Posts under this project (1)
Stronger Together: Cross Service Media Recommendations
Whilst working within R&D in 2020 and 2021 I was brought onto the CornMarket team to work on their new initiative into personal data stores. My focus when...
31 January 2023 by Thomas Preece
Whilst working within R&D in 2020 and 2021 I was brought onto the CornMarket team to work on their new initiative into personal data stores. Prior to this project, I’d been focusing my efforts in R&D on security awareness and learning, so management moved me to this project both to recognise the skills I’d shown in security and to leverage them.
I was responsible for ensuring that the risks of this new way of storing data were minimised. My focus was to reduce the unacceptable risk rating given by InfoSec at the start of the project to a rating that was acceptable enough to run the trials. This required me to look at the overall architecture, perform threat modelling, and design and implement several security controls.
Understanding the architecture and performing threat modelling proved to be challenging, as the main data storage part of the system was using a third-party Kubernetes cluster that we were deploying, and for commercial reasons they didn’t want to give too many details of the inner workings. As a result, I had to reverse engineer the cluster to understand how each component worked and how it fitted together. Once the architecture was fully understood, I began to work on securing the system, such as adding in audit logging, implementing zero trust networking via network policies and adding secondary authentication.
The project finished after I left but I’d successfully brought the InfoSec risk rating down to let the trial go ahead. You can read more about the work on the R&D blog at: https://www.bbc.co.uk/rd/blog/2021-09-personal-data-store-research.