Monday, October 24, 2016

Protecting your data at rest

Data In Transit – Data At Rest

I recently received this question from a user:

Especially given the new anti-privacy laws, is there a way to encrypt your data to avoid it getting sold to the highest bidder? I already have everything on Google Drive, for the most part. It makes it easy since I have so many computers where I do my work and I travel a lot, which increases the likelihood that I lose a laptop or tablet.

Here's my response:

First of all, congratulations on being aware of these issues.

Protecting data at rest is not a matter of one or two simple responses: 

On your computer you may have financial and medical records, password lists, personal emails, and a decade of browsing history. While legitimate internet communication shouldn’t expose static data, your disc drive is a prime target of malware. You have installed “set and forget” technical protection in the form of antimalware software and think you’re protected. Modern operating systems are already largely hardened, so your own habits matter even more. Once you click on a link, you’ve given whatever is attached to it permission to do whatever it wants. Everyone who sits at the computer must develop the reflex to ask why they are opening an attachment or visiting a website, and what the risks are.

Perhaps you trust that your data are safe once you turn off the computer and lock the door to your office. But that computer is a laptop sitting on the seat next to you on the train or in the coffee shop. Maybe your data aren’t even on the computer but conveniently shared and available “in the cloud.” Either way, some stranger may be able to walk by and pick it up from you.

How do you protect this?

The answer is that your files should be encrypted whenever they are not in use. Unlike your HTTPS communications, this encryption is something you must take responsibility for yourself. It’s a nuisance, but it means that every time you open a project or share a document you must use a password and follow the appropriate procedures.

Fortunately this need not require entering a unique password constantly. Probably most of the files you handle daily don’t really need to be strongly protected against snooping. Most pictures and emails, even if they’re not public, may not represent a significant privacy or financial risk.

For what does need to be protected, files can be encrypted either individually or in bulk. Modern office suites offer an option to password protect a document as you save it. Compression utilities (“zip”) can also encrypt the files as they’re stored. Their encryption methods are now solid, unlike the password option in Microsoft Office 2003 (.doc files rather than the current .docx format), which could be bypassed without difficulty by opening the file in another brand of editor.

For larger quantities of files you can use an encryption system like VeraCrypt to create an encrypted virtual disc, or even to encrypt your entire computer. If you choose the virtual disc option, it creates a single file that, when opened, appears to the system like any other drive. When it’s closed, the contents appear as total gibberish to anyone without the key. The encrypted file can be stored or transmitted without fear of exposing your data. While it can be stored in a shared cloud, it must be synchronized manually, as most sync systems won’t recognize when it has been changed.

But you want universal access to your data in the cloud.

Again, weigh the nuisance factor of file or folder encryption against the value of its contents. Most “name-brand” cloud providers probably offer reasonable security by requiring a sign-in to your account. Hopefully they also encrypt your data while it's in transit. The bigger risk is when you give a collaborator access to modify a document that is synchronized back to your computer. In that case, you have given someone permission to put any file they want on your computer without your intervention. This could represent the ultimate phishing attack if you’re not alert to it.

What if someone doesn't have to break in to see your data?

If you synchronize individual files, the cloud provider has your data and all the metadata associated with it. Unless you've encrypted the individual files with a password, they also have access to the content. Their terms of service may promise that they won't actually read the files, but how will they react if someone comes in claiming to be "with the government" and asks for your data? If their data center is in the same jurisdiction as you, they have to satisfy a subpoena, and they may respond even to an unjustified request.

You can make your cloud storage secure from this loss by using the same practices you use for data on your own laptop. You would have to download and upload the files every time you use them to ensure the protection is always in force. Collaboration would also be problematic unless you were all working with the shared files in a homogeneous environment such as Microsoft Office365.
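The post's advice boils down to one check: before a file leaves your laptop for the sync folder, is it actually unreadable without a password? The script below is an added example (not code from the original post or from any cloud or encryption product) that audits a locally synced folder and reports which files a provider, or anyone who picks up the laptop, could read as-is. It uses only the Python standard library and relies on two facts about file formats: an unprotected .docx/.xlsx/.pptx is a plain ZIP package, while Office stores a password-protected one inside an OLE2 compound-file wrapper; and a ZIP entry carries an "encrypted" bit in its header flags. For anything else it falls back to a byte-entropy heuristic, which cannot tell encrypted data from compressed data, so that verdict is reported as "opaque", not "protected". The sample folder, its file contents, and the stand-in `vault.hc` container (random bytes with no header) are all constructed for the demonstration.

```python
# Added example, not part of the original post: audit a cloud-sync folder for
# files that are readable without a password.  Standard library only.
import math
import os
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"
# OLE2 "compound file" header.  Office 2007+ stores a password-protected
# .docx/.xlsx/.pptx inside this wrapper instead of as a plain ZIP package.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXTS = {".docx", ".xlsx", ".pptx"}
SAMPLE_BYTES = 64 * 1024
HIGH_ENTROPY = 7.9  # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Return a short verdict on whether `path` is readable without a key."""
    with path.open("rb") as f:
        sample = f.read(SAMPLE_BYTES)
    ext = path.suffix.lower()

    if sample.startswith(ZIP_MAGIC):
        if ext in OOXML_EXTS:
            # A plain ZIP package is an unprotected Office document.
            return "PLAINTEXT: Office document without a password"
        try:
            with zipfile.ZipFile(path) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return "UNKNOWN: ZIP signature but unreadable archive"
        if not infos:
            return "PLAINTEXT: empty ZIP archive"
        # Bit 0 of the general-purpose flags marks an encrypted entry.
        open_entries = [i.filename for i in infos if not (i.flag_bits & 0x1)]
        if open_entries:
            return (f"PLAINTEXT: ZIP with {len(open_entries)} of {len(infos)} "
                    "entries unencrypted")
        return "PROTECTED: ZIP with all entries encrypted (file names still visible)"

    if sample.startswith(CFB_MAGIC):
        if ext in OOXML_EXTS:
            return "PROTECTED: password-protected Office document"
        return "UNKNOWN: compound file (legacy .doc/.xls), check manually"

    if len(sample) >= 4096 and shannon_entropy(sample) >= HIGH_ENTROPY:
        # No recognisable header and near-random bytes is consistent with an
        # encrypted container, but a JPEG or video looks the same, so this is
        # only "not obviously plaintext", never proof of encryption.
        return "OPAQUE: high-entropy data, consistent with an encrypted container"
    return "PLAINTEXT: readable content"


def audit(folder: Path) -> dict:
    """Classify every regular file under `folder`, keyed by relative path."""
    return {str(p.relative_to(folder)): classify(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}


def build_sample_folder() -> Path:
    """Create constructed sample files (not real documents) in a temp folder."""
    folder = Path(tempfile.mkdtemp(prefix="sync-audit-"))
    (folder / "notes.txt").write_text("account 0000, PIN hint: pet's name\n" * 200)
    # Unprotected .docx: an OOXML package is just a ZIP of XML parts.
    with zipfile.ZipFile(folder / "report.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>quarterly numbers</w:document>")
    # Password-protected .docx: only the compound-file header matters here.
    (folder / "secret.docx").write_bytes(CFB_MAGIC + b"\x00" * 504)
    with zipfile.ZipFile(folder / "backup.zip", "w") as zf:
        zf.writestr("tax-2015.csv", "income,tax\n50000,9000\n")
    # Stand-in for a VeraCrypt container (assumed .hc name): headerless random bytes.
    (folder / "vault.hc").write_bytes(os.urandom(SAMPLE_BYTES))
    return folder


if __name__ == "__main__":
    for name, verdict in audit(build_sample_folder()).items():
        print(f"{name:12} {verdict}")
```

Point `audit()` at your real sync folder instead of `build_sample_folder()` to see which files would reach the provider readable. The "file names still visible" remark on the ZIP verdict is deliberate: zip encryption protects entry contents but leaves the directory listing in the clear, which is one reason the post's container approach (VeraCrypt) hides more than per-file passwords do.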
