Keep your keys in your pocket -- only you should be driving your data
Generally speaking, an enterprise data security company and a National Security Agency leaker might make for strange bedfellows. Yet, some of the controversial Edward Snowden’s comments at the New Yorker Festival have us nodding our heads -- with reservations, of course.
In his video interview, Snowden warned about the vulnerability of some popular storage and collaboration tools, calling them "dangerous services" that are "hostile to privacy". Indeed, we too find it troubling that a vendor or government agency can access (and distribute) personal or corporate information, without the consent of the data owner.
We should look at the matter like this: These are your data, and only you have the right to say who can or can’t access them. It doesn’t matter who wants to see the information: The federal government, or the service providers entrusted to keep the data safe.
One method to overcome this vulnerability is to use information rights management (IRM) technology to protect content, for its full lifetime. With IRM, the user applies access management at the individual file level, and controls what can be done to the document -- even after it’s been shared with third parties. Additionally, IRM encrypts the document to prevent unauthorized access to its contents.
The Provider is the Weak Link
However, there remains the issue of cloud provider vulnerability. Vendors with access to your data can give them to, say, a law enforcement agency (if requested). But the vendor-held encryption keys can also make the usually reliable encryption barrier useless if a hacker obtains those keys. The sturdiest locks on your home won’t keep the possessions inside safe if the door key is right under the welcome mat. So, having the keys to your data residing anywhere but with you opens you up to more risk.
Given the near-ubiquity of the cloud in our everyday lives, there are ever-expanding opportunities for unauthorized parties to exploit security vulnerabilities and access our data. This especially applies when the data make their way through third-party cloud platforms. (Just think of the recent hack of the Apple iCloud, and the subsequent leak of all those celebrity personal photos.)
There are organizations and individuals who rely on vendors to encrypt and protect their private data, intellectual property, or other sensitive information. But these customers still leave themselves open to two possible points of protection failure:
- When a government demands the solution provider grant data access
- When there is a successful data breach at service provider’s data center -- a single hack of a server could compromise all of a provider’s customer authentication tokens.
In a Dangerous World, Customer Data Encryption is Key
Permanent encryption of files ensures the data is protected from anyone who doesn’t have the keys to unencrypt them. But typically, the keys that encrypt cloud data are in the hands of vendors and providers. This makes the keys themselves susceptible to the vulnerabilities described above.
However, imagine if it’s the cloud customer who decides who can use and access the encryption keys. Then these issues significantly diminish: a hacked provider won’t have the data keys to lose. Nor will the provider have the ability to hand them over at the request of the NSA or one of its affiliated organizations. (Incidentally, these data "requests" are usually made without anyone alerting the data owners.)
Empower the Client
Customer-managed key (CMK) solutions make the physical location of the files less relevant. That’s because no party, regardless of location or jurisdiction, can decrypt the data without those keys. The CMK technology also allows the cloud platform to be used to its full potential, without increasing risk.
Many chief information security officers have been slow to move to the cloud. This is in part from concerns about software-as-a-service (SaaS) vendors having access to their data. With CMK capabilities removing that hurdle, cloud adoption could accelerate. Ultimately, access to a CMK solution should ease most customers' privacy concerns about using a SaaS provider.
Compliance through CMKs and IRM
Additionally, it’s an attractive option for regulated industries, such as health care, law or finance. It will also appeal to companies that want to leverage the cloud, but have concerns about foreign governments requesting access to their sensitive content.
In the US, expected changes in data privacy laws over the next 12 months to 18 months (ushered in by Mr. Snowden’s leaks, as well as numerous hacking incidents), will drive industry significant change. It’s possible adopting CMK will allow businesses to anticipate those changes ahead of time.
Now, all the outstanding technology in the world won’t help if you don’t match it with best security practices. So, just as you don’t leave sensitive personal information lying around, you must take care to know what sorts of content needs to be protected. You must create company policies that clearly define confidential data, what files may be shared with partners, what files must be deleted, and so on. And of course, make sure employees are compliant with these rules.
That said, customer managed key technology could provide an important step for ensuring data privacy and data security. While it’s an emerging solution now, in the future it is likely to see wider adoption as vendors realize they need to implement it to stay on the security forefront.
Image Credit: eenevski / Shutterstock
Daren Glenister is the field chief technology officer for Intralinks, a global provider of secure collaboration tools for highly regulated industries. Glenister interacts with the company’s enterprise customers across the Americas, gathering valuable feedback that helps steer the direction of the company’s award-winning secure collaboration solution, Intralinks VIA. Glenister has 20 years of experience in security, software and customer relationships. Prior to joining the Intralinks team, he was vice president of technical sales of the security division at CA Technologies.