<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - GDPR</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/gdpr.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2024-12-01T13:00:00+11:00</updated><entry><title>Google Chrome's "IP Protection" vs Apple Private Relay</title><link href="https://www.peakhour.io/blog/apple-private-relay-vs-google-ip-protection/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/apple-private-relay-vs-google-ip-protection/</id><summary type="html">&lt;p&gt;An exploration of Google Chrome's new "IP Protection" feature and a comparison with Apple's iCloud Private Relay.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;Google Chrome's "IP Protection" vs. Apple's iCloud Private Relay&lt;/h2&gt;
&lt;p&gt;Google and Apple are both pushing browser-level privacy features that reduce how much a website can infer from a user's
IP address. Google's recent announcement of its "IP Protection" feature for Chrome follows Apple's iCloud Private Relay,
but the two approaches are not the same.&lt;/p&gt;
&lt;h2&gt;Apple's iCloud Private Relay: A Closer Look&lt;/h2&gt;
&lt;p&gt;In 2021, Apple introduced iCloud Private Relay for paid iCloud+ subscribers. The feature encrypts traffic from the user's
device and routes internet requests through two separate relays. The intention is to stop any single party, including
Apple, from building a comprehensive user profile from IP address, location, and browsing activity.&lt;/p&gt;
&lt;p&gt;However, this feature is specific to Apple's Safari browser. It is not a full VPN; it is a browser-centric service that
protects Safari traffic on iOS, iPadOS, and macOS. The user's internet requests are routed first through an Apple server,
then through a partner network like Akamai, Cloudflare, or Fastly, before reaching the intended destination. This dual-hop
design means neither party has a complete view of both the user's IP address and the browsing destination.&lt;/p&gt;
&lt;h2&gt;Google's "IP Protection": Playing Catch-up?&lt;/h2&gt;
&lt;p&gt;Google's "IP Protection" for Chrome appears to be an answer to Apple's initiative. By masking users' IP addresses using
proxy servers, Google aims to preserve user privacy while keeping essential web functions working. Unlike Apple's
solution, which is limited to Safari, Google's feature potentially has wider application within the Chrome ecosystem.&lt;/p&gt;
&lt;p&gt;However, Google's solution is still early, with phased implementation and limited domain application. Apple has already
integrated and offered iCloud Private Relay to its users; Google is still testing its feature.&lt;/p&gt;
&lt;h2&gt;Can Apple Allow Google's Feature on Chrome?&lt;/h2&gt;
&lt;p&gt;Given the competitive nature of the technology industry, it remains uncertain whether Apple will allow Google's IP
Protection feature on Chrome for Apple devices. With iCloud Private Relay already in place, Apple may see Google's
feature as redundant or conflicting with its privacy objectives.&lt;/p&gt;
&lt;h2&gt;The Bigger Picture: Ad Tracking and Platform Control&lt;/h2&gt;
&lt;p&gt;Both companies present these changes as privacy improvements, but the platform context matters. Hiding IP addresses does
not remove ad tracking, and privacy features can also reinforce platform control. By making privacy protections part of
their own browsers and ecosystems, Google and Apple can reduce some third-party visibility while keeping users inside
platforms they operate and measure.&lt;/p&gt;
&lt;p&gt;Apple's iCloud Private Relay and Google's "IP Protection" both improve some aspects of user privacy, with different
approaches and coverage. As Google plays catch-up to Apple in this area, users should understand what these features do
and what they leave in place. The goal should be genuine online privacy, and as we've discussed in our article on &lt;a href="https://www.peakhour.xyz/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;, network-based fingerprinting
is becoming increasingly important for protecting services in this changing environment.&lt;/p&gt;</content><category term="Security"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Account Protection"></category><category term="GDPR"></category><category term="Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>APRA Cybersecurity Guidelines</title><link href="https://www.peakhour.io/blog/apra-cybersecurity-application-security-financial-services/" rel="alternate"></link><published>2023-10-12T12:31:00+11:00</published><updated>2024-12-01T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-10-12:/blog/apra-cybersecurity-application-security-financial-services/</id><summary type="html">&lt;p&gt;Comprehensive guide to APRA cybersecurity requirements for Australian financial institutions. Learn how application security platforms help meet CPS 234 compliance and Information Security Manual guidelines for protecting financial services infrastructure.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Website cybersecurity is a practical requirement, and Australian organisations have a substantial body of guidance to work from.
While the Australian Government's "Essential 8" focuses broadly on workplace security, the Australian Prudential Regulation Authority (APRA) offers a more specific
&lt;a href="https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism"&gt;Information Security Manual (ISM)&lt;/a&gt;
with recommendations that apply to business websites.&lt;/p&gt;
&lt;h2&gt;Why Website Security Matters&lt;/h2&gt;
&lt;p&gt;When your business operates a website or web application, you are not just managing content; you are responsible for protecting data.
Inadequate security controls expose you to risks such as data breaches, malware, &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt;, and reputational damage. Company executives and operational staff need to implement relevant recommendations to minimise risk and liability
if a security breach occurs.&lt;/p&gt;
&lt;h2&gt;APRA’s ISM: Tailored for Websites&lt;/h2&gt;
&lt;p&gt;APRA's ISM guidelines are practical for website owners. These are the key recommendations for websites and why they matter:&lt;/p&gt;
&lt;h3&gt;Network Traffic and Anonymity (ISM-1627, ISM-1628)&lt;/h3&gt;
&lt;p&gt;Blocking anonymity network traffic reduces the ability of malicious actors to hide their identity. This improves
accountability when investigating suspicious requests and reduces security threats.&lt;/p&gt;
&lt;h3&gt;Cloud Service Providers (ISM-1437)&lt;/h3&gt;
&lt;p&gt;APRA advises the use of cloud service providers for hosting online services. A well-managed cloud platform can
provide security controls and operational maturity that are difficult to match on premises.&lt;/p&gt;
&lt;h3&gt;Content Delivery Network (ISM-1438)&lt;/h3&gt;
&lt;p&gt;A CDN is not only a performance tool. It can filter malicious traffic before it reaches the origin and provide an additional
layer of security.&lt;/p&gt;
&lt;h3&gt;Origin Exposure and DDoS Mitigation (ISM-1439)&lt;/h3&gt;
&lt;p&gt;Hiding the origin IP and using cloud providers for DDoS mitigation helps protect your primary server by dispersing traffic
across a distributed network.&lt;/p&gt;
&lt;h3&gt;Data Encryption (ISM-1781, ISM-1139)&lt;/h3&gt;
&lt;p&gt;Encrypt all data over the network and use only the latest version of TLS to protect data in transit.&lt;/p&gt;
&lt;h3&gt;Logging and Auditing (ISM-261, ISM-580, ISM-0585, ISM-1661)&lt;/h3&gt;
&lt;p&gt;Comprehensive audit logging is vital for tracking activity and identifying irregular patterns. Logs should be
detailed and reviewed periodically.&lt;/p&gt;
&lt;h3&gt;Web Application Firewall (WAF) (ISM-1240, ISM-1490, ISM-1509, ISM-1657)&lt;/h3&gt;
&lt;p&gt;A WAF provides a control point for monitoring and filtering incoming traffic, enabling you to block harmful requests.&lt;/p&gt;
&lt;h3&gt;Backup and Configuration (ISM-1511)&lt;/h3&gt;
&lt;p&gt;Back up your data, website, and configurations, and store them securely, preferably in a version-controlled environment such as Git.&lt;/p&gt;
&lt;h3&gt;HTTPS and SSL (ISM-1277, ISM-1552)&lt;/h3&gt;
&lt;p&gt;SSL certificates and HTTPS should be standard for all web content. This helps safeguard data integrity and user
confidentiality.&lt;/p&gt;
&lt;h3&gt;Scaling and Monitoring (ISM-1579, ISM-1581)&lt;/h3&gt;
&lt;p&gt;Ensure &lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;your website&lt;/a&gt; can scale during demand spikes and that you have real-time monitoring for capacity and availability.&lt;/p&gt;
&lt;h3&gt;Virtual Patching and Antivirus Scanning (ISM-1690, ISM-1288, ISM-1694)&lt;/h3&gt;
&lt;p&gt;Virtual patching and antivirus scanning help protect your website against new vulnerabilities and malware.&lt;/p&gt;
&lt;h3&gt;Content Types (ISM-0649)&lt;/h3&gt;
&lt;p&gt;Only allow the specific content types your website needs to run. Restricting this reduces the risk of malicious content affecting your website.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Incorporating APRA’s ISM recommendations into your cybersecurity strategy makes your website more resilient against
cyberattacks. Treat them as essential operating practices for
website security, not as guidance to skim once and set aside.&lt;/p&gt;</content><category term="Financial Services Security"></category><category term="Compliance"></category><category term="Account Protection"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="GDPR"></category><category term="PCI DSS"></category></entry></feed>