I recently had a conversation about data protection, specifically protecting the confidentiality and integrity of sensitive data. Over the course of that conversation, I realized that there is a LOT of confusion on the topic. How do we protect data? When does the data have to be protected? What constitutes protected? Ultimately, we discovered that the person was sending sensitive information via unprotected email and potentially exposing it to prying eyes. As I type this, the issue is being resolved, but I wanted to take a moment to shed some light on the topic and hopefully help someone else secure the data they are responsible for. Stopping massive data breaches isn’t going to be quick or easy but, if we all do a little, we can do a lot.
The Basics – What is Data?
For the purpose of this article, when we refer to data, we’re referring to Personal, private and / or sensitive data. Some examples are PII, ePHI, financial records, etc.
What is protection?
For the purposes of this article, when we refer to protecting data, we’re referring to encrypting it with strong encryption.
Encryption?
This isn’t a talk about encryption (so don’t run away), but it is important that you understand the basics of encryption. Simply put, encryption is the process of combining plaintext (the data) with a cipher (an algorithm, think of this as a magic black box) to create ciphertext. An example is ROT13, where you move each letter 13 places forward (so A becomes N, B becomes O, etc.). If the plaintext is bob and the cipher used is ROT13, the ciphertext would be OBO. In order to protect (encrypt) data, you need to *do something* (apply the cipher). In order to use (decrypt) data, you need to *do something else* to it (typically apply the cipher in reverse).
When does my data need protection?
The opportunities for an attacker to compromise our data are while it’s at rest (stored on a computer) or while it’s in transit (being transmitted from one computer to the other), so we’ll talk about two types of protection.
Protecting data at rest used to be complicated but, with recent versions of Microsoft Windows, it’s as simple as enabling the built-in full disk encryption, Bitlocker. To enable Bitlocker, simply enable Bitlocker in Windows Features and then right-click on the drive that you’d like to protect and choose Enable Bitlocker. Another option is Veracrypt, which we’ve discussed here before. With both options, your hard drive (plaintext) is passed through a cipher (magic black box) and you use a key (your password) to unlock the magic black box.
Protecting data in transit (we’re going to focus on email) gets a little more complicated. When we protected our hard drive earlier, the password that we enter when we log into our computer is the key to unlock the cipher. When we send email, we lock the magic black box (the cipher) with a password but, without a key to the magic black box on the recipient end, they can’t read the message (unlock the magic black box). I’ll cover two options here but there are several ways to address this. Ultimately though, there is going to be *some effort* required on both the sender and receiver to make it work.
Method One – Proxy. This option has several brand names but, basically, you create a message (text, attachments, etc.) and ‘send’ it. The proxy sends a message to the intended recipient with a link to access the message. The sender generally has the ability to control what the recipient can do with the message once they view it (forward, reply, etc.). Using this method, the message never leaves the secure (proxy) environment and the recipient has to log into the proxy to view or interact with the message.
Method Two – Public / Private key pairs. The most popular example of this is PGP, or Pretty Good Privacy. With PGP, both the sender and the receiver install PGP software on their computer (there are free, open source tools for most operating systems for this) and create a ‘key pair’ that includes a public and private key. These keys are mathematically linked so that anything one key encrypts, only the other can decrypt; neither key can reverse its own operation. They then exchange public keys (with anyone that they want to exchange encrypted emails with) and protect their private key. When they want to send an email, they encrypt it with the public key of the intended recipient before sending and optionally ‘sign’ the message with their own private key. When the intended recipient receives it, their email client (with the PGP software installed) will use their private key to decrypt the message (that was originally encrypted with their public key). If the sender also ‘signed’ the message with their private key, the recipient will use the sender’s public key to verify the signature.
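The encrypt-to-recipient, sign-as-sender flow described above, written out as an added example (not code from the article or from any PGP implementation): it uses Go’s standard-library RSA directly on the message rather than OpenPGP’s hybrid session-key format, and the names alice, bob, eve and the sample message are constructed for illustration. The point it shows is that a third party holding a different private key cannot open the box, and a message signed with the wrong key fails verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is what crosses the untrusted mail path: ciphertext plus the sender's signature.
type Sealed struct{ Ciphertext, Signature []byte }

// Seal locks msg with the recipient's public key (RSA-OAEP) and signs it with the sender's private key (RSA-PSS).
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Sealed, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{Ciphertext: ct, Signature: sig}, nil
}

// Open reverses Seal: only the recipient's private key recovers the plaintext, only the sender's public key verifies it.
func Open(s *Sealed, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (wrong private key or tampered ciphertext): %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], s.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature invalid (not from the claimed sender): %w", err)
	}
	return msg, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender (constructed)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // intended recipient (constructed)
	eve, _ := rsa.GenerateKey(rand.Reader, 2048)   // anyone else on the mail path (constructed)
	sealed, _ := Seal([]byte("constructed sample: claim #1234 for J. Doe"), alice, &bob.PublicKey)
	pt, _ := Open(sealed, bob, &alice.PublicKey)
	_, eveErr := Open(sealed, eve, &alice.PublicKey) // wrong private key: the box stays locked
	fmt.Printf("bob reads %q; eve gets: %v\n", pt, eveErr)
}
```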
The takeaway here is that, in order to ‘protect’ data, we have to encrypt it, and encrypting it means that we have to ‘do’ something. To encrypt data at rest, we need to encrypt the drive that it’s on (or store it in an encrypted format). We can use our password to lock and unlock the magic black box and access our data. To encrypt data in transit though, we have to do something *and* the recipient has to do something. If the recipient doesn’t do anything to unlock the magic black box, there’s nothing stopping someone else from doing the same.
Misc / Errata
- PII – https://en.wikipedia.org/wiki/Personally_identifiable_information
- ePHI – https://en.wikipedia.org/wiki/Protected_health_information
- HIPAA – https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
- GLBA – https://en.wikipedia.org/wiki/Gramm–Leach–Bliley_Act
- Encryption – https://en.wikipedia.org/wiki/Encryption
- Ciphertext – https://en.wikipedia.org/wiki/Ciphertext
- ROT13 – https://en.wikipedia.org/wiki/ROT13
- Bitlocker – https://en.wikipedia.org/wiki/BitLocker
- Veracrypt – https://www.piratica.us/?s=veracrypt
- Email Security (Proxy) – https://www.appriver.com/services/email-encryption/
- Email Security (PGP) – https://www.openpgp.org/
- Public Key Crypto – https://en.wikipedia.org/wiki/Public-key_cryptography