Who Owns Your Data?
What a simple question that has such an obvious answer; or does it? After all, we write contracts to ensure that the data we send to third parties remains ours, do we not? Is it not true that data can give us a competitive edge over the competition? If data is not that important, why are we always concerned about losing it? At this point it should be clear that we all care about our data, and it can be a make-or-break situation if that data is lost or stolen. So, it seems that the answer to the question "who owns our data" can only be us. No one else will be as concerned about our data, and its security, as we will. Do we show the world that we, in fact, really care about our data?
I know of a case where a business was so concerned about the security of its data that it required the data to be encrypted before sending it to a third-party provider it was contracting with for some services. Of course, there was an NDA in place, but the business still wanted that data encrypted for transport. I am sure that this seems reasonable to just about everyone who reads this. From a security perspective alone it can be seen that confidentiality is very important. In fact, we all know that confidentiality is one of the three basic pillars of security; the other two are integrity and availability. To encrypt and decrypt the data, GNU Privacy Guard (GPG) was used. GPG uses an asymmetric encryption process that entails generating a public/private key pair. All of this makes sense and seems to follow standard practice.
The concern I had arose when I found out that the business wanted the third-party vendor to generate the public/private key pair, after which the business would use the public key to encrypt the data and send it to the third-party vendor. This is where I became concerned. Here is the risk I see with this situation. From the vendor's point of view there is no guarantee that the data came from the business, because anyone can have the public key. If instead the business generated the keys and gave the public key to the vendor, the vendor could be sure the data came from the business, because the private key acts like a signature from the business. It is very reasonable for the business to use the private key to encrypt the data, since the public key can decrypt the data. This would also lend itself to a situation where nonrepudiation exists: the vendor would know for certain that the data came only from the business, and the business would be the only party able to produce data for the vendor in this way. Principles of Information Security by Whitman and Mattord states it well: "nonrepudiation underpins the authentication mechanism collectively known as digital signature". Using a signature to receive any important package is common in the real world; why should it not be common in the digital world?
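As an added illustration of the signature point above (this is not part of the original post), here is a toy textbook-RSA model of the sign-then-encrypt pattern that GPG implements: the business signs with its own private key so the vendor can verify who sent the data, and encrypts with the vendor's public key so only the vendor can read it. The primes, exponents and message values are constructed for illustration only; real RSA uses large keys, padding and hashing, all of which this toy omits.

```python
# Toy textbook RSA (tiny primes, no padding, no hashing) used only to show
# which key plays which role. Constructed example; never use for real data.
from math import gcd

def keygen(p, q, e=17):
    """Return ((e, n), (d, n)): the public and private key for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    return (e, n), (pow(e, -1, phi), n)

def encrypt(pub, m):           # anyone holding the public key can do this
    e, n = pub
    return pow(m, e, n)

def decrypt(priv, c):          # only the private-key holder can do this
    d, n = priv
    return pow(c, d, n)

def sign(priv, m):             # the private key "seals" m: this is the signature
    d, n = priv
    return pow(m, d, n)

def verify(pub, m, sig):       # anyone holding the public key can check it
    e, n = pub
    return pow(sig, e, n) == m

# Constructed key pairs: the business keeps BUSINESS_PRIV, the vendor keeps VENDOR_PRIV.
BUSINESS_PUB, BUSINESS_PRIV = keygen(61, 53)    # n = 3233
VENDOR_PUB, VENDOR_PRIV = keygen(101, 113)      # n = 11413

def business_sends(m):
    """Sign with the business's own private key, then encrypt for the vendor.
    Messages must be smaller than both moduli (here m < 3233)."""
    sig = sign(BUSINESS_PRIV, m)
    return encrypt(VENDOR_PUB, m), encrypt(VENDOR_PUB, sig)

def vendor_receives(packet):
    """Decrypt with the vendor's private key, then check the business's signature.
    Returns (message, authentic). authentic is False for anything not signed by
    the business, even though anyone holding VENDOR_PUB could have encrypted it."""
    c_m, c_sig = packet
    m, sig = decrypt(VENDOR_PRIV, c_m), decrypt(VENDOR_PRIV, c_sig)
    return m, verify(BUSINESS_PUB, m, sig)

if __name__ == "__main__":
    print(vendor_receives(business_sends(65)))                  # (65, True)
    forged = (encrypt(VENDOR_PUB, 99), encrypt(VENDOR_PUB, 1))  # no business key used
    print(vendor_receives(forged))                              # (99, False)
```

The forged packet decrypts fine, which is the point: encryption alone tells the vendor nothing about origin, while the signature check does.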
Let's think of this in a different way. What if the data the vendor had ended up creating an issue with the business's reputation? How does the business prove that the issue was with the vendor and not with the data? After all, does the business not close the door on what would have been guaranteed knowledge of where the data came from? Today many businesses are being compromised by hacktivists just to make a point. Can we say for sure that hacktivists would not try to ruin a business's reputation if they could? The recent issues with GameStop and the market show what a group of people can do when they band together for a common cause. What is keeping this from happening for other, vindictive reasons? Today it may seem unreasonable to think that a data exchange could be compromised for this reason, but it was also only a few months ago that it seemed no one would ever hack a supply chain, yet it happened. Are we willing to risk a business on the assumption that someone would never do that?
Just to be clear, if we really care about our data and its security, why would we want someone else to oversee its encryption?