As stories of breaches continue hitting the headlines, especially targeting cloud stores and user’s data, passwords, credit cards, and email addresses have become the prized target for cyber criminals all over the world.
In a lot of these cases the information was encrypted, as industry standards recommend. This doesn’t mean hashed, but truly encrypted, with keys that means unless a would-be thief also manages to access the key store then your information is safe. Or at least it should be!
However, when we take closer look in to the statement, “then your information is safe,” there are two parts we need to understand. The first is a relatively simple one. Safe from whom? If a thief, then yes. If your keys themselves are secured, then your information should be safe. However, a lot of hacks seem to come from an internal source to where the information is being held, such as from an unhappy employee, an ex employee who was recently let go, or even an employee who has an axe to grind. The disgruntled employee can use inside knowledge to share a virus, share documents with rivals or misuse company and personnel data. If this organization is a cloud store or service provider that also holds and owns your encryption keys, then in any one of these cases your information is far from safe.
For example, there have been many stories about the sharing of celebrity nude photos in the past couple of years that have made individuals and companies wonder about the security of data stored in the cloud and ask such questions as: Is the data encrypted at the server, while in transport? What level of encryption is used and how much authentication is performed? Because another employee could also have access to the keys to the cloud store your information is in, then your data is no longer encrypted. This is not as far-fetched as it may seem. This has been the case for many breaches over the past few years.
The above scenario is about data theft, when an individual or individuals go out to steal data for their own gain. But what about those scenarios when a government or legal authority decides that they need access to your corporate information? This is not necessarily theft, but it can be unwanted access despite being in the public interest. According to the US’s Communications Assistance for Law Enforcement Act (CALEA), a “communications provider” of any size must allow government agencies access to data. The service providers are not told why the data is needed, only that they must comply.
Government should have the right to do this, as this often has secured us all from many security threats. The question here though is one of accountability. If your supplier owns your security, then they are obliged to pass over not just the documents, but also the keys that allow this information to be decrypted. All of this is happening without your corporate knowledge! The issue is not that the government has access; the bigger threat is lack of knowledge about where corporate data is headed. That is why many tech companies are taking a strong stance on what user data they share with the government and it will continue to be heavily debated moving in to 2017. One possible solution would be if you, as an individual, had ownership of your security. Then the government department could come to you directly, giving you the opportunity to directly pass this information across with full knowledge and the accountability that goes with that.
In summary, if you pass your security to a third party, and they own and store your encryption keys, then you have lost control of your information. It is imperative that you own and store these separately from your cloud suppliers. If you do not, then your information can be stolen or subpoenaed without your knowledge.
No comments:
Post a Comment