In my last blog post, I discussed the importance of location in data protection. Not physical location but rather legal, political and logical location — which will be the driving factors of data storage in the coming years.
A mere three days after my previous post, a Federal judge upheld the validity of a warrant to Microsoft for email stored by its Irish subsidiary. Microsoft has vowed to continue its fight to protect the privacy of its users from extraterritorial demands. But the ruling reinforces the notion that governments will continue to view the legal location (the jurisdiction governing the controlling entity) and the logical location (the jurisdictions from which access is available) as valid grounds for lawful demands.
Just a week after that ruling, Yahoo (following on the earlier announcement by Google) announced it would be offering end-to-end encryption of email to its users by 2015, using the OpenPGP standards. It is certainly not the first. Hushmail and Startmail (currently in beta) both offer user-encrypted email.
Before that, users with enough technical acumen could use PGP with a local email client, such as Mozilla Thunderbird or Microsoft Outlook, to securely communicate. While Web-based versions of encrypted email offer ease of use, care must be taken that the service providers don’t have access to the encryption keys. Otherwise, one winds up right back in the situation that Microsoft finds itself in today — having to turn over user data because they have logical access to it.
Careful design might not even be enough. Notoriously, all the way back in 2007, Hushmail actually reprogrammed its website to comply with an intercept order in Canada under a mutual legal assistance treaty with the United States. The reprogramming allowed Hushmail to provide the encryption keys to the FBI, letting them decrypt the messages stored on the service. More recently, Lavabit, email service provider to Edward Snowden, shut down rather than compromise the security of its 400,000 users under a similar intercept demand. The owner, Ladar Levison, is facing contempt charges for his actions.
Steps to Keep Data Private
It isn’t just government subpoenas and warrants that companies and individuals need to worry about. Ill-willed employees, contractors with a profit motive, and hackers are all after your data, as well. The fact remains: If another company holds your data and it is encrypted but they hold the keys, your data is not 100 percent protected.
Sure, encryption reduces the likelihood that your information will be compromised — but only as far as the encryption keys are secured. It’s akin to hiding the key to your house under the front door mat. Sure, the house is locked, but the key is with the house. A criminal doesn’t have to go far to unlock the door.
The recent iCloud hack of photos of celebrity Jennifer Lawrence, and as many as 100 others, highlights the need to protect accounts via individual encryption keys. In that case, if the encryption keys had been stored on the iPhone (so that Apple itself had no technical access to them), the attackers, who used a general weakness in iCloud security to render all accounts vulnerable, would have been thwarted. Previous hacks of celebrity phones were done through social engineering and targeted attacks. Decentralizing the encryption keys onto the individuals' devices would have required the attackers to target individuals as they've done in the past, not the entire system as they did in this case.
So, assuming keeping your data in house isn’t an option, how do you protect yourself and preserve data privacy?
- Keep your encryption keys in house. Outsourcing your data storage can provide numerous benefits, but don’t outsource control over your data. More and more SaaS providers are realizing the issues that arise for customers who don’t have control over their data, and are giving those customers the option to control their own keys.
- Don’t use a Web-based client. Web-based clients can be altered, compromised, have code injected at the server or in the browser (cross-site scripting), or be compromised through a man-on-the-side attack (like the NSA’s Quantum). If you must use a Web-based client, fully understand the risks.
- Use a dedicated client to access your data. Even dedicated clients can be compromised, but they are far more secure than Web-based ones. Avoid automatic updates to critical software components and validate updates before they are applied. Protect the operating system on which the client runs. Store encryption keys on a hardened system with limited access.
Nobody ever said information security was easy. Keeping data in house doesn’t necessarily provide the most protection, either. You lose the scalability an outsourced provider can bring, not just in raw computing power but in scalable security, increased availability, protection from denial of service attacks, and many other benefits. Just make sure you use some of the cost savings to beef up your in-house information security talent so you can properly protect the data in your organization.