Why encryption is good.

Privacy is a big topic, and it ties into encryption.

Our data, from the news sites we visit to our social media and purchases, is tracked and cataloged. This data is sometimes compiled from different sources to create profiles for each user. 

Most of the time this information is collected without our active participation; sometimes, though, we hand it over ourselves even when it is not required.

I know what you’re thinking… Maybe I can use a VPN to block some of this tracking, use a filtering DNS service, or use similar protection. It could help a bit, but tracking now is so sophisticated that I’m unsure it helps much. Your credit card transactions alone identify you, and the accounts and details required to do business on the Internet leave a trail that is hard to shake off.

With every data breach, more of our data is leaked: name, address, phone number, age, gender, and email. Other data points often collected are ethnicity, income level, voter registration, and occupation.

This amount of information, pieced together from various breaches, can be used maliciously. Just as advertisers target us using this data, attackers are likely doing the same, and nation states are likely taking advantage of it as well.

I’m sure everyone reading this has received a notice, by email or post, that their information was disclosed in a breach.

How do we prevent this? 

We can’t… Too many companies collect our data. There are companies neither of us has heard of that have profiles on us and everyone we know. These profiles are used for split-second advertising auctions that determine the ad you see, or even the commercial on your streaming service. That is a whole other story.

Since we can’t stop this, what can we do?

Good IT practices are required to secure data, but most importantly, data must be handled carefully, and specifically it must be encrypted, so that it is readable only by someone holding a separate secret (the decryption key), whether the data is in transit or at rest.

If an attacker steals data that was encrypted with a strong cipher, the data is useless to them unless they also obtain the key. If they get the key too, well, it’s not the encryption’s fault at that point… which is why the key must never be stored alongside the data it protects.

Our only hope?

Regulatory and other compliance requirements create the frameworks or rules required to protect data in an IT system. 

For instance, a company that processes many credit card transactions must pass an IT audit against the Payment Card Industry Data Security Standard (PCI DSS). This audit checks that cardholder data is protected, that only the data actually required is collected, and that other IT controls are in place to validate a safe computing environment for processing or storing credit card data. PCI DSS is an example of an industry-imposed standard; other regions and industries have their own requirements.

However, most companies collecting data on US citizens face few such regulations today.

GDPR and NIS 2 in Europe are trying to address this topic and reduce the risk by questioning whether data needs to be collected at all, creating requirements for how data is stored, and, under GDPR, requiring that a user’s data be deleted on request.

FedRAMP is an IT authorization that cloud service providers must obtain before working with US federal agencies. It is based on the NIST SP 800-53 control framework and, in my opinion, is helping the industry as a whole, but it applies only to cloud providers serving the federal government.

Why is encryption good? 

Encryption is required to keep data safe: it ensures confidentiality, and authenticated encryption modes also ensure integrity, so any tampering with the protected data is detected rather than silently accepted.

Encryption is a mechanism that renders data unreadable to anyone other than the intended parties.

It is used in two ways:

At rest, when an item is stored; think of a network share drive or SharePoint.

Or

In transit, when data is moving across the network; think of a credit card transaction travelling over TLS.
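The two cases above, together with the earlier point that stolen ciphertext is useless without the key, can be shown concretely. The following is an added example written for this page, not code from the original post: it seals a stored record with AES-256-GCM from Go’s standard library, then shows that the blob reveals nothing, that a wrong key, a flipped bit, or the wrong context all fail to decrypt, and that only the right key yields the record. The card-shaped record contents, the `customers:row=42:v1` context string, and the in-memory key handling are constructed assumptions for illustration; in production the key lives in a KMS or HSM, never beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 32-byte key for AES-256. (Assumption for this
// example: the key is generated in memory; a real system fetches it from a
// KMS/HSM or vault and never stores it next to the data it protects.)
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD; aes.NewCipher rejects keys that are not
// 16, 24 or 32 bytes long.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM (authenticated encryption).
// Output layout is nonce || ciphertext || 16-byte tag. A random nonce is
// drawn per call; reusing a nonce under the same key breaks GCM.
// aad ("associated data") is authenticated but not encrypted: it binds the
// blob to its context (record id, table, schema version) so a blob cannot
// be silently moved into another record's slot.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails closed: a wrong key, a flipped bit
// anywhere in the blob, or mismatched aad yields an error and no plaintext.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Tamper returns a copy of sealed with one bit flipped at byte position i,
// simulating a thief editing the blob or a corrupted disk sector.
func Tamper(sealed []byte, i int) []byte {
	out := append([]byte(nil), sealed...)
	out[i%len(out)] ^= 0x01
	return out
}

func main() {
	// Constructed sample record (a test card number, not real data).
	record := []byte(`{"pan":"4111111111111111","exp":"12/29","name":"A. Customer"}`)
	aad := []byte("customers:row=42:v1") // assumed context label for this row

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, card number visible in it: %v\n",
		len(sealed), bytes.Contains(sealed, []byte("4111111111111111")))

	// 1. Thief has the blob but not the key: nothing to read.
	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, sealed, aad)
	fmt.Println("decrypt with wrong key:", err)

	// 2. One bit changed in the blob: the integrity check rejects it.
	_, err = Decrypt(key, Tamper(sealed, len(sealed)-1), aad)
	fmt.Println("decrypt tampered blob:", err)

	// 3. Blob copied into another row: the aad binding rejects it.
	_, err = Decrypt(key, sealed, []byte("customers:row=43:v1"))
	fmt.Println("decrypt under another row's context:", err)

	// 4. The legitimate service with the key and the right context.
	plain, err := Decrypt(key, sealed, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with right key:", string(plain))
}
```

The same `Encrypt`/`Decrypt` pair protects data in transit as well: a message sealed this way can cross an untrusted network and the receiver learns, before reading a single byte of it, whether it was altered on the way. TLS does the same job for a whole connection with negotiated keys, which is why it is the right tool for the credit card transaction case rather than hand-rolled code.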

Business can only be conducted online with strong, reliable encryption to protect transactions. 

Now, imagine if the government wanted a back door in any of the encryption standards…

Every financial transaction, from Amazon to FanDuel, must be encrypted to prevent snooping. A backdoor in the encryption protocol used for these transactions would shake confidence in every online transaction.

Any security professional will understand the CIA triad: confidentiality, integrity, and availability. These are the pillars of data security.

The government should understand that an encryption protocol with a back door is not secure: a backdoor is just another secret, and secrets get leaked, stolen, or rediscovered by adversaries, who then hold the same access.

Please think twice before assuming encryption is a bad thing. Without encryption, online transactions would not be possible. 

The next time you bet on FanDuel or buy something on Amazon, consider that you are counting on your information being securely encrypted.