One expert says that well-implemented client-side encryption, where the corporate user keeps their own key rather than entrusting a third party to guard their sensitive information, is the only sure way to guarantee data privacy when storing data on other people’s servers.
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.
With the ubiquitous nature of cloud-based services, many people, corporations, and governments have decided to trust cloud providers with their sensitive data. However, as the recent Facebook/Cambridge Analytica incident painfully revealed, this is not always smart. Data breaches can cost companies millions in fines, along with huge losses in customer trust. Ordinary citizens themselves are often the biggest losers in these scenarios, with their personal — and sometimes even financial — data at risk of misuse and misappropriation.
While the Facebook data scandal may have taken some by surprise, security professionals have been warning of this possibility for years. Once data is in the hands of a third party, that party can disclose it without your knowledge, whether legally or illegally, on purpose or by accident. When you consider how many third parties have your data, the enormity of the problem quickly becomes apparent. How can we be sure each third party will treat your data the way you expect?
At both a personal and corporate level, there are huge gains to be made in protecting against data breaches. The fact is that well-implemented client-side encryption — where the corporate user keeps their own key rather than entrusting a third party to guard their sensitive information — is the only sure way to guarantee data privacy when storing data on other people’s servers. Taking Europe as an example, where privacy tends to be more front-of-mind than in the U.S., the GDPR legislation strongly advocates the use of encryption as a safeguard for protecting personal data.
However, our research has shown that only 4% of breached data is actually encrypted, meaning that 96% of data is up for grabs by cybercriminals. This represents a huge opportunity for improvement. Let’s take a closer look at why encryption is the only surefire way that companies can ensure data privacy in the cloud.
Widening What to Protect
Historically, many companies have based their security best practices solely on the risk that a potential breach posed to the organization, without regard for the risk that a consumer or citizen might face. This was based on the myopic assumption that when it comes to value as an asset, personal data was not in the same league as key IP like a trade secret, like the recipe for KFC.
Failing to protect citizens’ personal data is no longer an option in the current climate of “breach a week” headlines. So a mindset shift is currently underway in many American corporations, which entails organizations broadening their concept of what constitutes data protection. When today’s organizations safeguard and encrypt data, it is becoming generally accepted that this process needs to protect not just corporate data, but also the privacy and identifying details of citizens. This is particularly important in a climate that combines: 1) more data being stored digitally; with 2) the interconnectedness of the cloud, which enables many new threats and forms of crime.
Technically speaking, it’s frightening how easy it is to inadvertently trigger a massive data breach. It can be as simple as one click of the mouse on a checkbox that misconfigures access controls and makes personal data publicly accessible, or one accidental drag-and-drop that copies data to somewhere unexpected. In what’s believed to be the largest known data leak of its kind, the Republican National Committee leaked the personal details of 198 million U.S. voters due to a simple misconfiguration on an unsecured and publicly accessible Amazon S3 server.
The Value of Personal Data
Previously, the sensitive data of citizens had an ambiguous value to a company. But thanks to steep regulatory fines such as those required by GDPR or HIPAA, we can now put an actual price on personal data. The answer is up to millions of dollars per HIPAA violation, or up to 2% of global turnover per the GDPR.
If you understand that personal data has clear value, the next step is to determine the best way to protect it. While many cloud providers purport the ability to secure data, there are clear reasons why you can’t simply rely on the level of “security” that a cloud provider offers. Dr. Toby Murray at the University of Melbourne makes this point: “In theory, the market is supposed to incentivize cloud providers to keep customer data safe. Yet history tells us that few organizations can truly be relied upon to have sufficient security, even when their business models depend on them remaining secure.”
As an example, Murray cites certificate authorities such as DigiNotar, which went out of business in 2011 after a significant security breach. “Knowing that your cloud provider might go out of business if your company’s data is breached is little comfort if that breach would also cripple your own business,” says Murray. Dr. Vanessa Teague, a cryptographer at University of Melbourne, adds: “The incentives only work if someone finds out that their data has been breached — we don’t know how many breaches are never discovered, or never reported.”
Most people only think of encryption in relation to privacy, but encryption is also a way that a data owner can use the cloud while still retaining control of their assets. This, in fact, is one of the most valuable features of encryption as a tool — provided that the owner manages the encryption key properly.
Here’s an apt analogy: Say you have a car worth $10 million. Naturally, if you park it in a garage, you’ll look for the best and most secure garage available. Still, wouldn’t you ultimately feel safer if the key was kept in your pocket, instead of given to the valet? While other methods can safeguard the network, the computer, or the file system, encryption is the only way to safeguard the data itself.
The Expanding Role of Encryption
In addition to providing data owners with privacy and control over their files, cryptography also offers two additional layers: integrity, since it ensures that the data isn’t modified from its original form and authentication since it verifies that the data comes from the specified source. An example of this usage is with fingerprint data since encryption ensures two fingerprints aren’t swapped. As Teague points out, sometimes data is evidence. “Think about police cameras, for example,” she says. “The police might not only have to keep the data private, they might also have to prove at a later date that nobody had the opportunity to tamper with it.”
Teague emphasizes another reason why encryption is critical for data security today: not all data breaches occur by accident. “Some occur because the entity to whom you entrusted your data could make money by reselling it or giving others the opportunity to exploit it,” she says. Teague adds that if you look carefully at the dispute between Cambridge Analytica and Facebook, you will see that the Cambridge University researcher who acquired the sensitive data of millions of people did so with Facebook’s permission.
“A cloud provider of any data might, similarly, decide to share it,” explains Teague. “This becomes even murkier if the entity believes your data has been ‘de-identified’ before sharing. Although it may be easily re-identifiable, you may have no way of knowing, and some countries are considering making it a crime for you to try to find out.”
This should make it clear why secondary copies of data — such as backups, archives, migrations, and transfers — should ideally always be encrypted. Since these forms of data live as files, this is easy due to recent advances in file system encryption. Many primary copies of data can also be encrypted, and with more Web systems collecting private or sensitive information (such as identification data and fingerprints), it’s becoming even more important that this happens.
However, despite the obvious need, one must ask why encryption is used so rarely. Unfortunately, cryptography has had a reputation for being troublesome and expensive to implement. With data coming from so many sources and being stored in so many systems, the encryption tools have not been able to keep up with the changing environment.
In a world that’s experiencing unprecedented levels of data breaches, the goal is to minimize the chance of a successful data poach. As Dr. Ron Steinfeld of Monash University notes: “Encrypting stored user information on the cloud server with a key known only to the user should significantly reduce the likelihood of such data breaches.” However, it can be difficult to implement a secure encryption system, since software developers face common problems such as incorrectly choosing cryptographic primitives that are no longer considered secure, or implementing encryption without proper consideration of the requirements for confidentiality and integrity. With this in mind, developers should seek tools and documentation that show exactly how specific tasks should be performed — an “encryption cookbook,” if you will — with clear “recipes” for correctly encrypting a wide range of data, from a Microsoft SQL Server backup to a WordPress website back up.
Since it’s as important for companies to safeguard customer data as corporate files yet there’s an increased prevalence of online threats from spying and hacking, encryption has an ever-expanding role to play in data privacy, control, integrity, and authentication.