• Respecting data privacy rights through data encryption

    Stuart O'Brien

    John Michael, CEO at iStorage, considers the need for increased privacy in relation to sensitive information and looks at the methods and mechanisms to ensure high levels of data security…

    Data privacy should be a top priority for all organisations. As systems and services increasingly move into the cloud as part of the digital transformation agenda, company data, a much sought-after commodity to malicious threat actors, is ripe for the taking. And, there has never been a more critical time to protect it. Evolving intelligence indicates that the Russian government is exploring options for potential cyber-attacks [1] as a response to unprecedented sanctions and export controls to hold President Putin to account for his war against Ukraine. This puts organisations at risk and means that cybersecurity and data protection must be an absolute priority.

    Even relatively small measures taken to secure data can have an immediate positive effect when rolled out across a business and its stakeholders, but companies are not always quick enough to respond and act. What, then, are the steps that organisations should be taking, and how can they be implemented quickly and effectively to respect the rights of the data owner while implementing the highest levels of protection to prevent data from becoming compromised?

    Encrypting data in the cloud

    Encrypting data is a requirement of most compliance standards. Organisations are under constant attack and, regardless of whether an attack makes headlines, the data should be protected. To ensure data privacy when faced with common threats, such as DDoS and malware attacks, data must be encrypted before it is sent to the cloud, and stay encrypted in transit and at rest. For ultra-secure encryption, that data should preferably be encrypted with a FIPS-certified, randomly generated, AES 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or file-sharing service, and shared in the cloud should be securely encrypted.

    The more people the data is shared with, the greater the challenge to ensure data privacy. Storing data in one place and ensuring that it can only be accessed by authorised users who have a copy of the encrypted encryption key can allow for efficient working whilst ensuring data security. Sharing encrypted data allows for instant collaboration in the cloud, safe in the knowledge that the data is highly secure.

    Controlling the encryption key

    If the data is stored in the cloud, control of the encryption key is important. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, allowing customers to manage their encryption keys. However, the encryption key is still stored in the cloud and thus accessible to hackers and even the CSP’s own staff. It’s imperative that the user has full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked.

    Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution. Security measures must also go beyond simple cloud login credentials. If a hacker obtains a user’s credentials, the breach will go unnoticed by the CSP, which will not be able to differentiate between the hacker and a legitimate user. Keeping the encryption key away from the cloud increases the number of security measures from just one authentication, the cloud account login, to as much as five-factor authentication.
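
    The approach in the two sections above, as an added example (not code from the article or from iStorage): data is encrypted on the client under a random AES-256 data key, and that key is itself encrypted under a key-encryption key (KEK) that is never uploaded. The function names, the `dek`/`data` labels and the software-generated KEK are assumptions made for illustration.

```ruby
require 'openssl'

# Added example; all names are illustrative. Keys come from OpenSSL's software RNG,
# standing in for whatever certified generator or hardware holds the real key.
KEY_LEN, NONCE_LEN, TAG_LEN = 32, 12, 16 # bytes: AES-256 key, GCM nonce, GCM tag

# AES-256-GCM encrypt; returns nonce || tag || ciphertext.
# `label` is authenticated as associated data, so a wrapped key cannot pass as a payload.
def seal(key, msg, label)
  raise ArgumentError, 'key must be 256 bits' unless key.bytesize == KEY_LEN
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv # fresh random nonce for every message
  c.auth_data = label
  ct = c.update(msg) + c.final
  nonce + c.auth_tag + ct
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or altered data.
def unseal(key, blob, label)
  raise ArgumentError, 'truncated blob' if blob.bytesize <= NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.auth_data = label
  d.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + d.final
end

# Runs on the client. Only the returned hash is uploaded; the KEK stays off the cloud.
def encrypt_for_cloud(kek, plaintext)
  dek = OpenSSL::Random.random_bytes(KEY_LEN) # one-off data-encryption key
  { wrapped_dek: seal(kek, dek, 'dek'), ciphertext: seal(dek, plaintext, 'data') }
end

# Needs the locally held KEK: unwrap the data key, then decrypt the payload.
def decrypt_from_cloud(kek, blob)
  unseal(unseal(kek, blob[:wrapped_dek], 'dek'), blob[:ciphertext], 'data')
end

if __FILE__ == $PROGRAM_NAME # constructed sample data
  kek  = OpenSSL::Random.random_bytes(KEY_LEN) # stand-in for the key kept off-cloud
  blob = encrypt_for_cloud(kek, 'constructed sample record')
  puts decrypt_from_cloud(kek, blob)
end
```

    Someone who obtains only the uploaded hash holds two authenticated ciphertexts and no key, so `decrypt_from_cloud` raises `OpenSSL::Cipher::CipherError` for any KEK other than the original.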

    Back up encrypted data to secure drives

    Backing up valuable data onto an encrypted hard drive can prevent organisations from losing access to their important information during, for example, a ransomware attack. Using a PIN-protected hard drive will secure the data even if the drive is lost or stolen, avoiding the risk of the data being accessed or viewed by unauthorised persons. To avoid losing sensitive information in the event of a ransomware attack, sharing information using PIN-protected USB flash drives is another safe option. This can be especially useful for remote workers as they can securely protect and back up their confidential data on the move.

    Encrypting data within a dedicated hardware-based Common Criteria EAL5+ certified secure microprocessor is the ideal solution to data security. The ultra-secure microprocessor employs built-in physical protection mechanisms, designed to thwart cyber-attacks, and is designed to defend against external tampering, bypass laser attacks and fault injections. All critical components within the drive should be covered by a layer of tough epoxy resin which is virtually impossible to remove without causing permanent damage to the critical components. In addition, brute-force limitation ensures that if a PIN is continuously entered incorrectly the encrypted encryption key is deleted along with all data previously stored on the drive.

    Following these recommendations will help today’s businesses keep their sensitive information confidential, regardless of where it is stored and how it is shared. Data encryption is an important part of ensuring ongoing data integrity, helping organisations comply with data protection regulations and earn customer trust in their ability to manage data more safely.

    About John Michael, CEO, iStorage

    After constantly reading about increasing data loss incidents, iStorage CEO and Founder, John Michael, saw this was clearly a growing problem with damaging consequences and identified a huge gap in the market to establish a business offering ultra-secure, easy-to-use and affordable data storage devices. Applying his 35 years’ worth of knowledge and experience within the data storage space enabled John to come up with ideas for products that would resolve such problems.

    [1] https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

