What is Privacy and How does Privacy matter?

It is perhaps fitting that the top-of-mind topic of discussion for most consumers this year, as January the 28th comes along, is the change in WhatsApp’s usage terms and their data sharing policy.  Truthfully, the way I understand it, WhatsApp isn’t actually threatening to do anything that Google isn’t already doing with our data.  In fact, Google is probably more invasive to people’s online lives each day than WhatsApp will ever be – but that’s a topic for another day.

The point, however, is that most people I talk to seem to want to guard their privacy very jealously online, yet still use online software that does anything but protect their privacy.  This is clearly evident in most people’s lack of understanding of what Google already does versus what WhatsApp is “threatening” to do.  There is a clear gap between what online privacy ought to be and what the average user understands it to be.  Let’s take a look at why privacy should matter at all.

Why does privacy matter?

There are several reasons why privacy matters in the digital age where users and enterprises are increasingly storing data in the public cloud.  It is estimated that more than a third of people’s data is in cloud storage today. 

First off, what may seem like disconnected pieces of information from discrete parts of people’s data can be pieced together to learn things about businesses and individuals that they didn’t intend to share in the first place.

Secondly, what you may consider ok to share today, may not be something you consider ok to share down the road – but once data is in the cloud, the lack of control makes it virtually impossible to go back and change your mind. 

Last, but not least, privacy policies that you “accept” when signing up with cloud storage vendors are ‘subject to change’ and are virtually impossible to keep track of.

Why is privacy even more important for businesses?

The average online user is not a technical or legal expert and can perhaps be forgiven for not understanding the nuances of online privacy.  But, disturbingly, I have found that many businesses don’t understand privacy or its importance to them as a business.    

Most discussions around data privacy center around the right to privacy of individuals.  But with regulations like GDPR that have effectively shifted the accountability around privacy to businesses, privacy of data has become a business / regulatory problem.

If one thinks about it a little, data privacy can be a bigger problem for businesses than for individuals.  Most individuals, at some level, are willing to trade some privacy for convenience.  Businesses have too much at stake to allow any breach in the privacy of their data.  The resulting penalties can be enormous.

And in the current climate where digital transformation and cloud adoption have been accelerated by the pandemic and the resulting WFH policies, the public cloud and SaaS vendors are being trusted with more and more enterprise workloads and data.

There is a lot of discussion around security in such a context.  CISOs are talking about Zero Trust models, SASE appliances, and so on – but I see very little discussion around data privacy.  In fact, the two get confused, and it is often assumed that data that is secured is also private.

Conversations around security and privacy usually go like this:

Customer: So, how can we be sure our data is safe in the cloud?

Vendor: Why, it is all encrypted of course.

Customer: Is it encrypted both in-transit and at rest? What encryption algorithm do you use?

Vendor: We use AES-256 for data at rest.  And we use https with TLS 1.2 for all on the wire communication.  Your data is encrypted at all times.

Customer: Wow, that’s great.  Thank you.

Conversation done.

What’s missing here is that nobody asked (and nobody mentioned) who can decrypt the data after it has been encrypted.  Who holds the encryption keys?  Can the cloud/SaaS vendor or any of their employees decrypt and read the customer’s data?   

The sad truth, many times, is YES.  While there might be legal documentation and deterrents/penalties which serve to limit the cloud or SaaS vendor’s access to a customer’s data – most of those remedies can be applied post-facto only after a breach or damage has occurred.  Often, there is no technological barrier that prevents the SaaS/cloud vendor’s access to the data.  And as a customer, when you’re missing that technology barrier – you’ve sacrificed privacy. 

Secure? Yes. But is it Private?

Sadly, a number of SaaS vendors can claim security, but cannot truly claim privacy.

Most SaaS vendors today offer to encrypt the data sitting in their data centers, but the encryption comes with some risks.

  1. Most public cloud vendors own and control the encryption keys, or at the least retain the ability to decrypt data with keys the customer might actually control. This means that they are in a position to decrypt data at any time and gain access.
  2. Public cloud vendors don’t usually go out of their way to access their customers’ confidential data, but the chance of a cloud provider gaining unwarranted access to critical customer data is far too high for the comfort of most enterprise security teams.
  3. Also, if asked by government bodies to turn over sensitive data, many public cloud vendors have no choice but to immediately comply and share data in decrypted form, because the laws of the land may require them to do so.

Segregation of Duties

The key to delivering privacy is to understand a concept called the separation of duties or segregation of duties.  Encryption can provide security, but without strict segregation of duties, it delivers weak privacy at best and is as good as no privacy at all.

When segregation of duties is unclear or doesn’t exist, there is an implied loss of data privacy, which in turn leaves the organization in a less defensible position with respect to regulation.

Let us try and examine the segregation of duties in a bit more detail with a real-world example.  It is interesting that I can use a real-world example, because in the real world, as a society, we have surmounted this problem already.

The best analogy is a safe deposit box in a bank.  You may use the bank’s premises to keep valuable belongings – just like you may use the cloud to store valuable business data.

But when you rent a safe deposit box, you also have the option to lock it and bring a key back with you – thus preventing unauthorized access.  So, you trust the bank to be secure, but you take it upon yourself to ensure privacy by retaining the key to your safe deposit box.

Segregation of duties, when employed together with strong encryption, provides the same advantage in the digital world.  Strong encryption allows you to secure your data in the cloud, while retaining control over the encryption keys allows you to control who gets access to that data.
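
The safe deposit box arrangement in code, as an added example that is not part of the original post: the same AES-256 encryption is applied to the same document twice, and the only difference is who holds the key. The function names, the record layout and the sample document are assumptions made for the illustration.

```javascript
// Added illustration: function names and record layout are assumptions, not a vendor API.
const { createCipheriv, createDecipheriv, randomBytes } = require("crypto");

// AES-256-GCM. Sealed layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Throws when the key is wrong or the data was altered (the GCM tag check fails).
function unseal(key, sealed) {
  const decipher = createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Envelope encryption: a fresh data key per object, wrapped under a key-encryption
// key (kek). The stored record looks the same whoever holds kek.
function encryptForStorage(kek, doc) {
  const dataKey = randomBytes(32);
  return { wrappedDataKey: seal(kek, dataKey), ciphertext: seal(dataKey, Buffer.from(doc)) };
}

function decryptFromStorage(kek, record) {
  return unseal(unseal(kek, record.wrappedDataKey), record.ciphertext).toString();
}

// Can the vendor recover the plaintext using every key in its own key store?
function vendorCanRead(vendorKeyring, record) {
  return vendorKeyring.some((key) => {
    try { decryptFromStorage(key, record); return true; } catch { return false; }
  });
}

// Constructed sample data: keys and document are generated here for the demo.
const vendorKey = randomBytes(32);   // sits in the vendor's key store
const customerKey = randomBytes(32); // stays with the customer, never uploaded
const doc = "Q3 acquisition shortlist";

const vendorManaged = encryptForStorage(vendorKey, doc);     // vendor holds the key
const customerManaged = encryptForStorage(customerKey, doc); // customer holds the key

console.log("vendor-held key, vendor can read:", vendorCanRead([vendorKey], vendorManaged));
console.log("customer-held key, vendor can read:", vendorCanRead([vendorKey], customerManaged));
console.log("customer reads own data:", decryptFromStorage(customerKey, customerManaged));
```

Both records are "encrypted at rest with AES-256", yet only the second one keeps the vendor from reading the document.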

So, this year, on Data Privacy Day – if you’re entrusting your data to the cloud, ask the right questions – and make sure you get the right answers.  With enterprise data, there is just way too much at stake!