In everyday life, we use a lot of data. Some of it is sensitive and some isn't, but to keep data secure it must be encrypted. When data is shared with another person, organization or business, it's important not to send it unencrypted, because a malicious attacker can view and modify it in transit. This tip discusses how organizations use data in everyday life, which security dangers arise when storing unencrypted data on different devices and in some services, and how to mitigate the risks by using encryption in the cloud.
The dangers of online and offline data storage
There are a variety of dangers involved in storing unencrypted data on different devices, as well as using unencrypted data in some services.
- USB drives: An easy way to transfer data between two computers is to store it on a USB drive. If the drive is lost or stolen in transit, an attacker can access everything on it. Just as data transferred over a network is protected with protocols like HTTPS or SSH, data stored on a USB drive has to be properly encrypted.
- Hard drives: Data stored on a hard drive is accessible to an attacker who is able to steal the hard drive. Usually hard drives in work PCs are safe, since they are locked in an office, but they are still accessible to burglars who may steal the whole PC. The risk is somewhat greater when it comes to a lost or stolen laptop. In such circumstances, all the data on the laptop hard drive is accessible by connecting the drive to another machine and opening the files. The fact that the system -- be it Linux, Windows or something else -- is password-protected doesn't necessarily stop the attacker from getting access to the data, as this level of protection can be easily bypassed.
- Cloud file synchronization: Cloud synchronization is used to back up files on a hard drive in case the hard drive fails or if the user wants to have the files accessible from anywhere with an Internet connection. Commonly used cloud synchronization services include Google Drive, Dropbox, SugarSync and Amazon Cloud Drive. Depending on the service, the files synchronized to the cloud might not be encrypted when stored. In these cases, the attacker may be able to steal the data from the cloud service itself, which is accessible from anywhere there's an Internet connection.
- Cloud SQL databases: Various cloud applications use back-end SQL databases for storage. Usually the data stored in a SQL database is not encrypted, but it includes sensitive information for the application, like usernames and passwords. Many providers offer remote SQL databases that applications use to save and load their data. Since the stored data is not encrypted, an attacker who gains access to the database can steal the data directly.
- Mobile phones: Mobile phones have become a necessity in daily life and people take them wherever they go. Since phones are constantly available, they are used for many different tasks, like reading emails, accessing work data, and taking pictures and videos. But many people may not be aware that the data on their mobile phones is not encrypted. When unencrypted, sensitive personal data on mobile devices is more easily accessed by attackers.
Securing online and offline data storage
Data needs to be properly encrypted when stored on various devices and when used in services, but it's even more important to do so when it's stored in the cloud, since such data can be accessed from anywhere. There are certain necessary steps enterprises can take to protect data on devices and in services, including:
- USB drives: There are several software programs available to encrypt USB drives, such as DiskCryptor, VeraCrypt and BoxCryptor. On the other hand, programs such as TrueCrypt, whose development has been discontinued, are considered insecure and should be avoided.
- Hard drives: On Linux systems, enterprises can use dm-crypt with LUKS, and on Windows systems BitLocker, to encrypt whole hard drives in a PC or laptop.
- Cloud file synchronization: It's important for enterprises to ensure the service used supports zero-knowledge and the data uploaded to the cloud is encrypted. Enterprises shouldn't use something like Dropbox, but should instead switch to an encrypted synchronization alternative like SpiderOak, Wuala, Tresorit and the like.
- Cloud SQL databases: For safe storage of databases in the cloud, organizations can use ClearDB, ZeroDB and so on.
- Mobile phones: Android mobile phones already support disk encryption out of the box, which can be enabled in the settings. A password is needed to encrypt the whole disk, and it has to be provided every time the user accesses the system. Enterprises cannot use patterns or PINs since they are easily brute-forced and unfit for encryption.
There's always a chance data stored in the cloud might be stolen by a malicious attacker, which is why it is so important to have encryption in the cloud prior to storing data there. This way, an attacker who steals the data won't be able to make sense of it, since he doesn't know the password or have the private key used to encrypt or decrypt the data.
Prior to saving data to the cloud, be sure to fully investigate whatever service you're considering using to ensure the data is properly protected. The data must be encrypted on the client side before it is sent to the cloud where it is stored. The most important thing is to understand the technology you're using, to make sure proper security measures are in place, and to ensure best security practices are followed.
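The client-side encryption the tip calls for, both for records written to a remote SQL database and for files pushed to a sync folder, comes down to one rule: the provider receives ciphertext and a nonce, never the key. The following Go program is an added example, not code from the original article or from any of the services it names. It generates a data-encryption key on the client, seals a record with AES-256-GCM, packs the result into a single text value that fits a database column or a file, and shows that any modification of the stored value (or use of the wrong key) is rejected on the way back. The record contents and the "users/42" label are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Envelope is everything the cloud side ever receives: the ciphertext (with its
// GCM authentication tag), the nonce, and a label that is authenticated but not
// encrypted. The key is never part of it.
type Envelope struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 256-bit data-encryption key. It is created on the
// client and must stay there (or in a key manager the provider cannot read).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-256-GCM before it leaves the client.
// label (for example the row id or object name) is bound into the tag, so an
// envelope cannot be silently moved to another record. A fresh random nonce is
// drawn per call; the label must not contain '.' because Encode uses it as separator.
func Seal(key, plaintext []byte, label string) (Envelope, error) {
	if strings.Contains(label, ".") {
		return Envelope{}, errors.New("label must not contain '.'")
	}
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return Envelope{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope fetched back from the cloud. Any change to the
// ciphertext, nonce or label, or use of the wrong key, fails authentication and
// returns an error instead of garbage.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Label))
}

// Encode packs an envelope into one text value "label.nonce.ciphertext" (base64
// for the binary parts) so it fits a TEXT column in a remote SQL database or a
// file in a sync folder.
func Encode(env Envelope) string {
	enc := base64.RawURLEncoding
	return env.Label + "." + enc.EncodeToString(env.Nonce) + "." + enc.EncodeToString(env.Ciphertext)
}

// Decode is the inverse of Encode.
func Decode(s string) (Envelope, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Envelope{}, errors.New("malformed envelope")
	}
	enc := base64.RawURLEncoding
	nonce, err := enc.DecodeString(parts[1])
	if err != nil {
		return Envelope{}, err
	}
	ct, err := enc.DecodeString(parts[2])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Label: parts[0], Nonce: nonce, Ciphertext: ct}, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record: what an application would otherwise store in plain text.
	env, _ := Seal(key, []byte("user=alice;role=admin"), "users/42")
	stored := Encode(env)
	fmt.Println("what the provider stores:", stored)
	back, _ := Decode(stored)
	pt, err := Open(key, back)
	fmt.Println("decrypted on the client:", string(pt), err)
}
```

The label acts as associated data, which is what stops an attacker with database access from swapping encrypted values between rows without being noticed. In a real deployment the random data key would itself be wrapped under a passphrase-derived key or held in a key manager the provider cannot reach, and rotated long before the 2^32-message bound that applies to random 96-bit GCM nonces under one key.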
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and regularly writes security-related articles for his own website.