Data is the digital version of what makes us human. All our family health records, personal family incidents, where we holiday, what we eat and drink, our detailed financial records, subscriptions to what we read and consume, our political and religious affiliations, who we associate with, and where we drive.
Our digital lives are processed, analysed, shared with third parties, sold and accessed, both legally and illegally.
- Legally: The former public protector, Thuli Madonsela, subpoenaed Eskom’s CEO, Brian Molefe’s phone records – there were 58 phone calls with Atul Gupta, and Molefe’s location was pinned to the “Saxonworld shebeen” 19 times – in the run-up to the Guptas’ dodgy acquisition of the Optimum Coal Mine.
- Illegally: Business Day editors had their cellphone records accessed by a private investigator who bribed a service provider employee for less than R4 000 and provided their detailed call records to Gupta-linked companies.
Organisations store our digital lives on-premises, in multiple locations, transforming and re-architecting for multi-cloud and multi-geographic data. This ongoing consumption of data is used by science-driven algorithms for both historical and real-time analytics and decision making.
Who drove you to work today? Your vehicle registration, digital footage of you and metadata about your route is recorded, analysed and ready to be monetised. If anybody had an accident at an intersection, the footage would very likely be sold to various insurance companies.
What if you used Uber to get to work? Your data would be safe right? Just ignore the fact that the details of Uber’s latest breach saw their customer’s data in the process of being reported.
How can this data be protected?
Globally, there has been a rush to legislate privacy. GDPR, CCPA and Popia are recent examples of what is becoming a tsunami of privacy legislation, with huge fines levied against companies that failed to protect customers’ personal information.
Admittedly, current computing technology has big shortfalls when it comes to effective controls to protect data for confidentiality, integrity and availability (CIA), specifically at the confluence of IT systems and people. The reliance on “trusted” officials is always the weakest link that is open to various forms of exploitation. Sensitive data fields are generally said to be in one of three states:
- At rest: The data is in a file on a disk and can be stored fairly safely in an encrypted format provided the decryption key is adequately protected – AES 128- or 256-bit key.
- In transit: The data is in the process of being sent from an edge device (phone, laptop, kiosk) to a mainframe computer – again, if industry standards such as TLS (ideally 1.2 or 1.3) are utilised, that data is generally “safe”.
- In use: For a number of genuine technical shortcomings, protecting the data in use has been the most challenging. Almost all of the high-profile attacks on payment systems occur while the data is in use.
To counter the traditional pitfalls of encryption, technology’s approach to data security has been to apply “format-preserving tokenisation”, whereby data fields that look and feel like the original data get a “token” value that is stored, shared and used, and is only reversed under secure conditions. This approach has had the greatest adoption in payments. The primary driver of this approach has been the credit card companies in the light of massive fraud leading to a potential loss of trust by the general public. Leading card providers created the Payment Card Industry– Data Security Standards (PCI – DSS) that detail increasingly secure steps companies need to adhere to if they accept or process any credit card-related data.
Tokenisation has not been widely adopted outside of the credit card payment industry. With the upswing in outsourcing work packages to specialists, culminating in the move to cloud computing, there has been a big increase in the focus on trusted (or not) insiders who are employed by the cloud provider as opposed to a company whose data is being processed. “Insiders” are available in several formats:
- Completely trustworthy – will always do the right thing
- Completely untrustworthy – will always do anything for the highest incentive
The challenge is the millions of “insiders” that exist in between the two extremes. Besides the usual “bad guys” such as hackers, criminal gangs and nation state actors, you now have state security agencies directly involved. For cloud company CEOs, the dreaded subpoena is now real. In both the US and China, laws exist that carry lengthy jail sentences for non-co-operation with these agencies’ demands.
At the prompting of the cloud providers and under the auspice of the Linux Foundation, all the major chip and cloud providers offer various implementations of confidential computing. As a new technology, there are challenges related to conflicting definitions and responsibilities of making it a reality. If and when privacy concerns become a strong business driver, confidential computing may become an obvious choice.
About Solid8 Technologies
Solid8 Technologies is a value-adding distributor bringing the best of global cybersecurity software vendors and expertise to bear to solve important security challenges and increase cyber resilience across the domains of data security, identity governance, network security, OT security and threat intelligence.
- The author, Patrick Devine, is data security specialist at Solid8 Technologies
- This promoted content was paid for by the party concerned