its customers’ aggregated genetic information, stripped of personally identifiable information (PII), for biomedical research. Baker said he isn’t too worried about the security of the genetic information on its own. It’s useless on the black market, he said.
“What would they steal from a genetic string – fingerprints, retina scans? It doesn’t work like that,” Baker said.
The problem, he said, is if the PII – a tremendously sensitive asset on its own – were to find its way into the wrong hands, along with the genetic information. Together they become referenceable, providing an easy way for criminals to triangulate their way to a comprehensive identity theft.
No wonder, then, that the California company employs a “sizable” team of IT and cybersecurity staff, including white-hat hackers and bug miners whose job is to attack the company’s defenses, day in and day out, looking for vulnerabilities. All the standard defenses are in place, including least-privilege access for all employees, tokenization, two-factor authentication, 256-bit encryption, public cloud infrastructure, and no VPN-based access.
“23andMe uses a strict zero-trust access and authorization model,” Baker said. “The privacy and security of our customers’ data is front and center to all business decisions.”
Tight Data Rein
Data might be the bloodstream of the digital economy, but Baker is adamant that no data ever leaves the four walls of 23andMe, except for what the research team publishes or what the company sends to customers. That means all work is done in-house, with no third parties in any capacity whatever.
How 23andMe pulls this off is something of a professional secret. Compare, for example, the privacy standards of Genomics England, the UK’s government genomics company: “Several companies and organisations have access to different parts of the secure datacentre, or data pipelines,” its website states. “It is feasible that someone working in the datacentre could see de-identified participant data.”
23andMe handles its own data at every step, mostly through virtualized machines. All data is encrypted in transit and again in databases, with PII and genetic data stored separately. If a customer wants to delete his or her account, no human eye will see it go, just as no human eye will have seen it in the system.
“We’re hiding data even from ourselves,” Baker explained.
HIPAA regulations, which govern portability rather than privacy, don’t come into play in these cases, but Baker works closely with 23andMe’s chief privacy officer, Jacquie Haggarty, to keep all operations GDPR- and CCPA-compliant.
This strict stance on privacy extends to law enforcement as well. To date, 23andMe has yet to give up any data to law enforcement, maintaining a similar standard to another giant in the personal genomics field, Ancestry.com.
Even the research data 23andMe publishes (generally as summarized, aggregated statistics) is subject to special privacy protocols. Customers have to opt in explicitly if they want their data used by the research team; the approval is separate from the company’s terms of service. An independent ethics committee oversees this process.
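The pattern described above, in which PII and genetic data are stored apart and only research opt-ins contribute to aggregate releases, is illustrated by the following added example. It is not 23andMe’s code and assumes nothing about its systems: the token format, the `research_opt_in` flag, the `MIN_COHORT` threshold, the marker names and the customer records are all constructed for this demonstration, and encryption at rest is assumed to be applied by the storage layer rather than modelled here.

```python
"""Illustrative split-storage model (added example, not 23andMe's system):
identity records and genotype calls live in separate stores, linked only by a
random opaque token, so a dump of the genome store alone is not referenceable."""
import json
import secrets
from collections import Counter, defaultdict

MIN_COHORT = 3  # constructed threshold: no aggregate release for tiny cohorts


class PiiVault:
    """Identity records only. Per-store encryption at rest is assumed to be
    handled by the storage layer and is not modelled in this example."""

    def __init__(self):
        self._records = {}  # token -> {"name", "email", "research_opt_in"}

    def create(self, pii, research_opt_in=False):
        # The token is random, not a hash of the PII, so nobody who knows a
        # name or e-mail address can recompute it and link the two stores.
        token = secrets.token_hex(16)
        self._records[token] = {**pii, "research_opt_in": research_opt_in}
        return token

    def lookup(self, token):
        return self._records.get(token)

    def delete(self, token):
        return self._records.pop(token, None) is not None

    def consenting_tokens(self):
        """Only explicitly opted-in customers feed the research pipeline."""
        return [t for t, r in self._records.items() if r["research_opt_in"]]


class GenomeStore:
    """Genotype calls keyed only by the opaque token; no PII is stored here."""

    def __init__(self):
        self._records = {}  # token -> {marker: genotype}

    def put(self, token, calls):
        self._records[token] = dict(calls)

    def get(self, token):
        return self._records.get(token)

    def delete(self, token):
        return self._records.pop(token, None) is not None

    def dump(self):
        """What a backup or a stolen copy of this store would contain."""
        return json.dumps(self._records, sort_keys=True)

    def aggregate(self, tokens):
        """Research release: per-marker genotype counts, never per-token rows."""
        if len(tokens) < MIN_COHORT:
            raise ValueError("cohort below minimum size; aggregate not released")
        counts = defaultdict(Counter)
        for tok in tokens:
            for marker, genotype in self._records[tok].items():
                counts[marker][genotype] += 1
        return {m: dict(c) for m, c in counts.items()}


def enroll(vault, genomes, pii, calls, research_opt_in):
    token = vault.create(pii, research_opt_in)
    genomes.put(token, calls)
    return token


def delete_account(vault, genomes, token):
    """Erasure path: both halves are removed; True only if both existed."""
    removed_pii = vault.delete(token)
    removed_genome = genomes.delete(token)
    return removed_pii and removed_genome


def leaks_pii(genomes, pii_records):
    """Check that no PII string value appears anywhere in the genome dump."""
    dump = genomes.dump()
    return any(v in dump for rec in pii_records
               for v in rec.values() if isinstance(v, str))


# Constructed sample customers and genotype calls (marker names are placeholders).
SAMPLE = [
    ({"name": "Ada Example", "email": "ada@example.com"}, {"marker_1": "AA", "marker_2": "CT"}, True),
    ({"name": "Bob Example", "email": "bob@example.com"}, {"marker_1": "AG", "marker_2": "CC"}, True),
    ({"name": "Cy Example", "email": "cy@example.com"}, {"marker_1": "AA", "marker_2": "CT"}, True),
    ({"name": "Di Example", "email": "di@example.com"}, {"marker_1": "GG", "marker_2": "TT"}, False),
]


def build_demo():
    vault, genomes = PiiVault(), GenomeStore()
    tokens = [enroll(vault, genomes, pii, calls, opt_in) for pii, calls, opt_in in SAMPLE]
    return vault, genomes, tokens


if __name__ == "__main__":
    vault, genomes, tokens = build_demo()
    print("genome dump leaks PII:", leaks_pii(genomes, [s[0] for s in SAMPLE]))
    print("research aggregate:", genomes.aggregate(vault.consenting_tokens()))
    print("account deleted:", delete_account(vault, genomes, tokens[0]))
```

The two properties worth checking in a design like this are the ones the text calls out: the genome store on its own carries nothing a thief can reference back to a person, and the research output is a count per marker with a floor on cohort size, so an opted-out customer (the fourth record) never contributes and no individual row is released.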
Defenses this strong require benchmarking IT’s maturity and budget. Regarding the former, 23andMe participates in the Health Information Sharing and Analysis Center (H-ISAC), a global consortium of critical infrastructure owners in the healthcare sector, to share statistics and best practices. One H-ISAC metric in particular, the dollar cost per discovered bug, is a good barometer of the engineering team’s continuous integration/deployment pipeline, said Baker, who is optimistic about 23andMe’s rating against its peers.
As for budget, 23andMe’s level of defense infrastructure and insourcing requires hefty funding. Luckily for Baker, 23andMe’s executive team doesn’t require the cajoling that CISOs in other fields have to provide. This is largely due to 23andMe’s company culture, which stresses the newest and best technology across functions. Data security is woven into every job at 23andMe and reinforced by constant training and regular phishing tests.
The end result? There’s no lag between IT’s implementing new policies and the rest of the company adopting them.
“We have that advantage,” Baker explained. “We move a lot faster.”
From a man who won’t stop moving even for a Zoom call, that’s quite an endorsement.