A Case for Encryption

Does the security of your online cloud-stored data-at-rest keep you awake at night?
If it does, you’re not paranoid and you’re not alone. The amount of data being stored online and in the cloud will continue to grow exponentially. This means that more of our data, whether it is at rest or actively changing, may be exposed to malicious attacks, uninvited scans, and even intrusive copies.

What would you say if I told you that black-hats, hacktivists, and script-kiddies (hackers) may be the least of your worries? You may be asking yourself “who else do we need to protect ourselves from?” Have you ever suspected that, just maybe, Google, Yahoo, Facebook, the FBI, CIA, and/or NSA may be exploiting the vulnerabilities of private, sensitive data? Am I beginning to sound paranoid, or is it the truth to state that “all of the above” may have already breached your private personal and business-related data privacy at one time or another?

It is no secret: Google’s terms and conditions clearly state that “Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored” (Dulin, 2017) (“Google Terms of Service – Privacy & Terms – Google,” 2017). Are you okay with Google scanning your confidential business and personal emails, docs, spreadsheets, or any other sensitive data that may be stored on their servers? They make no bones about it; your data is theirs for the harvesting. You most likely authorized access to your personal data by accepting their terms and conditions when you created the account.

How about Yahoo? You’d assume they’d only collect and scan data for the purposes of more accurate marketing and preventing spam and malware; well, guess again. In a Reuters article, it was reported that “the company developed a custom program to search all users’ incoming email for specific queries given by U.S. intelligence officials”. That’s right, Yahoo is collecting private personal and business-related information for government officials. This clearly oversteps the boundaries of a tailored marketing campaign, and this is just the tip of the iceberg when it comes to the privacy and security of your data.

In fact, the NSA, who “under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process” (Gellman, 2013), was exposed for secretly tapping into the “main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials” (Gellman, 2013). Using a tool called MUSCULAR, the NSA and GCHQ “are copying entire data flows across fiber-optic cables that carry information among the data centers” (Gellman, 2013). This is why we need to be proactive and vigilant about protecting the confidentiality of our critical data. The irony of having to protect your data from, among others, organizations of the same government that created the laws mandating the privacy and retention of sensitive business records is bewildering, to say the least.

So, what can we do to protect the confidentiality, integrity, and availability of our critical data?

Once again, I recommend taking a holistic approach to protecting your data, which is far more detailed than one can describe in just a few short paragraphs. However, here are some brief guidelines that will get you going in the right direction.

First, protect your data in transit and while it is at rest using a virtual private network (VPN) and data encryption. A VPN will conceal the data as it travels from the source to the destination so that it cannot be traced. Encryption will make the data unreadable to anyone without the key. In other words, even if someone does capture your data, they will not be able to read it unless they have the decryption key or crack it. Use a strong passphrase when encrypting your data. Something like “GoingTotheStoreInoticed5dogsAnd4CATS!” will be much easier to remember than something like “4Gks!5feTstrr46hV” and will be very difficult to crack. Store the passphrase in a safe place and make sure that more than one trustee has access to it.

Use a VPN and encryption when backing up sensitive data. Some backup software vendors (such as NovaStor) provide a built-in mechanism for creating an on-the-fly VPN to facilitate secure movement of data between backup clients and the backup server, and the ability to encrypt the data before it is sent to the backup server to be stored in the proprietary savefile. Encrypting data before storing it will ensure that your data is secure and difficult to breach whether it is in transit or at rest.
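One way to apply the advice above about encrypting with a passphrase before data is handed to backup or cloud storage, as an added example that is not from the original post or from NovaStor's software. It assumes OpenSSL 1.1.1 or later; the function names, file names and iteration count are illustrative choices.

```sh
#!/bin/sh
# Added example (not NovaStor's implementation): passphrase-based encryption of a
# file before it is handed to backup or cloud storage. Assumes OpenSSL >= 1.1.1.

PBKDF2_ITER=600000   # assumed work factor; every passphrase guess pays this cost

# encrypt_file <plaintext> <ciphertext>
# The passphrase is read from stdin, so it never appears in the process list.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
        -pass stdin -in "$1" -out "$2"
}

# decrypt_file <ciphertext> <plaintext>   (passphrase on stdin)
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
        -pass stdin -in "$1" -out "$2"
}

# sha256_of <file>: print the hex SHA-256 digest of a file.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# restore_file <ciphertext> <expected-sha256> <plaintext>   (passphrase on stdin)
# `openssl enc` in CBC mode does not authenticate the ciphertext, so record the
# digest at backup time, keep it apart from the backup, and check it before
# decrypting.
restore_file() {
    if [ "$(sha256_of "$1")" != "$2" ]; then
        echo "restore_file: ciphertext digest mismatch, refusing to decrypt" >&2
        return 1
    fi
    decrypt_file "$1" "$3"
}

# Usage sketch (file names are placeholders):
#   printf '%s\n' "$PASSPHRASE" | encrypt_file archive.tar archive.tar.enc
#   sha256_of archive.tar.enc > archive.tar.enc.sha256    # store separately
#   printf '%s\n' "$PASSPHRASE" | \
#       restore_file archive.tar.enc "$(cat archive.tar.enc.sha256)" archive.tar
```

The salt that `openssl enc` writes into the file header means the same passphrase yields a different key for every backup, and the PBKDF2 iteration count is what makes each guess at the passphrase expensive.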

If you have data that is being stored for archival purposes, encrypt the data and consider a cold storage solution. Data stored on tape in a vault (offline) cannot be sniffed or copied in this state. It is the ultimate protection from the variety of organizations and lone-wolf bad actors that may be trying to compromise the confidentiality and security of your data. The more difficult it is to compromise your data, the less likely it is for your confidential data to be breached. So, take the necessary precautions to ensure the security of your critical data and have the peace of mind that will help you sleep well at night.

Written by Michael Pirro.
Michael is an Enterprise Support Engineer serving NovaStor’s DataCenter and xSP communities. The views expressed are his own. Learn more about NovaStor’s network backup software.

References

Conger, K. (2016, October 4). Report: Yahoo scanned users’ email for U.S. intelligence agencies. Retrieved from https://techcrunch.com/2016/10/04/yahoo-scans-email-for-nsa/

Dulin, O. (2017, September 7). Don’t trust your cloud service until you’ve read the terms. Retrieved from https://www.infoworld.com/article/3115779/security/dont-trust-your-cloud-service-until-youve-read-the-terms.html

Gellman, B. (2013, October 30). NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say. Retrieved from https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html?utm_term=.759daa6dc63e

Google Terms of Service – Privacy & Terms – Google. (2017, October 25). Retrieved from https://www.google.com/policies/terms/

Vaas, L. (2016, January 14). Yahoo settles class action suit over scanning email for ad targeting. Retrieved from https://nakedsecurity.sophos.com/2016/01/14/yahoo-settles-class-action-suit-over-scanning-email-for-ad-targeting/
