Protecting your Sensitive and Personal Data

The Data Security Landscape

Data security has become an increasingly important priority for most organizations. The professionalization and commercialization of hacking means that organized groups of hackers make their money identifying and exploiting vulnerable targets. In some cases, these vulnerabilities are monetized through ransomware, but a common way of making a profit from hacking is stealing an organization’s sensitive data.

As a result, most organizations have been the target of a cyberattack designed to steal sensitive data. In fact, 58% of organizations who responded to a 2019 survey admitted that data had been stolen from their network within the previous 12 months. The value of sensitive data can be significant on the black market and the size of the data repositories held by the average organization means that a successful hacker can make a lot of money.

Beyond the reputational costs of failing to protect customer data, organizations now have to contend with a maze of data protection regulations. These laws and standards are designed to ensure that the data entrusted to an organization is properly protected. Many of these standards point to a variety of different countermeasures and security controls to implement, but one of the most effective means of protecting sensitive data is encryption.

Encrypting Data at Rest

Data can be in one of three different states: in use, in transit, or at rest. An attacker can steal data in any of these states, so it is important for an organization to protect data in all of them if possible.

Currently, there is no effective way for encryption of data in use, and the protection of sensitive data in transit has become widespread with the mass adoption of HTTPS and TLS. Many solutions exist for the protection of data at rest as well; however, the number of data breaches involving unencrypted data demonstrate that many organizations do not make use of them.

One of the biggest challenges with encryption of data at rest is key management. In order for various authorized users to use the encrypted files, they need to have access to the associated encryption keys. The need to provide different encryption keys for files with groups of different members and the ability to support key revocation (when an employee leaves or a key might be compromised) can make the system complicated. This is what makes Ghostvolt’s distributed encryption system so useful and effective.

Encryption and the Cloud

One area where organizations are falling behind in the protection of sensitive data is the cloud. The benefits of cloud computing make it an attractive option for many organizations. However, the differences between an on-prem deployment and a cloud deployment mean that many users and security teams fail to properly secure their cloud storage.

This has been demonstrated by the rash of data breaches caused by cloud users failing to properly set the security settings provided by their cloud service provider (CSP). Most CSPs allow multiple different security levels, with the most common model allowing a cloud deployment to be set to “private” or “public”.

Under this model, the concept of a private deployment is fairly self-explanatory. Under this model, only people who are explicitly invited can access the cloud-based resources. However, this model can be inconvenient due to the need to explicitly issue and revoke access to resources.

As a result, many organizations have inappropriately set their cloud deployments to “public”. Under this model, anyone with access to the cloud storage’s URL can find it (similar to link sharing in Google Drive). Since tools exist explicitly for searching for URLs of exposed cloud deployments, this can and has created significant security issues for organizations.

However, the public/private setting is a non-issue if organizations appropriately store their data in the cloud. About 60% of organizations store their data in the cloud in an unencrypted fashion, leaving it vulnerable to any attacker who manages to gain access to their cloud deployment. Since the cloud is outside their network and designed to be accessed from anywhere, these organizations may not even know if or when their data is breached.

The Need for Data Protection

Most organizations have some amount of sensitive customer information stored on their systems, and some organizations have a lot. These organizations have a responsibility to properly protect this data and to use it appropriately.

Historically, some organizations have failed to do this in highly-visible ways. Facebook is notorious for misuse of data and it is only one of many examples. The rash of data breaches in recent years have motivated governments to pass stricter data privacy regulations to ensure that their citizens’ data is appropriately protected.

Under the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act, and numerous other regulations and standards, organizations need to demonstrate that they are implementing at least the minimum acceptable security controls to protect their customers data or they risk facing substantial penalties and even lawsuits. Due to its effectiveness in protecting sensitive data from being breached, one of the most common requirements is encryption of data whenever possible. Recent data breaches have demonstrated that many organizations are failing to do so, but deploying a usable but effective encryption solution can have a dramatic impact on an organization’s ability to protect sensitive data and on their probability of being the victim of a damaging and expensive breach.