How to protect sensitive data on the Internet: 4 basic principles

How to protect sensitive data on the Internet: 4 basic principles

World Data Protection Day is an international holiday celebrated around the world every 28 January. It is also called Data Privacy Day in the United States.

This day commemorates the signing of Convention 108 in the Council of Europe, aiming to protect human rights in personal data processing.

Also, private data privacy is protected by the Budapest Convention on Cybercrime (2001) and Article 8 of the European Convention on Human Rights.

Isn’t it amazing that all 47 member states of the Council of Europe, as well as the USA and Canada, care about our privacy? Should we care at all about our data protection in online or offline worlds?

Well, actually we should.

Let us talk more on what we can do to reduce risks and protect both corporate and personal data privacy.

1. Authentication

Authentication is a process of your identity verification; it proves that you are who you are saying you are.

In the real world, different types of ID are used for that purpose - passport, driving license or library card. In virtual it’s usually login and password. This is a single factor authentication and not the most secure one.

Weak passwords like 12345 or qwerty are still popular and make the life of bad guys much easier.

Surely, you can (and must!) create a long and complex password or even password phrase. But it’s barely possible to memorize many such passwords (as you need a different one for every system or service you use) and it’s strictly not recommended to write it down.

Fortunately, there are special apps and services - password (or secret) managers - to solve this problem. Such apps can generate unique and complex passwords, store it securely, conveniently auto-fill forms on the websites, etc. Many of them can be also used to store not only passwords but other sensitive information - credit card numbers, passports or social security info, electronic documents, etc.

Popular services include Google Password manager (available in Chrome), LastPass, Enpass and many others, free and paid.

As we mentioned above, login&password is just one authentication factor, while last years two- or even multi-factor authentication methods become more and more popular.

The first method to add the second factor is through SMS or phone call. While it’s simple and still very popular, last 2-3 years it was ranked as weak: a phone can be stolen, a SIM-card can be cloned, a text of voice call can be intercepted, etc.

The second method is to use one-time codes generated in special apps (usually on your phone). Google Authenticator or Authy are examples of such apps.

Unfortunately, this method is also vulnerable to phishing attacks.

Maybe the most secure way to implement multi-factor authentication is hardware tokens (usually it’s a USB/Bluetooth/NFC fob). Especially when it’s used together with modern protocols based on asymmetric cryptography (like U2F). We would recommend using such keys - YubiKey is a great example of such hardware.

If it’s possible to add biometric factor - for instance, fingerprint, it makes the access truly multi-factor.

We do recommend to configure multi-factor auth in all services where it’s possible. Fortunately, many modern ones offer or even require such an option - email, messengers, social networks, banks, etc.

Okay, so we have complex passwords and multi-factor auth. Is our data completely safe now and we can take a break?

Well, not exactly. Move on to the next chapter!

2. Stored data encryption.

It happens and everybody can lose a laptop, a phone or a USB stick. As a result, somebody can get access to information stored on your device.

It’s possible that you have some sensitive information there - current projects or customers data on your laptop, PayPal or private photos on your smartphone. There’s no doubt you don't want it to be published or used by your competitors.

What can you do? Encrypt your drives.

Windows supports full or partial disk encryption starting Vista using tool named BitLocker. However, it’s not supported by different OSes, so you can't decrypt it on Mac or Linux.

Mac also has an embedded tool for disk encryption - FileVault.

Such tools allow encrypting internal laptop or desktop drives as well as external disks. If you need to work on different platforms, you can use some independent solutions like VeraCrypt. It’s free and opensource, by the way.

There are similar tools for mobile OSes too.

Well, so all your devices are protected with strong authentication and all data is encrypted. If you lose it, nobody can get access. Wait...but what about you?

There’s a real story happened to our friend, future Ph.D., whose laptop with all thesis materials was stolen from a car. So the guy needed to urgently restore the thesis from scratch using partial notes and memory.

How to avoid such issues? Backup copies may help. And yes, better not to leave your belongings in a car.

3. Backups.

We recently published a post regarding that.

There’s a 3-2-1 rule, made popular by well-known photographer Peter Krogh:

  • Have at least three copies of your data.
  • Store the copies on two different media.
  • Keep one backup copy offsite, for instance in a cloud.

Host-telecom cloud storage is hosted in reliable EU-based data-center and allows to keep a few copies of your data on different servers. As additional protection, network connections are encrypted.

There’s one more important tool you can use to increase privacy in global Internet. We’ll talk about it in the next chapter.

4. VPN.

The Internet is global, but insecure network, full of threats and risks.

VPN is an acronym for Virtual Private Network; it can be used to protect your privacy in the wild Internet.

Companies with remote employees frequently use VPN technology to provide secure access over the public Internet.

VPN also hides your IP address and as a result can be used for accessing resources not available from your country. For instance, if you traveling in Europe and want to keep enjoying some Netflix shows available only in the US (or vice versa).

VPN is also useful when you connect to public open networks such as WiFi in hotel, cafe or airport. For the sake of convenience, such networks are usually not protected, so malicious actors (or networks owners) can easily intercept your data, such as your credentials, email addresses or personal info.

At best your data would be just sold to advertisers.

There are several free VPN providers. However, as you can imagine there’s nothing free and usually, such companies are making a profit out of your data. So it makes not too much sense to use it if you care about your privacy.

There are multiple paid VPN providers as well. However, such services usually attract the attention of different authorities and law enforcement agencies, who’re always eager to collect such data.

Is there a solution? Well, there is at least one. You can spin up your own VPN server on a virtual or dedicated hardware machine (preferably with Linux onboard).

It can be OpenVPN - well-known secure opensource solution, or a modern but yet not so popular WireGuard.

But how is that better than a VPN service?

The provider has no access to your VPN server and hence can't directly get access to your logs and data. Anyway, it already got paid for VPS or dedicated server, so there’s no need to seek profit in collecting and selling private data. For general purpose hosting/data-center provide long-term relations with a customer are more important than potential profit from traffic data selling.

Regular data-center is much less attractive goal for authorities comparing to dedicated VPN service.

We at Host-telecom do care about our customers' privacy and allow access to customers equipment only according to the Czech court order. There’s no single case over last 10 years.

Conclusions

You can't rely on the government on protecting your privacy, despite the law acts and conventions. You care about your data - act accordingly.

To reduce your privacy data risks, follow those practices:

  1. Improve authentication: use complex unique passwords, add strong multi-factors such as hardware keys or biometric.
  2. Encrypt all or most sensitive parts of your disks on any of your devices, including removable
  3. Make backup copies
  4. Protect your Internet connections with VPN

Happy Data Protection Day!

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

    Spelling error report

    The following text will be sent to our editors: