[BreachExchange] The Struggle For Both Privacy And Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 21 20:32:24 EDT 2016


http://www.techweekeurope.co.uk/security/security-management/the-struggle-for-both-privacy-and-security-190526

In today’s digital age we’ve been forced to trade in elements of our
privacy for more convenient communication and collaboration.

As a result, what we have historically understood as our right to privacy is
now in question. We’re faced with a number of new challenges: governments
who want unfettered access to our personal data, corporations who would use
our personal information to sell us goods and services and, on the other end
of the spectrum, individuals or organisations with malicious intent.

With the recent collapse of the “Safe Harbour” agreement, the topic of
encryption has moved from conversations in the server room to lawyers in
international courtrooms.

While it may seem like these issues erupted out of nowhere, experts in the
security field have been cautioning lawmakers about the inability of
legislation to keep up with the pace of innovation for some time. The
tipping point was a case brought against Facebook by an Austrian law
student who argued that the privacy of Europeans was violated when it was
suggested that Facebook cooperated with the National Security Agency.
Ultimately the court concluded that U.S. laws did not offer sufficient
protection against government agencies – thus invalidating the Safe Harbour
agreement.

One of the major pain points is the polarity of the United States and
Europe in terms of their legal initiatives around privacy and security. In
Europe, privacy is viewed as a fundamental right, whereas in the US it can
be viewed as a consumer protection issue – an enormous philosophical
difference. While many use the two terms interchangeably, there is a
difference between privacy and security, but unfortunately confusion
continues to reign. Personal information may be secure – but in many cases
it’s not private.

The cloud, BYOD and keeping business secure

Large technology firms in Silicon Valley have taken the position that
building so-called “backdoors” into software and hardware is not in their
customers’ best interests.

For firms that store and manage business data, it’s a scary proposition.
The thought of government or hackers prying into sensitive data is forcing
businesses to rethink security and move towards end-to-end encryption.

In this scenario data is fully encrypted and can only be unlocked by the
holder of the key. For example, when a company that stores and manages data
is compelled to turn that data over to the government, or a hacker steals
the data, that data is rendered useless without a key. Thus the data
remains safe, as the key ultimately remains in the hands of the individual
or organisation.

This level of encryption, once considered extreme, was reserved for the
most secure organisations: government agencies, military and financial
institutions. However, in our content-rich world, where organisations want
to control the flow of content, mitigate risk from hackers and protect data
from subpoenas, end-to-end encryption becomes mandatory.

The accessibility of the cloud means people are accessing content from a
host of different devices including tablets, smart phones, laptops and
desktops. As a result it has created a proliferation of ‘bring your own
device’ (BYOD) policies within organisations. This enables employees to
have more autonomy, often working remotely on a variety of different
devices. Unfortunately, it also means there are more potential access
points to company networks for those who would look to exploit
vulnerabilities. End-to-end encryption is one of the ways to ensure data
reaches its intended destination securely.

What comes next?

Despite the concerns created by recent high profile cases over the rights
to our data, cloud computing will still be at the centre of business for
the foreseeable future. Businesses will need the agility that the cloud
provides, specifically the ability to distribute, share, access and act on
information as quickly as possible. For businesses and individuals the
promise of the cloud is the promise of enhanced collaboration and
productivity in the office and around the globe. However, all the speed and
access in the world means nothing if it is creating harmful
vulnerabilities. All of the efforts around cloud computing will be in vain
if the data involved cannot be fully secured.

Moving forward there are measures being taken to keep up with the rapid
innovation of cloud technologies, the most important being Safe Harbour’s
re-birth in the form of Privacy Shield. This new transatlantic agreement
brings promise of more oversight of bulk data collection and gives
Europeans tools to have complaints addressed. While this will ideally lead
to greater transparency and accountability, it is our responsibility to do
everything in our power to protect the privacy and security of our data.