By Linus Chang, CEO and Founder, Scram Software (https://scramsoft.com/)
Any company that collects data about EU residents now has a duty of care in safeguarding that data from leakage. But despite being custodians of such data, many companies saw it was low in value, and therefore did a poor job of securing the data from breach. But thanks to steep regulatory fines such as those enforceable by the EU’s new GDPR, it is now possible to put an actual price on personal data, i.e. the size of the potential fine if the data is stolen.
The next step is to determine the best way to protect it. While many cloud providers purport the ability to secure data, there are clear reasons why organisations can’t simply rely on the level of “security” that a cloud provider offers.
Dr Toby Murray, a leader in software security (University of Melbourne, Australia), recently commented, “In theory, the market is supposed to incentivise cloud providers to keep customer data safe. Yet history tells us that few organisations can truly be relied upon to have sufficient security, even when their business models depend on them remaining secure.”
As an example, Murray cites certificate authorities like DigiNotar, which went out of business in 2011 after a significant security breach. “Knowing that your cloud provider might go out of business if your company’s data is breached is little comfort if that breach would also cripple your own business,” said Murray.
Most people only think of encryption in relation to privacy, but encryption is also a way that a data owner can use the cloud while still retaining control of their assets. This, in fact, is one of the most valuable features of encryption as a tool – provided that the owner manages the encryption key properly. While other methods can safeguard the network, the computer, or the file system, encryption is the only way to safeguard the data itself.
Two additional layers of data security via encryption
In addition to providing data owners with privacy and control over their files, cryptography also offers two additional layers: integrity, since it ensures that the data isn’t modified from its original form, and authentication, since it verifies that the data comes from the specified source. An example of this usage is with fingerprint data, since encryption ensures two fingerprints aren’t swapped. As Dr Vanessa Teague, a cryptographer at the University of Melbourne, points out, sometimes data is evidence. “Think about police cameras, for example,” she said. “The police might not only have to keep the data private, they might also have to prove at a later date that nobody had the opportunity to tamper with it.”
Teague emphasises another reason why encryption is critical for data security today: not all data breaches occur by accident. “Some occur because the entity to whom you entrusted your data could make money by reselling it, or giving others the opportunity to exploit it,” she said. Teague added that if you look carefully at the dispute between Cambridge Analytica and Facebook, you will see that the Cambridge University researcher who acquired the sensitive data of millions of people did so with Facebook’s permission.
“A cloud provider of any data might, similarly, decide to share it,” explained Teague. “This becomes even murkier if the entity believes your data has been ‘de-identified’ before sharing. Although it may be very easily re-identifiable, you may have no way of knowing, and some countries are considering making it a crime for you to try to find out.”
This should make it clear why secondary copies of data – such as backups, archives, migrations, and transfers – should ideally always be encrypted. Since these forms of data live as files, this is easy due to recent advances in file system encryption. Many primary copies of data can also be encrypted, and with more web systems collecting private or sensitive information (such as identification data and fingerprints), it’s becoming even more important that this happens.
However, despite the obvious need, one must ask why encryption is used so rarely. Unfortunately, cryptography has had a reputation for being troublesome and expensive to implement. With data coming from so many sources and being stored in so many systems, the encryption tools have not been able to keep up with the changing environment.
In a world that’s experiencing unprecedented levels of data breaches, what is needed is a well-designed, universal file encryption system that secures different types of data to protect against many forms of cybercrime, thereby minimising the chance of a successful data poach. Further, the system must also be easy to deploy, and come with foolproof instructions so that it is always implemented correctly. Dr Ron Steinfeld, a leader in post-quantum cryptography (Monash University, Australia), has been working on one such system, called ScramFS. “Encrypting stored user information on the cloud server with a key known only to the user, as is done by ScramFS, should significantly reduce the likelihood of such data breaches,” Steinfeld commented.
Bio for Linus Chang, CEO & founder of Scram Software:
Linus Chang is CEO & founder of Scram Software, which provides world-class encryption tools enabling SMEs and government organisations to easily and affordably secure data stored locally and in the cloud. ScramFS – the flagship product Chang designed, developed and peer-reviewed alongside international security and cryptography experts – also achieves aspects of GDPR compliance by enabling organisations to implement encryption and pseudonymisation security protections (Article 32) by design and default (Article 25), while also mitigating the obligations of reporting data breaches to data subjects (Article 34).
A computer programmer and entrepreneur from Melbourne, Australia, Chang previously created BackupAssist, a SME software product which has sold over 170,000 copies to 165 countries, with customers including the Department of Homeland Security and NASA.