Respecting Data Privacy Rights Through Data Encryption

Written by

Data rights are human rights. Whilst that principle is embedded within and encouraged by data regulations, including General Data Protection Regulation (GDPR), Data Protection Act (DPA) and Health Insurance Portability and Accountability Act (HIPAA), it is counteractively provoked by technologies, such as live facial recognition surveillance, that carry the looming risk of abuse and weaponization. Data privacy is often the price for services, whether it be police protection, app use or be given targeted, more relevant advertisements. This dichotomy has been the source of much debate, scrutiny and concern.

Data privacy must be a top priority for all organizations and should be considered from the outset of data sharing initiatives. Of course, avoiding hefty fines, job losses or suffering brand damage are all significant impetuses to protecting data. However, respect for consumers’ data privacy rights will drive organizations to go the extra mile to ensure data confidentiality.

This begs the question; how can data privacy be achieved? Whether or not data privacy, on a wider and global scale, can ever be truly achieved would perhaps be a more appropriate question. However, small measures taken to keep sensitive information protected and confidential can have a positive ripple effect. Individual organizations can take the lead in respecting their customers’ data privacy by encrypting data in transit and at rest.

How Can You Encrypt Data in the Cloud?

Encrypting data is a requirement of most compliance standards. Yet, a recent study found that an alarming 43% of cloud databases are not encrypted. Organizations are under constant attack and, regardless of whether the attack makes headlines or not, the data should be protected. To ensure data privacy when faced with common threats, such as distributed denial-of-service (DDoS) and malware attacks, data must be encrypted before it is sent to the cloud, in transit and at rest.

For ultra-secure encryption, that data should preferably be encrypted with a Federal Information Processing Standards (FIPS) certified randomly generated Advanced Encryption Standard (AES) 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or file sharing service and shared in the cloud should be securely encrypted.

The more people the data is shared with, the greater the challenge to ensure data privacy. Storing data in one place and accessed by authorized users only, who have a copy of the encrypted encryption key at hand, can allow for efficient working whilst ensuring data security. Sharing encrypted data securely allows for instant collaboration in the cloud, saving time in what would be days of posting encrypted USB flash drives to and from colleagues.

Controlling the Encryption Key

If the data is stored in the cloud, control of the encryption key is critical. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighborhood knows about.

The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution.

Security measures must go beyond the cloud login credentials. If a hacker obtains the user’s credentials, the breach will go unnoticed to the cloud security provider as they won’t be able to decipher between a legitimate user from an attacker. By retaining control of the encryption key, which should be encrypted itself ideally within an ultra-secure Common Criteria certified microprocessor along with a PIN authenticated code, away from the cloud increases the number of security measures from just one authentication method, the cloud account login, to as much as a five-factor authentication.

Backup Encrypted Data Using USB Flash and Hard-Disk Drives

Backing up valuable data onto an encrypted hard-disk drive can save organizations the trouble of losing access to important information during a ransomware attack. Using a PIN protected hard-disk drive will secure the data even if the drive is lost or stolen, avoiding the risk of their data being accessed or viewed by unauthorized persons.

To avoid losing sensitive information in the event of a ransomware attack, sharing information using PIN protected USB flash drives is another safe option. This can be especially useful for remote workers as they can securely protect and back up their confidential data whilst on the go.

Encrypting data using a unique and dedicated hardware based Common Criteria Evaluation Assurance Level (EAL)4+ ready secure microprocessor is the ideal solution. The ultra-secure microprocessor employs built-in physical protection mechanisms, designed to thwart cyber-attacks, such as side-channel attacks designed to defend against external tampering, bypass laser attacks and fault injections.

All critical components within the drive should be covered by a layer of super tough epoxy resin, which is virtually impossible to remove without causing permanent damage to the critical components. If breached, the drive’s tamper evident design will provide visible evidence that tampering has occurred.

Brute force limitation is an excellent feature to look for in a drive. If the PIN is entered incorrectly 10 consecutive times, the PIN will be deleted and the drive can only be accessed by entering the Admin PIN to reset the User PIN. If the Admin PIN is entered incorrectly 10 consecutive times, the encrypted encryption key is deleted and all data previously stored in the drive will be lost forever.

To keep sensitive information confidential, data stored locally on a computer, on a drive or in the cloud, or shared via email or file sharing service, must be encrypted. Data encryption is an important stride towards data privacy, helping organizations comply with regulations like GDPR. As fears of a looming big brother dystopian future grow and as data breaches hit headlines on a regular basis, organizations can stand out as data privacy pioneers and earn their customers’ trust.

What’s hot on Infosecurity Magazine?