According to Cisco’s Benchmark Study, average spending on data privacy solutions for both small and large organizations doubled in 2021, with companies budgeting $2.4 million a year for privacy-related issue management. This budget is substantial, but it’s necessary. A Pew Research report shows that nearly 70 percent of Americans feel their personal information is less secure than it was five years ago. And 86 percent have been attempting to decrease or remove their digital footprint.
Last month, we reported on some of the top-rated privacy compliance technologies, tools, and tactics. This alert covers a few more.
Homomorphic encryption allows a data controller, or a processor acting on its behalf, to compute over data sets without decrypting them or ever seeing the plaintext. The computation is expressed as additions and multiplications applied directly to ciphertexts; depending on the scheme, only one of those operations, or a bounded number of them, is supported, which limits what a user can do. The encrypted result can be decrypted only by the holder of the private key, that is, by properly authorized personnel.
Despite its benefits, homomorphic encryption is not yet mature. According to Inpher Technologies, homomorphic encryption "has many years to go." But down the line, homomorphic encryption should be useful to organizations when used "in conjunction with other privacy-enhancing technologies like secure multiparty computation."
Several industry leaders are backing the technology. A TechCrunch article discussed a B2B startup called Enveil, whose funding round "is being led by insurance and financial services giant USAA, with Mastercard, Capital One Ventures, C5 Capital, DataTribe, the CIA's strategic investment arm In-Q-Tel, Cyber Mentor Fund, Bloomberg Beta, GC&H and 1843 Capital also participating."
Under Enveil's subscription model, customers can license one of two products in its "ZeroReveal" line. The first, an encrypted search tool, lets users search a database while that database stays encrypted, even when the search is made from outside their own network. The second is a machine learning (ML) tool that encrypts data through "advanced decisioning through collaborative and federated machine learning in a secure and private capacity."
These tools could be particularly useful for transmitting financial and health-related data. According to Nathan McKinley, VP of corporate development at USAA, homomorphic encryption services such as Enveil's ZeroReveal products are "changing the data usage landscape by enabling sensitive business and mission functions at scale today, and we're excited to help push those efforts forward through this investment." Expect more homomorphic encryption tools to reach the market soon.
End-to-end encryption keeps data encrypted from the moment it leaves the sender's device until it reaches the intended recipient's device. The sender's device encrypts the message under a key that only the recipient can recover (in practice, a fresh symmetric key for the message, wrapped with the recipient's public key), so every server and network hop in between relays ciphertext it cannot decrypt. Only the recipient's private key, which never leaves their device, unlocks it. As a result, the data cannot be read in transit, and when an authenticated encryption mode is used, any alteration is detected and the message is rejected rather than silently accepted.
As with homomorphic encryption, the market is currently seeing an influx of end-to-end encryption startups. According to VentureBeat, New York-based Ethyca is offering this service to engineers and product teams for free to encourage privacy compliance.
Implement Zero Trust Architecture
Zero Trust architecture is a security framework that requires every user, device, and workload, whether inside or outside the organization's network, to be authenticated and explicitly authorized before each access to data or systems; being on the internal network grants nothing by itself. Essentially, "Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location."
This framework is currently being recommended by the National Security Agency (NSA) to all federal agencies as a component of a "comprehensive information technology security model." In February 2021, the NSA released guidance, "Embracing a Zero Trust Security Model," on how to implement it. That guidance makes the following recommendations:
- Establish “coordinated and aggressive system monitoring, system management, and defensive operations capabilities”;
- Instruct all employees to assume that all requests for “critical resources and all network traffic” are malicious and that “all devices and infrastructure may be compromised”; and
- Understand and accept that when critical resources are accessed, risk is incurred, and your organization must be “prepared to perform rapid damage assessment, control, and recovery operations.”
* * * * * * *
For this week's ADCG Breach Report and more news updates covering: the National Institute of Standards and Technology's release of guidance on supply chain cybersecurity; Connecticut Governor Ned Lamont's signing of the Personal Data Privacy and Online Monitoring Act; Clearview AI's settlement of a two-year-old lawsuit brought by the American Civil Liberties Union over an alleged violation of the Illinois Biometric Information Privacy Act; the introduction of California Assembly Bill 1651, the Workplace Technology Accountability Act, which would protect worker privacy; and the UK's announcement of extensive post-Brexit privacy reform aimed at Big Tech, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.