Data Encryption: a Critical Security Issue
USA Freedom Act magnifies the need for companies to encrypt customer data
A high-stakes battle over data security and privacy has intensified as technology companies including Apple and Google have lobbied the President to reject any law enforcement proposal that weakens the encryption of customer data.
Security and data encryption remain at the top of every C-level executive's priority list. No one wants to end up in the news as the next victim of a privacy breach, or as the next company that failed to protect its customers' information. A news search for the words "personal data breach" returns scores of reports in which personal information such as Social Security and credit-card numbers was exposed. In one such incident, a state government site allowed unauthorized access to hundreds of thousands of unencrypted records, including names, addresses, Social Security numbers and documents bearing signatures.
Whether the computers belong to a government agency, a research facility, a bank, a credit-card processor, a hospital or a Fortune 1000 company, the risk of compromising private information remains very high. This has prompted many organizations to encrypt physical electronic storage, workstations and mobile computers in order to protect critical business data.
Once encryption is implemented, how does an enterprise maintain its IT service quality when a hard disk drive fails? What happens when it has to respond to a law enforcement request for data held on an encrypted machine? How do you plan and prepare for data loss when the user's computer is encrypted, and who holds the recovery key when the user cannot supply the passphrase? These are all issues that should be settled in a security strategy that also complies with mandated regulations such as the USA Freedom Act.
New Mandated Transparency Requirement in the USA Freedom Act of 2015
The Act gives private enterprises options for publicly disclosing information about the requests for customer data they receive from the government.
- Robust company reporting. Companies will have a range of options for describing how they respond to national security orders, all consistent with national security needs.
- Allows disclosure by private companies of request volumes. This enables corporations like Google to release aggregate statistics of the government surveillance requests they receive.
The Devil is in the Details
Most IT security policies take a layered approach to data security. For example, when setting up a new computer for a user, the IT department sets a BIOS (Basic Input/Output System) password that must be entered before the system will start. Other BIOS passwords are hard-disk-drive specific (the ATA Security password), meaning that the drive itself refuses to serve data until the proper password is supplied, even when it is moved to another machine. Some BIOS implementations use a single password both for access control to the system and for the hard disk drive. Neither of these is encryption: a power-on password does nothing to protect data on a drive that has been pulled and attached to another computer, and a drive password is only as strong as the drive firmware that enforces it.
To add a second level of protection, newer IT security policies require full hard disk drive encryption. Most full-disk encryption software has two parts: a small pre-boot environment that loads before the operating system and prompts for a pass-phrase or password, and a driver that then sits between the operating system and the disk. After the user authenticates, the driver decrypts hard disk sectors in memory as they are read and encrypts them again as they are written, so the data on the platter is never stored in the clear. The operating system and its applications function normally, without having to be aware of the encryption software.
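As an added example (it is not code from the original article and not any vendor's product), the following Go program models the two layers just described: a pre-boot pass-phrase that unwraps the disk key, and a driver that encrypts and decrypts 512-byte sectors transparently. It also answers the planning question raised earlier about data loss on an encrypted machine: the data-encryption key (DEK) is wrapped once under the user's pass-phrase and once under an escrowed recovery key, so either credential opens the volume and the pass-phrase can be changed without re-encrypting the disk. The sector construction (AES-256-CBC with an ESSIV tweak derived from the sector number) is the one Linux dm-crypt historically used as "aes-cbc-essiv:sha256"; the PBKDF2 pass-phrase stretching, the AES-GCM key wrapping, the iteration count, the pass-phrase and the "SSN=..." record are my own assumptions and constructed values, chosen so the program runs with only the Go standard library. Modern products generally use AES-XTS for the sector layer instead.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const sectorSize = 512 // the unit the OS reads and writes; each sector is encrypted on its own

// mustRandom returns n random bytes for keys, salts and nonces.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out here to stay standard-library
// only; it stretches a pass-phrase into a key-encryption key (KEK).
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], i)
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)                // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ {      // T = U1 xor U2 xor ... xor Uc
			mac = hmac.New(sha256.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t { t[j] ^= u[j] }
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// KeySlot is the DEK wrapped with AES-GCM under a KEK derived from one credential. Several
// slots may wrap the same DEK, so a pass-phrase can be changed or a recovery key escrowed
// with IT without re-encrypting the disk (assumed design, modelled on LUKS-style key slots).
type KeySlot struct{ Salt, Nonce, WrappedDEK []byte }

func kekCipher(credential, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256(credential, salt, 10000, 32)) // 32 bytes = AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func wrapDEK(dek, credential []byte) KeySlot {
	slot := KeySlot{Salt: mustRandom(16), Nonce: mustRandom(12)}
	slot.WrappedDEK = kekCipher(credential, slot.Salt).Seal(nil, slot.Nonce, dek, nil)
	return slot
}

// unwrapDEK fails closed: a wrong credential breaks the GCM tag and yields no key at all,
// rather than silently "decrypting" the disk to garbage.
func unwrapDEK(slot KeySlot, credential []byte) ([]byte, error) {
	dek, err := kekCipher(credential, slot.Salt).Open(nil, slot.Nonce, slot.WrappedDEK, nil)
	if err != nil { return nil, errors.New("credential rejected: DEK authentication failed") }
	return dek, nil
}

// sectorIV is the ESSIV tweak: the sector number encrypted under SHA-256(DEK). Equal
// plaintext in two sectors therefore encrypts to unequal ciphertext, with no IV stored on disk.
func sectorIV(dek []byte, sector uint64) []byte {
	ivKey := sha256.Sum256(dek)
	ivBlock, _ := aes.NewCipher(ivKey[:])
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	ivBlock.Encrypt(iv, iv)
	return iv
}

// EncryptSector runs on every write and DecryptSector on every read, so the OS and its
// applications only ever handle plaintext buffers while the platter holds only ciphertext.
func EncryptSector(dek []byte, sector uint64, plain []byte) ([]byte, error) {
	if len(plain) != sectorSize { return nil, errors.New("sector must be exactly 512 bytes") }
	block, _ := aes.NewCipher(dek)
	out := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(block, sectorIV(dek, sector)).CryptBlocks(out, plain)
	return out, nil
}

func DecryptSector(dek []byte, sector uint64, ct []byte) []byte {
	block, _ := aes.NewCipher(dek)
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, sectorIV(dek, sector)).CryptBlocks(out, ct)
	return out
}

func main() {
	dek, recoveryKey := mustRandom(32), mustRandom(32) // recovery key: shown once, escrowed by IT
	userSlot := wrapDEK(dek, []byte("correct horse battery staple")) // constructed pass-phrase
	recoverySlot := wrapDEK(dek, recoveryKey)
	if _, err := unwrapDEK(userSlot, []byte("wrong passphrase")); err != nil {
		fmt.Println("pre-boot prompt:", err)
	}
	key, _ := unwrapDEK(recoverySlot, recoveryKey) // help-desk path when the user forgets
	record := bytes.Repeat([]byte("SSN=123-45-6789;"), sectorSize/16) // constructed 512-byte record
	s0, _ := EncryptSector(key, 0, record)
	s1, _ := EncryptSector(key, 1, record)
	fmt.Println("same plaintext, different ciphertext:", !bytes.Equal(s0, s1))
	fmt.Println("round trip intact:", bytes.Equal(DecryptSector(key, 1, s1), record))
}
```

Two things the model makes visible. First, a second key slot is the whole answer to "what if the user forgets the pass-phrase or leaves the company": the help desk unwraps the same DEK with the escrowed recovery key, and revoking a credential is just deleting its slot. Second, after the pre-boot prompt the DEK stays in memory for the driver to use, which is why a laptop that is powered on or sleeping is no better protected than an unencrypted one; policy has to pair disk encryption with hibernation or shutdown on idle.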