<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Compliance</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/compliance.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-06-25T08:13:00+10:00</updated><entry><title>Edge Security is now a Privacy Compliance Issue</title><link href="https://www.peakhour.io/blog/edge-security-and-privacy-compliance/" rel="alternate"></link><published>2026-06-25T08:13:00+10:00</published><updated>2026-06-25T08:13:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2026-06-25:/blog/edge-security-and-privacy-compliance/</id><summary type="html">&lt;p&gt;Recent guidelines from the Australian government have specified practical measures businesses need to take to protect personal information. Learn more.&lt;/p&gt;</summary><content type="html">&lt;p&gt;For Australian businesses, website security is no longer just an IT problem. If a website collects, processes or exposes personal information, edge security is now part of privacy compliance.&lt;/p&gt;
&lt;p&gt;That shift matters because many organisations still treat cyber compliance as an Essential Eight exercise. They focus on patching, MFA, backups, restricted administrative privileges and endpoint hardening. Those controls are important, but they do not fully protect the public-facing web applications, APIs, customer portals and login flows where personal information is often exposed.&lt;/p&gt;
&lt;p&gt;Under &lt;a href="https://www.legislation.gov.au/C2004A03712/2025-02-01/2025-02-01/text/1/epub/OEBPS/document_1/document_1.html#_Toc191455268"&gt;Australian Privacy Principle 11 — security of personal information&lt;/a&gt;, an APP entity that holds personal information must take reasonable steps to protect it from misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure. The Act also makes clear that those steps include technical and organisational measures.&lt;/p&gt;
&lt;p&gt;That wording is important. It means privacy compliance is not limited to policies, contracts and internal IT controls. If customer data is reachable through a website or API, then the controls protecting that website or API become part of the privacy compliance story.&lt;/p&gt;
&lt;h2&gt;Essential Eight is the floor, not the whole building&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight"&gt;Essential Eight&lt;/a&gt; is a valuable baseline. The ACSC says it makes it much harder for adversaries to compromise systems, while also noting that no set of mitigation strategies can protect against all cyber threats.&lt;/p&gt;
&lt;p&gt;That distinction is important for web applications.&lt;/p&gt;
&lt;p&gt;A business can be mature against Essential Eight and still leave its public-facing website exposed. It may have MFA for staff, but no effective protection against credential stuffing on customer accounts. It may patch internal systems, but still allow bots to abuse login, checkout, account, booking or password reset endpoints. It may have backups, but no useful web-layer logs to understand whether personal information was accessed.&lt;/p&gt;
&lt;p&gt;Essential Eight helps reduce compromise risk across the corporate environment. Edge security helps protect the application layer where customers, bots, attackers and APIs interact in real time.&lt;/p&gt;
&lt;p&gt;For any business that handles personal information online, both are needed.&lt;/p&gt;
&lt;h2&gt;The edge is where privacy risk often appears first&lt;/h2&gt;
&lt;p&gt;Most attacks against websites do not start with malware on an employee laptop. They start with HTTP requests.&lt;/p&gt;
&lt;p&gt;Attackers test login forms with leaked credentials. They scrape customer portals. They abuse APIs. They enumerate accounts. They probe CMS plugins. They bypass exposed origins. They overload search, checkout or booking endpoints. They automate password reset flows. They use residential proxies and headless browsers to make malicious traffic look like normal customer activity.&lt;/p&gt;
&lt;p&gt;From a privacy perspective, this matters because these attacks can lead directly to unauthorised access, disclosure, misuse or loss of personal information.&lt;/p&gt;
&lt;p&gt;That is exactly the risk APP 11 is concerned with.&lt;/p&gt;
&lt;p&gt;If a website exposes customer names, addresses, order history, invoices, loyalty balances, support tickets, identity documents, health information, student records or account data, the edge is part of the control environment. It is the place where malicious traffic can be blocked, challenged, rate limited, logged or allowed through to the origin.&lt;/p&gt;
&lt;h2&gt;Government guidance points beyond basic IT hygiene&lt;/h2&gt;
&lt;p&gt;The ACSC’s guidance on &lt;a href="https://www.cyber.gov.au/business-government/small-business-cyber-security/securing-customer-personal-data"&gt;securing customer personal data&lt;/a&gt; recommends practical controls such as creating a register of personal data, limiting what is collected, deleting unused data, controlling access, encrypting data, backing it up, and logging and monitoring access.&lt;/p&gt;
&lt;p&gt;For a website, those recommendations have direct edge and application-layer implications.&lt;/p&gt;
&lt;p&gt;A register of personal data should include not only databases, but also web forms, APIs, CDN logs, application logs, analytics tools, third-party scripts, support systems and staging environments. Limiting collection should mean removing unnecessary fields from forms, avoiding personal information in URLs, and not sending sensitive data into analytics or debugging tools without a clear reason. Logging and monitoring should include requests to sensitive endpoints, not just server health metrics.&lt;/p&gt;
&lt;p&gt;In other words, practical privacy protection has to reach the web stack.&lt;/p&gt;
&lt;h2&gt;WAF, rate limiting and bot management are privacy controls&lt;/h2&gt;
&lt;p&gt;A web application firewall is often seen as a security control. Rate limiting is often seen as an availability control. Bot management is often seen as a cost or performance control.&lt;/p&gt;
&lt;p&gt;For websites handling personal information, all three are also privacy controls.&lt;/p&gt;
&lt;p&gt;A WAF helps block common exploit attempts before they reach the application. Rate limiting helps reduce brute force attacks, account enumeration, password reset abuse, checkout abuse and application-layer denial of service. Bot management helps identify credential stuffing tools, scrapers, automation frameworks, fake browsers and proxy-based abuse.&lt;/p&gt;
&lt;p&gt;These controls do not replace secure application development, access control or data minimisation. But they reduce the chance that personal information can be accessed or harvested through normal-looking web requests.&lt;/p&gt;
&lt;p&gt;That matters because many privacy incidents are not sophisticated intrusions. They are automated abuse at scale.&lt;/p&gt;
&lt;p&gt;A login form without bot protection can become a credential stuffing endpoint. A search API without rate limits can become a scraping interface. A customer portal without behavioural monitoring can become a data extraction tool. An exposed origin can bypass the very controls the business thought were protecting the site.&lt;/p&gt;
&lt;h2&gt;Edge logging supports breach assessment&lt;/h2&gt;
&lt;p&gt;Privacy compliance is not only about preventing incidents. It is also about understanding them.&lt;/p&gt;
&lt;p&gt;When something goes wrong, a business needs to answer practical questions. Which accounts, IPs, sessions or API keys accessed the affected records? Which endpoints were used? Was the traffic automated? Did it come through the CDN or bypass it? Was the data viewed, modified or exported? What personal information may have been exposed?&lt;/p&gt;
&lt;p&gt;Without edge and application-layer logs, those questions are hard to answer.&lt;/p&gt;
&lt;p&gt;That creates a second-order privacy problem. If a business cannot determine what happened, it may struggle to assess the seriousness of an incident, notify accurately, or explain what remedial action was taken.&lt;/p&gt;
&lt;p&gt;Good logging does not mean storing personal information in logs forever. It means capturing enough security metadata to reconstruct access patterns while avoiding unnecessary personal information in the logs themselves.&lt;/p&gt;
&lt;h2&gt;Data minimisation also applies at the edge&lt;/h2&gt;
&lt;p&gt;Privacy risk increases when personal information spreads through systems that were never designed to store it.&lt;/p&gt;
&lt;p&gt;Websites often leak personal information into places businesses forget to review: query strings, CDN logs, analytics events, error traces, session replay tools, marketing pixels, staging databases, CSV exports and support tickets.&lt;/p&gt;
&lt;p&gt;That is why data minimisation should apply to the whole request path, not only the production database.&lt;/p&gt;
&lt;p&gt;Do not put personal information in URLs if it will be logged by browsers, proxies, CDNs and analytics tools. Do not send unnecessary personal information to third-party scripts. Do not retain verbose request logs longer than needed. Do not copy production customer data into staging unless there is a controlled and documented reason. Do not collect fields “just in case”.&lt;/p&gt;
&lt;p&gt;The less personal information that passes through the edge, the less there is to expose, protect, delete and explain.&lt;/p&gt;
&lt;h2&gt;What this means in practice&lt;/h2&gt;
&lt;p&gt;For Australian websites handling personal information, edge security should now be treated as part of the privacy control set. That usually means:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;placing the site behind a CDN or edge security layer&lt;/li&gt;
&lt;li&gt;enabling WAF protection for common application attacks&lt;/li&gt;
&lt;li&gt;applying rate limits to login, registration, password reset, checkout, search and API endpoints&lt;/li&gt;
&lt;li&gt;using bot management to detect scraping, credential stuffing and automated abuse&lt;/li&gt;
&lt;li&gt;locking down the origin so attackers cannot bypass edge controls&lt;/li&gt;
&lt;li&gt;logging enough request metadata to support investigation and breach assessment&lt;/li&gt;
&lt;li&gt;reviewing what personal information appears in URLs, headers, cookies, logs and analytics&lt;/li&gt;
&lt;li&gt;applying retention and deletion rules to CDN logs, application logs and third-party tools&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The important point is not that every website needs the same controls. A simple contact form does not create the same risk as an ecommerce account portal or health booking system. The point is that the controls should match the risk created by the personal information being handled.&lt;/p&gt;
&lt;p&gt;That is the practical meaning of “reasonable steps”.&lt;/p&gt;
&lt;h2&gt;The takeaway&lt;/h2&gt;
&lt;p&gt;Edge security has moved from being a performance and availability issue to being a privacy compliance issue.&lt;/p&gt;
&lt;p&gt;For Australian businesses, Essential Eight remains a sensible baseline. But it does not prove that a public-facing website, API or customer portal is protected against the most common ways personal information is abused online.&lt;/p&gt;
&lt;p&gt;If personal information is collected, accessed or processed through the web application, then WAF, bot management, rate limiting, origin protection, API controls, logging and data minimisation all become part of the privacy compliance conversation.&lt;/p&gt;
&lt;p&gt;The question is no longer just whether the business has implemented Essential Eight.&lt;/p&gt;
&lt;p&gt;The better question is: if an attacker came through the front door of the website, could the business show it had taken reasonable technical steps to protect the personal information behind it?&lt;/p&gt;</content><category term="Security"></category><category term="Security"></category><category term="Compliance"></category></entry><entry><title>APRA Cybersecurity Guidelines</title><link href="https://www.peakhour.io/blog/apra-cybersecurity-application-security-financial-services/" rel="alternate"></link><published>2023-10-12T12:31:00+11:00</published><updated>2024-12-01T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-10-12:/blog/apra-cybersecurity-application-security-financial-services/</id><summary type="html">&lt;p&gt;Comprehensive guide to APRA cybersecurity requirements for Australian financial institutions. Learn how application security platforms help meet CPS 234 compliance and Information Security Manual guidelines for protecting financial services infrastructure.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Website cybersecurity is a practical requirement, and Australian organisations have a substantial body of guidance to work from.
While the Australian Government's "Essential 8" focuses broadly on workplace security, the Australian Prudential Regulation Authority (APRA) offers a more specific
&lt;a href="https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism"&gt;Information Security Manual (ISM)&lt;/a&gt;
with recommendations that apply to business websites.&lt;/p&gt;
&lt;h2&gt;Why Website Security Matters&lt;/h2&gt;
&lt;p&gt;When your business operates a website or web application, you are not just managing content; you are responsible for protecting data.
Inadequate security controls expose you to risks such as data breaches, malware, &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt;, and reputational damage. Company executives and operational staff need to implement relevant recommendations to minimise risk and liability
if a security breach occurs.&lt;/p&gt;
&lt;h2&gt;APRA’s ISM: Tailored for Websites&lt;/h2&gt;
&lt;p&gt;APRA's ISM guidelines are practical for website owners. These are the key recommendations for websites and why they matter:&lt;/p&gt;
&lt;h3&gt;Network Traffic and Anonymity (ISM-1627, ISM-1628)&lt;/h3&gt;
&lt;p&gt;Blocking anonymity network traffic reduces the ability of malicious actors to hide their identity. This improves
accountability when investigating suspicious requests and reduces security threats.&lt;/p&gt;
&lt;h3&gt;Cloud Service Providers (ISM-1437)&lt;/h3&gt;
&lt;p&gt;APRA advises the use of cloud service providers for hosting online services. A well-managed cloud platform can
provide security controls and operational maturity that are difficult to match on premises.&lt;/p&gt;
&lt;h3&gt;Content Delivery Network (ISM-1438)&lt;/h3&gt;
&lt;p&gt;A CDN is not only a performance tool. It can filter malicious traffic before it reaches the origin and provide an additional
layer of security.&lt;/p&gt;
&lt;h3&gt;Origin Exposure and DDoS Mitigation (ISM-1439)&lt;/h3&gt;
&lt;p&gt;Hiding the origin IP and using cloud providers for DDoS mitigation helps protect your primary server by dispersing traffic
across a distributed network.&lt;/p&gt;
&lt;h3&gt;Data Encryption (ISM-1781, ISM-1139)&lt;/h3&gt;
&lt;p&gt;Encrypt all data over the network and use only the latest version of TLS to protect data in transit.&lt;/p&gt;
&lt;h3&gt;Logging and Auditing (ISM-261, ISM-580, ISM-0585, ISM-1661)&lt;/h3&gt;
&lt;p&gt;Comprehensive audit logging is vital for tracking activity and identifying irregular patterns. Logs should be
detailed and reviewed periodically.&lt;/p&gt;
&lt;h3&gt;Web Application Firewall (WAF) (ISM-1240, ISM-1490, ISM-1509, ISM-1657)&lt;/h3&gt;
&lt;p&gt;A WAF provides a control point for monitoring and filtering incoming traffic, enabling you to block harmful requests.&lt;/p&gt;
&lt;h3&gt;Backup and Configuration (ISM-1511)&lt;/h3&gt;
&lt;p&gt;Back up your data, website, and configurations, and store them securely, preferably in a version-controlled environment such as Git.&lt;/p&gt;
&lt;h3&gt;HTTPS and SSL (ISM-1277, ISM-1552)&lt;/h3&gt;
&lt;p&gt;SSL certificates and HTTPS should be standard for all web content. This helps safeguard data integrity and user
confidentiality.&lt;/p&gt;
&lt;h3&gt;Scaling and Monitoring (ISM-1579, ISM-1581)&lt;/h3&gt;
&lt;p&gt;Ensure &lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;your website&lt;/a&gt; can scale during demand spikes and that you have real-time monitoring for capacity and availability.&lt;/p&gt;
&lt;h3&gt;Virtual Patching and Antivirus Scanning (ISM-1690, ISM-1288, ISM-1694)&lt;/h3&gt;
&lt;p&gt;Virtual patching and antivirus scanning help protect your website against new vulnerabilities and malware.&lt;/p&gt;
&lt;h3&gt;Content Types (ISM-0649)&lt;/h3&gt;
&lt;p&gt;Only allow the specific content types your website needs to run. Restricting this reduces the risk of malicious content affecting your website.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Incorporating APRA’s ISM recommendations into your cybersecurity strategy makes your website more resilient against
cyberattacks. Treat them as essential operating practices for
website security, not as guidance to skim once and set aside.&lt;/p&gt;</content><category term="Financial Services Security"></category><category term="Compliance"></category><category term="Account Protection"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="GDPR"></category><category term="PCI DSS"></category></entry></feed>