Regulation

Where is Your Data and Why it Matters


By Richard Douglas, CTO, Secure Hosting Ltd, the Bahamas and Bermuda (01/07/2013)

Interconnectivity is now the driving force behind the world economy, but it can also be one of your greatest threats. Your data is the key to your clients’ fortunes, and any threat to its privacy is a risk that you have to manage.

Depending on where your servers are located you could be putting the privacy and security of that data in peril. With the advent of cloud computing, authorities have increased difficulty identifying where offending data is stored. The laws of each country or jurisdiction determine how protected your data and hardware will be. 

The recent leak of two million emails and other documents about company and personal accounts of nationals in 170 countries has shocked the offshore financial industry. Some experts feel that if industry acceptable storage and encryption methods were used, the risk of such a leak would have been minimised. 

There are many security risks that are at play in today’s digital economy and you need to know how to mitigate against them.

Data Residency 

With the advent of cloud computing, organisations may be storing their data outside of their home jurisdiction, thus exposing themselves to a new set of regulations and policies that govern data privacy.

A recent Gartner report title ‘Five Cloud Data Residency Issues That Must Not Be Ignored,’ states the following:

“Many countries have passed national laws to provide authorities with access to enterprise data; this may conflict with the legal protection rights of data in the originating jurisdiction, and may grant secret access to data via cloud service providers without the enterprise’s knowledge or permission.”

Possible exposure can be curtailed by:

  •   The laws in the jurisdiction where your data is stored, is there adequate privacy protection and due process?
  •   Using strong encryption to protect your data 'at rest'.
  •   Speak to your service provider about their policies on data security and privacy protection.

Threats to your Data 

While hackers and bot-nets are a risk to any server, the biggest risk to your data security can come from the government enforcing its laws in the country where your servers are based. With a change in law - or aggressive enforcement - private data can become public quickly. 

This month, concerns over online privacy have been highlighted with revelations that a top-secret program, code-named 'Prism', has been operated by the NSA in the United States and around the world since 2007. The program is said to have direct access to user data of Apple, Google, Facebook, Microsoft and others, and can be used to collect and store phone records, emails, files and other personal information belonging to both Americans and non-Americans alike.. 

A typical example of this growing trend was revealed in a new documentary called "We Steal Secrets: The Story of Wikileaks" in which several insiders and former government officials were interviewed. One such official Michael Hayden, former head of the NSA, stated, “we steal secrets. That's what we do. And in order to do that, you can't do it above board.”  

How to Protect Yourself

“He who sacrifices freedom for security deserves neither.” Benjamin Franklin

In today's digital age, convenience comes with many sacrifices. Here are a few ways to protect your data, your company and yourself . 

Web browsing – There are many ways to protect your privacy while surfing the Internet.  Start with installing a secure web browser, such as Firefox, combined with a variety of  privacy plug-ins to block ads and cookies which thwart tracking your online activities.  If you want to hide completely, consider using a private VPN or an anonymous browsing tool such as 'Tor'.

Email – Remember that under the Electronic Communications Privacy Act of 1986, a government agency can request copies of electronic communications from email providers such as Google, Microsoft, and Yahoo without a warrant and without your knowledge. 

Instead of leaving your email and attachments archived on a server for anyone to access, download your email with a secure mail client such as Thunderbird.  To take it a step further, install a disk encryption solution such as Truecrypt on your Mac or PC and store you email in your own encrypted vault. And if you need to send private emails to friends of colleagues, encrypt those emails with a tool such as GPG. 

Instant messaging – Instant messaging is convenient, and cost effective. Services from Google, Microsoft and Yahoo make it easy to chat and make phone calls online. But, according to the Manchester Guardian ,“Skype, the web-based communications company, reportedly set up a secret programme in 2011 to make it easier for US surveillance agencies to access customers' information.”  

If you are concerned about keeping your instant messages private, use an encrypted messaging tool such as Cryptocat. 

Cloud storage – Online storage solutions like iCloud, Google Storage and Dropbox are a convenient place to store vacation photos and videos of the kids at their soccer game. 

What about business data such as contracts, proposals or even off-site backups?  If you are concerned about privacy and security, then look for a cloud-based solution that encrypts data 'in transit' as well at 'at rest', where only you, the customer, hold the encryption keys.

According to the LA Times: "The accounts of people using Dropbox, a cloud computing service, were accessible to other users during a nearly four-hour period Sunday. The breach was caused by a software update that affected the authentication mechanism of the service, the company said." 

You can even consider an in-house solution such as ownCloud, which allows you to store contacts, calendars and business data on your own private cloud – all encrypted. 

Mobile devices - With recent news that Verizon (and likely every other major telephone carrier in the US, Canada and Europe) is providing 'metadata' to government agencies, individuals and businesses are becoming increasingly concerned.

Metadata includes phone call records, text messages, physical location information (GPS) and possibly live recordings of conversations - although mobile companies and governments alike have stated they are not recording live phone calls.

Complete security on mobile devices will be hard to achieve due to the proprietary nature of carrier networks, but new products such as Silent Circle look promising.

User Threats

According to news reports, 'spear-phishing' has been at the root of virtually every major attack in the last 24 months, including a recent targeted attack against the personal Gmail accounts of US government officials, political activists, military personnel and journalists.

A spear-phishing attack arrives in the form of a well-crafted email, masquerading as a trustworthy entity, such as a friend or business partner.

Attackers gather personal information about their target to make the email look as genuine as possible in an attempt to acquire information such as usernames, passwords, or credit card details.

The email may also contain a malicious attachment which, when opened, infects the victim computer with keylogging or botnet software so that personal information can be stolen.

Be Smart. A 'friend' does not email asking for usernames and passwords - nor do banks or trusted business partners.

When spear-phishing is not used, other end-user techniques such as 'watering hole' attacks are employed.

A watering hole attack is a method of targeting victims based on sites they are likely to visit.

Attackers will profile their victims to determine the types of sites they are likely to visit and will compromise the site to redirect victims to additional malicious code, in an attempt to collect data similar to a spear-phishing attack.

The compromised site then waits for visitors with vulnerable web browsers to visit and exploit. A recent vulnerability affecting Internet Explorer versions 6/7/8 highlighted the severity of this kind of attack.

Keeping your web browser up to date and installing a good anti-virus software with help protect from these kinds of attacks.

The digital age has given us an unprecedented level of communication, sharing and access to information than ever before. But this unlimited access is not without risks. 

By making a few simple changes you can mitigate the risks in today’s digital economy:
  •   Consider where your data is hosted and what regulations it may be subject to;
  •   Be suspicious of emails from 'friends', watch out for phishing;
  •   Regularly update your Web browser and anti-virus software;
  •   Protect your data 'in transit' and 'at rest' with encryption;
  •   Consider how much privacy you are willing to risk for the sake of convenience.

If you think, “it can't happen to me” or “I have nothing to hide,” then consider this: 

“Even if you're not doing anything wrong, you're being watched and recorded. You simply have to eventually fall under suspicion ... and then they can use this system to go back in time and scrutinise every friend you've ever discussed something with.” - Edward Snowden, former CIA & NSA systems administrator and NSA Whistleblower.