An Interesting Approach to Encryption

Encryption is essential for communications and files that contain sensitive or confidential information, and it’s important on a number of levels:

  • Users and their employers need to protect sensitive content like intellectual property, trade secrets, marketing plans, and even content like embargoed press releases when sent through email or stored in the cloud.
  • They also need to protect content that is subject to privacy regulations like the GDPR in order to avoid running afoul of their regulatory obligations.
  • Cloud providers need their customers to use encryption to prevent governments from successfully accessing confidential files: if customers’ files are encrypted and therefore inaccessible to providers, that effectively lets them off the hook, since they have no access to their customers’ content.

PreVeil has released an interesting technology that is designed to encrypt users’ emails and files. The system offers end-to-end encryption of content using Curve25519 and the XSalsa20 cipher, including email subject lines and file names (FIPS-compliant algorithms are also available). Every email and document sent through PreVeil is encrypted with a unique key, and no key is ever visible to the server that stores the information. Users each receive a public/private key pair, with the public key stored on the server and the private key stored only on each user’s individual devices. All document creators digitally sign document keys so that recipients can verify the authenticity of the content they’re accessing.

A unique feature of PreVeil’s encryption technology is its use of “Shamir Secret Sharing”, a technique that allows the distribution of users’ keys among what PreVeil calls an “Approval Group”. Each user’s key is cryptographically fragmented and distributed among members of the group. While each of these fragments is stored by PreVeil on its servers, the keys used to decrypt each fragment are not stored in a central location. This provides an extra level of security that can help to prevent damage resulting from the takeover of an administrator’s privileged account, since no single account holds enough fragments to reconstruct a user’s key.

PreVeil is designed to integrate with various email clients, including Microsoft Outlook and Apple Mail, and also offers PreVeil Drive, which the company bills as an alternative to Dropbox, OneDrive, Box and other file-sharing solutions.

Pricing for PreVeil varies from free for individual users that offers one gigabyte of storage, to $10 per user per month for 100 gigabytes of storage, to $20 per user per month for corporate users (five terabytes of pooled storage).

More information on the company is available here.


Went From Windows to Mac, Now Thinking of Moving Back

Back in 2006 I made a decision to move our business to the Mac. I liked the elegance of the Mac’s design and how everything “just worked” in a way that Windows — at least at the time — didn’t. Subsequent introductions from Apple proved me right: the iPhone, the iPad and Mac desktops and laptops work very nicely together. I can answer and receive phone calls, send and receive text messages, share passwords, and share data easily on any Apple platform. My iPhone, iPad and MacBook Pro will remember all of my Wi-Fi connections and reconnect automatically whenever I revisit a location. The interfaces are all elegant and well designed.

But then Steve Jobs passed away and, apparently, Apple’s almost maniacal obsession for good design did as well, albeit more slowly. The Mac still works, but just not as well anymore. The company has shifted focus to the iPhone and iPad, even more or less dismantling its Mac team back in 2016. New versions of MacOS are more like point releases, offering interesting new features and functions, but many are more gimmicky than they are useful. While not Apple’s fault, Microsoft Office 2016 is a major step backward compared to Office 2011, but users are more or less forced to “upgrade” because of Microsoft’s end-of-support for 2011.

While I still like the Mac, a recent failure of my iMac’s Fusion Drive (Mac’s combo of a solid state drive and conventional hard drive) has served as something of a trigger and brought me to the point that I am now seriously considering going back to Windows. The drive started failing in late June and failed completely in late July. Since I don’t have on-site service available from Apple (more about that below), I took it to my closest Apple Store. The iMac stayed there overnight and was diagnosed with a software failure that connects the two parts of the Fusion Drive. After Apple “fixed” the problem, and after completely reinstalling MacOS and all of the applications, everything was back up and running…for 11 days. A couple of hours on chat and the phone with Mac technicians resulted in the same recommendation: we will have to bring the iMac back to the Apple Store for diagnosis.

The good news: Apple offers on-site service. The bad news: in order for Apple to authorize on-site service they need to know exactly what’s wrong with the computer so the technician can bring the one part that needs replacing. And in order for them to know which part the technician needs to bring, the customer first has to bring their computer to an Apple Store to have it diagnosed. I doubt that most Apple Support personnel have ever read Joseph Heller’s Catch-22, but Apple’s on-site support policy certainly embodies its primary theme.

So, we are at a bit of a crossroads: stay with a Mac ecosystem that is in decline, or go back to Windows that, by all accounts, is much better than it was just a few years ago? I’d enjoy hearing your opinions.

Security Defenses are Not Adequate

We have just completed an extensive survey of security and compliance professionals in mid-sized and large organizations, asking about the current state of their cyber security defenses. We will soon be publishing a white paper discussing the results. Here’s a bit of what we found:

  • Fifty-five to 58 percent of organizations admitted that they are not fully protected against security threats like payment scams, spear phishing attacks and email spoofing.
  • Four of the top five concerns that security and compliance professionals have in the context of their organizations’ cyber security are focused on email-related threats.
  • Sixty-five percent of security and compliance professionals admitted that their organization has suffered a successful attack and/or data breach during the past 12 months, with the most common being a phishing attack successfully infecting systems on their network with malware (28 percent), and a targeted email attack launched from a compromised account successfully infecting an endpoint with malware (25 percent).
  • Corporate executives represent 16 percent of the attack surface in the typical mid-sized and large organization, despite the fact that they account for only two percent of the total number of employees.
  • Forty-two percent of those surveyed told us that their anti-ransomware defenses are either not improving the catch rate for ransomware attempts over time or the catch rate is actually going down.
  • Only 28 percent of those surveyed believe that their end-user training regimen focused on web surfing best practices is “very good” or “excellent”; only 39 percent believe that their user training for detecting and addressing phishing and other unwanted emails is this good.
  • The average cyber security budget will increase by 7.4 percent in 2018 compared to last year; 67 percent of organizations are increasing their budget and only two percent are decreasing it.

Please let us know if you’d like an advance copy of the white paper.

Here are some upcoming security conferences that should be on your radar:

  • InfoSecWorld, Lake Buena Vista, Florida (March 19-21)
  • Black Hat Asia, Singapore (March 20-23)
  • RSA Conference, San Francisco, California (April 16-20)

Preparing for the GDPR

The European Union (EU) will put the General Data Protection Regulation (GDPR) into effect on May 25th, and with it some potentially difficult and onerous requirements. Here are a few potential issues with which companies worldwide will have to contend:

  • Article 7(1) of the GDPR states, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” That means that anyone who signs up for a mailing list, a webinar, an email newsletter or any other type of communication from you will need to be fully informed of the “processing” that their data will undergo, and you will need to keep an accurate record of each instance of consent that has been granted. For example, someone who signs up to be on your corporate emailing list is granting consent for their information to be used strictly for the purpose of receiving email from you – you need to maintain a record of that consent. If they sign up for a webinar that you have announced to them in an email, they are granting consent to be contacted with regard to that specific webinar – you need to maintain a record of that, as well.

    Our recommendation: excellent and up-to-date recordkeeping is going to be of paramount importance in order to remain compliant with the GDPR. That means good archiving of data subjects’ information, including the ability to search for and retrieve this information quickly and completely, and the ability to defensibly delete this information when needed.

  • Article 22(1) requires that a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” and that includes their “location or movements” (Recital 71). What that likely means is that there is a prohibition on determining whether or not someone is an EU “data subject” based on things like their IP address when completing a form on your web site, for example. So, if someone who lives in the United States is on your corporate mailing list, where their information is not subject to GDPR compliance, but later moves to an EU country, where their data is now subject to the GDPR, is the onus on you to know they’ve moved? According to a strict interpretation of Recital 71, you’re not allowed to collect their IP address when they interact with you, and so you may not be able to determine that they have moved.

    Our recommendation: act as if everyone is subject to compliance with the GDPR and process information accordingly.

  • Articles 12 through 23 of the GDPR are the “Rights of the data subject”, which include things like their right to access and have corrected any information that a data processor or controller has on them, and their right to have that information deleted – their “right to be forgotten” – albeit with certain limitations. There are some serious implications for data controllers and processors in these requirements:

You need to know where all of your data is located. Data subjects’ information that might be stored on a departmental file share to which IT or legal does not have ready access, information stored in employees’ personal Dropbox accounts, or information stored on ex-employees’ personal devices could make it difficult or impossible to respond adequately to a data subject’s request for information or their right to have this data corrected or expunged.

Even with access to all of your data, an organization with malicious intent could organize a group of a few thousand people to request their data simultaneously. Given that the GDPR gives data processors and controllers only one month to comply with these requests (up to three months in some situations), an organization with inadequate content management systems in place could easily run afoul of the GDPR.

Our recommendation: conduct a thorough data inventory to determine where all of your data is located, give IT access to it, and implement a robust and scalable archiving capability that will enable all corporate data to be searched and produced quickly and with a minimum of effort.

Many thanks to Anne P. Mitchell, an Internet law and policy attorney and legislative consultant, for her input to this post. Her firm is offering consulting on the legal aspects of the GDPR – you can contact her directly.

For more information on the GDPR, you can download our most recent white paper here.

How Long Should You Retain Records?

We have been asked many times how long businesses should retain their records, whether in email, files or other venues. The simple answer to the question is that there isn’t “an” answer. Instead, there are a number of issues to consider in determining how long you should retain your records:

  • What does your legal counsel advise?
  • What have court decisions in your industry revealed?
  • What is your organization’s tolerance for risk?
  • What are the consequences of disposing of records too quickly versus keeping them for too long?
  • What do government and industry regulations require as minimum retention periods?

To address the last question, we are assembling a database of regulations focused on data retention. We published the first edition in December with 421 regulations, but will be publishing the next edition in March with approximately 1,000.

Here’s a sample of the types of data retention regulations that exist today:

  • Manufacturers and importers of chemicals must retain documents related to notification of risk, contact information about entities to whom chemicals are distributed, production volumes and other information for three to five years (40 CFR 82.13).
  • Entities that operate as swap data depositories must retain records related to swaps or related cash or forward transactions for a period of five years, the first two years in an easily accessible place, but records of oral communications may be kept for only one year (17 CFR 1.31).
  • Underground mine operators must retain certifications for safety equipment for one year (30 CFR 57.4201).
  • Anyone who imports nonroad and stationary engines must retain documents supporting the information required in EPA Declaration Form 3520-21 for five years (19 CFR 12.74).
  • Entities that operate air curtain incinerators that burn yard waste must retain records about all opacity tests for five years (40 CFR 60.1455).
  • Manufacturers of heavy-duty vehicles and engines must retain records estimating how their fleets will comply with GHG emissions standards; estimated vehicle configuration, test group and fleet production volumes; expected emissions and fuel consumption test group results and fleet average performance; and other information (49 CFR 535.8).
  • The Canada Revenue Agency (CRA) requires entities subject to various sections of the Income Tax Act, the Employment Insurance Act and the Canada Pension Plan to retain for two to 10 years any books and records that will permit the CRA to determine taxation, the qualification of registered charities, permit the verification of various types of donations, etc. (CRA Information Circular IC78-10R5).

There are two key takeaways from this:

  1. There is no such thing as an “unregulated” industry or company in the context of data retention: every business in every industry must retain records for some length of time.
  2. Data retention is not easy, particularly in the context of being able to find archived records, disposing of them properly, and migrating them to new archives and other information platforms. The technology used to archive, search for and migrate records is critical.

For more information on our Data Retention Requirements Guide, click here.

What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, and Fitbits send emails to wearers with their weekly status reports, to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

The Impact of the GDPR on Cloud Providers

We just published a new white paper on the European Union’s (EU’s) General Data Protection Regulation (GDPR) and will soon be publishing the results of the two surveys we conducted for that white paper.

In the second of the two surveys we conducted, we asked the following question: “Will your organization increase or decrease use of cloud technology as a result of the GDPR?” We found that 50 percent of respondents indicated they would do so, 39 percent said there will be no change, six percent said they didn’t yet know, and only five percent said that use of the cloud will decrease. That tells us a few things:

  • Many decision makers are still unsure about how they’ll deal with the GDPR. A thorough reading of the regulation, as with most government rules, leaves room for interpretation. For example, if data on an EU resident is subject to a litigation hold in the United States and the EU resident exercises his or her right to be forgotten, should the data controller violate its obligations to retain the data or violate the GDPR? That uncertainty will lead many to seek the assistance of third parties, many of which will be cloud providers that have more expertise in dealing with these kinds of issues.
  • Many organizations will pass the buck to their cloud providers. Because many organizations are simply not sure about how to deal with the GDPR, particularly smaller ones that can’t afford a team of GDPR-focused legal and compliance experts, they will rely increasingly on cloud providers who they anticipate/expect/hope will navigate the intricacies of the GDPR on their behalf. We believe that will accelerate the replacement of on-premises solutions with those based in the cloud.
  • Consequently, the choice of cloud providers will become extremely important. Since a cloud provider that inadvertently violates key provisions of the GDPR while working on behalf of their clients will not be a shield from prosecution, GDPR savvy will become a top priority when selecting new, or staying with existing, cloud providers.
  • The new ePrivacy Regulation that will supplement or replace key provisions of the GDPR will impose significant usability restrictions on even simple activities like web surfing. For example, it is very likely that web site visitors will need to grant permission for each and every cookie dropped into their browser when visiting a web site, yet that web site operator will not be able simply to block content for those users who do not grant permission. This will make the choice of a web host extremely important in order to comply with both the GDPR and the ePrivacy Regulation.

In short, while the GDPR increases privacy protections for individual users in the EU, it is increasing the risk for those that wish to provide content to them. Many companies, particularly smaller ones, will seek to mitigate that risk by handing it off to cloud providers.

You can download our newest GDPR white paper here, and get more information on the ePrivacy Regulation here and here.

How to Protect Corporate Data When Employees Leave

A key part of employment – particularly in a good economy – is that employees leave employers on a regular basis. According to data from the US Department of Labor, mean turnover among US-based employees in 2016 was 23.8 percent. That means in an organization of 1,000 people, nearly one-quarter of them will quit or otherwise be terminated during a year’s time, or about 20 people per month.

How do employers ensure that departing employees don’t take important data assets with them when they leave? The answer, it turns out, is that they don’t protect against this eventuality. Our research found that for many organizations, information governance policies, practices and technologies focused on data protection are not well implemented, if they are implemented at all. This puts these organizations at significant risk from employees who either quit or are terminated involuntarily and take with them key data assets, such as customer lists, trade secrets, financial projections, or various types of intellectual property.

Here’s what we found in a recent survey:

  • In only 48 percent of organizations can HR data be relied upon to determine when someone is going to leave a company.
  • Only 33 percent of organizations are sure they can detect if an employee that has left the company is still using their access to corporate data.
  • In only 16 percent of organizations does HR take the lead in ensuring that access to data sources, devices, accounts, etc. is disabled for departing employees.
  • Only 24 percent of organizations know when third parties stop working on their systems and data, and only 12 percent know if employees or third parties are sharing access to data through the same account, bypassing any termination processes.

There are several processes and technologies that organizations can implement that will enable them to gain visibility and retain control over their sensitive and confidential data assets, while assuring that employees are not leaving with these assets. There are a number of technologies that can be implemented to protect corporate data from exfiltration by departing employees, but a governance-based model for user lifecycle management and access management can provide organizations with a high degree of assurance that only the right employees have the right access to corporate data at the right time.

For more information about these issues, please feel free to download our white paper, Protecting Corporate Data When Employees Leave Your Company.

You Should Not Archive Your Email and Texts

This is not a political post, I promise!

There are some lessons to be learned from the FBI no longer having access to five months’ worth of text messages between two staff members who were investigating former Secretary of State Hillary Clinton’s use of a private email server to conduct government business, including the sending of classified and non-classified information, and the issue of Russian intervention in the 2016 presidential election. The one lesson I will discuss here is a simple one: you should not archive your email and texts.

More accurately, you, as an employee of your company, government agency or non-profit organization, should not archive your own email and texts.

Archiving should be based on pre-established and evolving corporate policy, not your choice of what content to save and what to discard. If your emails, texts, social media posts, files and other electronic content contain business records or any other content that is relevant to retain, it should be retained and archived automatically based on a set of corporate policies that have been established and approved by senior management, legal counsel, compliance, finance and any other stakeholders that are focused on the best interests of the enterprise. You, as an employee, should be involved in that process, but only as a voice among many in determining what to retain — you should not be the one who makes the final decision about what gets archived and what is discarded.

The reason for this is a simple one: there may be incriminating evidence, like mistakes or downright malicious activity in an email or text, that an individual might want to hide from the view of others. Someone responding to an email might mistakenly delete an important business record buried deep in the thread of an email that he or she did not see. Someone might fire off a text message or social media post in anger that reflects poorly on a client or colleague. In short, there is a temptation to delete information that violates corporate policy and we, as employees, should not have the ability to delete information in an attempt to cover that violation. While it might benefit us in the short term, it harms the organization in the long term.

In short, any good archiving process should prevent employees from being the key arbiter on what gets archived and what doesn’t.

A Better Solution Than Net Neutrality

Much has been made of yesterday’s controversial Federal Communications Commission (FCC) decision to overturn the net neutrality rules that were implemented in 2015. Broadband providers will no longer be subject to US government requirements not to block web sites or charge for premium services, essentially changing their status back to “information providers” instead of “common carriers”.

What would it be like if we applied the concept of net neutrality to other types of businesses? For example, what if the US government required car dealerships to sell any make of car from any manufacturer, not just a single make? What if grocery stores had to sell any food manufacturer’s product and could not charge more for better positioning on its stores’ shelves? What if magazines could not charge more for a full-page advertisement or one on the back cover, but instead had to charge the same price for every ad, regardless of its size or placement in a magazine?

Ridiculous, right? Even the most ardent supporters of net neutrality wouldn’t support these types of government restrictions on auto dealerships, grocery stores or magazine publishers.

Why not? Because consumers have a large number of options for all of these products. In most urban and suburban areas, there are numerous car dealerships and grocery stores from which to choose, and there were 7,216 magazines published in the United States in 2016. US consumers have a large number of options for just about everything they want to buy.

Unfortunately, the same cannot be said for Internet Service Providers (ISPs). As noted in an Ars Technica article from 2016:

“At the FCC’s 25Mbps download/3Mbps upload broadband standard, there are no ISPs at all in 30 percent of developed census blocks and only one offering service that fast in 48 percent of the blocks. About 55 percent of census blocks have no 100Mbps/10Mbps providers, and only about 10 percent have multiple options at that speed.”

The situation is actually worse than that, as former FCC Chairman Tom Wheeler noted in 2014:

“About 80 percent of American homes could buy 25Mbps broadband, but generally from only one provider. At 25Mbps, there is simply no competitive choice for most Americans. Stop and let that sink in…three-quarters of American homes have no competitive choice for the essential infrastructure for 21st century economics and democracy. Included in that is almost 20 percent who have no service at all! Things only get worse as you move to 50Mbps where 82 percent of consumers lack a choice.”

So, what we have in the US broadband market are two problems:

  1. A lack of consumer choice, especially for higher speed broadband.
  2. The ability for ISPs to throttle or block services as they see fit now that net neutrality will soon be abolished.

What if we solved the second problem by simply reinstating net neutrality? It would do nothing to solve the first problem because net neutrality would never attract new ISPs to the market — if anything, it would drive some of the marginal ones away. But what if we solved the first problem? It would easily solve the second one. For example, imagine you had a choice of seven high-speed broadband providers for your home or business. Would it matter if one or two providers blocked or throttled Netflix, Vonage or any other Internet service you wanted to purchase? Not really, because you could switch to another provider that allowed them, effectively using market forces to prevent providers from blocking or throttling any service. And, you’d end up saving money because these seven providers would be aggressively fighting for your business, giving you all of the benefits of net neutrality without government intervention and at a lower cost.

Yes, I realize that having lots of different providers from which to choose is sort of a “boil the ocean” problem that is not easily solved because of a number of factors: providers tend to be natural monopolies, local governments charge lots of money for franchise fees, there may not be enough space on poles or in underground conduits, etc. But solving the fundamental problem we face in broadband services — lack of competition — is not going to be solved via net neutrality. We need to find a better way to solve it.