Data protection has always been one of the most important components of software products. As the world adjusts to the new reality imposed by the spread of the pandemic, business activities continue to move online, increasing the demand for software products. Unfortunately, the growth of cyberspace has brought an increase in cybercrime. According to statistical reports by Statista, the overall financial damage caused by cybercrime almost doubled in the last two years. Along with financial losses, companies suffer reputational damage that leads to customer outflow. Effective data protection and user privacy have therefore become a key task for businesses.
Let us have a look at approaches and technologies that provide enhanced data protection for your business.
1. Risk assessment.
You need to assess the vulnerabilities of your software at an early stage of development. Among the variety of risk assessment tools, the OWASP Risk Rating Methodology defines key risks using the following approach:
Risk = Likelihood * Impact
Take these 6 steps to help you with assessing your risks:
1) Identify the risk
2) Estimate the likelihood of the risk
3) Estimate the impact of the risk
4) Determine the severity of the risk
5) Decide what to fix
6) Customise the risk-rating model.
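
The six steps above can be turned into a small calculator. The sketch below is an added example, not code from OWASP or from the original article: it scores each factor from 0 to 9, averages the factors into likelihood and impact, maps both onto the LOW/MEDIUM/HIGH bands and looks up the severity in the OWASP matrix. The sample risks, their scores and the function names are constructed for illustration, and impact uses only the four technical-impact factors.

```python
# Severity matrix of the OWASP Risk Rating Methodology: (likelihood, impact) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}
ORDER = ["Note", "Low", "Medium", "High", "Critical"]
LIKELIHOOD = ("skill_level", "motive", "opportunity", "size",
              "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
IMPACT = ("confidentiality", "integrity", "availability", "accountability")

def level(score):
    """OWASP bands for a 0-9 score: below 3 LOW, below 6 MEDIUM, otherwise HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(factors, weights=None):
    """Mean of 0-9 factor scores; optional weights customise the model (step 6)."""
    weights = weights or {}
    for name, value in factors.items():
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {value}")
    total = sum(weights.get(name, 1) for name in factors)
    return sum(v * weights.get(name, 1) for name, v in factors.items()) / total

def rate(risk, weights=None):
    likelihood = average(risk["likelihood"], weights)          # step 2
    impact = average(risk["impact"], weights)                  # step 3
    severity = SEVERITY[(level(likelihood), level(impact))]    # step 4
    return {"name": risk["name"], "likelihood": likelihood,
            "impact": impact, "severity": severity}

def prioritise(risks, weights=None):
    """Step 5: order the rated risks so the most severe are fixed first."""
    rated = [rate(r, weights) for r in risks]
    return sorted(rated, key=lambda r: ORDER.index(r["severity"]), reverse=True)

def make_risk(name, likelihood_scores, impact_scores):
    return {"name": name, "likelihood": dict(zip(LIKELIHOOD, likelihood_scores)),
            "impact": dict(zip(IMPACT, impact_scores))}

# Step 1: constructed sample risks with illustrative factor scores.
SAMPLE_RISKS = [
    make_risk("Missing rate limit on admin API", (5, 4, 4, 2, 3, 3, 4, 3), (1, 1, 5, 1)),
    make_risk("Verbose error page", (3, 1, 7, 9, 7, 9, 6, 8), (2, 1, 1, 1)),
    make_risk("SQL injection in search form", (6, 9, 7, 9, 7, 5, 9, 8), (9, 7, 5, 7)),
]
if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f'{r["severity"]:<8} L={r["likelihood"]:.2f} I={r["impact"]:.2f}  {r["name"]}')
```

Passing a weights mapping such as `{"availability": 3}` shows how customising the model can move a risk from one severity band to another.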
2. Use of HTTPS (HyperText Transfer Protocol Secure)
HTTPS provides better security for websites that work with sensitive data such as payment details.
The benefit of using HTTPS (also known as HTTP over TLS and HTTP over SSL) for a website lies in its secure, encrypted connection. HTTPS relies on public-private key cryptography, where the public key is used for encryption, and the private key is secret and is used for decryption. Both keys are generated randomly and then kept on your server.
A Certification Authority (CA) verifies websites by signing digital certificates; a verified website is marked with a green padlock in the address bar.
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) help the HTTPS protocol ensure cloud security and data protection as the data travels through the internet. This means that the data reaches the designated users and cannot be read by unauthorised parties. If an application does not use TLS, the transmitted data is sent as cleartext and may be subject to cyberattack.
While HTTPS is an essential element of website security, it is only one part of a greater cryptographic mechanism. Unfortunately, HTTPS has weak points too. It does not encrypt data at rest and does not protect data once the HTTPS connection is terminated. Your data security may be at risk at the stages of data processing, storage and transmission. Moreover, if your server is the endpoint of your web API but your processing, analysing, sharing and backup services are in different places, you cannot guarantee that your data is encrypted.
3. End-to-end encryption.
When it comes to exchanging data, end-to-end encryption is the most secure method. It encrypts messages and files so that they are readable by the final recipient only. This data protection mechanism prevents any data leakage and ensures that the communication between the parties remains confidential through the private key that only the sender and the recipient have. To this day, many email and online chat messages travel through company servers, where they get decrypted and stored. This is where the data becomes vulnerable if the server lacks secure protection. Therefore, end-to-end encryption remains the safest way, as encryption and decryption only happen on users' devices.
This method is particularly reliable for payment services, where sensitive data gets encrypted at the checkout stage and then gets decrypted at the payment processor. Well-respected payment systems, like PayPal, provide data encryption themselves, which enhances data protection.
As mentioned earlier, the secret to data protection is in the encryption key that only the sender and the recipient are aware of. This secure data transmission is established through the Diffie-Hellman algorithm. The algorithm sets up a secure communication channel used for exchanging the private key, from which symmetric encryption between the systems is then generated.
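
The key agreement described above, as an added example that is not part of the original article: it uses X25519 (the elliptic-curve form of Diffie-Hellman specified in RFC 7748) rather than classic finite-field Diffie-Hellman. Each side sends only a public value, both sides compute the same shared secret, and that secret is hashed into a symmetric key. Hashing with SHA-256 and the context label are assumptions of this sketch, and pure-Python arithmetic gives no timing guarantees, so production code should call a vetted library.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                          # field prime of Curve25519 (RFC 7748)
A24 = 121665                             # curve constant a24 from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")  # public starting point both sides use

def cswap(mask, a, b):
    """Swap a and b when mask is -1, keep them when it is 0, without branching."""
    t = mask & (a ^ b)
    return a ^ t, b ^ t

def x25519(private_key: bytes, u_coordinate: bytes) -> bytes:
    """X25519 Diffie-Hellman function: Montgomery ladder from RFC 7748, section 5."""
    k = bytearray(private_key)
    k[0] &= 248                          # clamp the scalar as the RFC requires
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_coordinate, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        x2, x3 = cswap(-(swap ^ bit), x2, x3)
        z2, z3 = cswap(-(swap ^ bit), z2, z3)
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(-swap, x2, x3)
    z2, z3 = cswap(-swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_key(own_private: bytes, peer_public: bytes) -> bytes:
    """Hash the raw shared secret into a 32-byte symmetric key."""
    shared = x25519(own_private, peer_public)
    if hmac.compare_digest(shared, bytes(32)):   # all-zero output: low-order peer key
        raise ValueError("rejecting low-order public key")
    return hashlib.sha256(b"added-example-session-key" + shared).digest()

def demo_exchange():
    alice_private, bob_private = secrets.token_bytes(32), secrets.token_bytes(32)
    alice_public = x25519(alice_private, BASE_POINT)   # sent to Bob in the clear
    bob_public = x25519(bob_private, BASE_POINT)       # sent to Alice in the clear
    return derive_key(alice_private, bob_public), derive_key(bob_private, alice_public)
```

Plain Diffie-Hellman does not authenticate the peer, so the public values still have to be tied to an identity (for example by a signature or a certificate) before the derived key is trusted.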
4. NaCl and Sodium
NaCl (Networking and Cryptography library) is a high-speed tool used to provide a higher level of cryptography. Compared to other libraries, NaCl has better usability and higher speed and is used for network communication, encryption, decryption, signatures, etc.
NaCl has the following key features:
No data-dependent branches. The CPU's instruction pointer and branch predictor cannot be relied on to keep data secret. There are multiple examples of secret keys becoming accessible to cyber criminals through these CPU components. NaCl prevents the flow of secret data to the instruction pointer and branch predictor, leaving no conditional branches based on secret data. This type of data protection is compatible with high-speed computing.
No data-dependent array indices. The CPU's cache and TLB (translation lookaside buffer) are also poor at keeping addresses secret. NaCl prevents the flow of secret data to the addresses used in load and store instructions. There are no array lookups with indices based on secret data, and the pattern of memory access is predictable.
Smaller memory and availability. The C version of NaCl is specifically created to use less heap storage, so that memory use does not interfere with cryptographic computation and the system keeps working. NaCl products are not restricted and are publicly available.
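
The first two features are coding patterns, shown here side by side with the code they replace. This is an added illustration, not code from NaCl; the tag, the table and the function names are constructed. Python itself gives no timing guarantees, so the point is the control flow and memory access pattern, and `hmac.compare_digest` is what production Python code should call for comparisons.

```python
import hmac

SECRET_TAG = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample secret
TABLE = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]        # constructed lookup table

def early_exit_equal(a: bytes, b: bytes):
    """Data-dependent branch: stops at the first mismatch. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:                      # which branch is taken depends on secret bytes
            return False, i
    return True, len(a)

def branch_free_equal(a: bytes, b: bytes):
    """No branch on secret data: every byte is examined and differences are OR-ed together."""
    if len(a) != len(b):                # lengths are treated as public
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def production_equal(a: bytes, b: bytes) -> bool:
    """The standard-library comparison designed to resist timing analysis."""
    return hmac.compare_digest(a, b)

def indexed_lookup(table, secret_index):
    """Data-dependent array index: the address touched depends on secret_index."""
    return table[secret_index]

def scanning_lookup(table, secret_index):
    """Reads every entry in a fixed order and selects the wanted one with a mask."""
    result = 0
    for i, entry in enumerate(table):
        mask = -(i == secret_index)     # -1 when i matches, 0 otherwise
        result |= entry & mask
    return result
```

With the early-exit version, the number of bytes examined reveals how long a correct prefix the other party supplied; the branch-free version examines all 16 bytes whatever the input.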
An alternative to NaCl is Sodium. Sodium is a great new toolkit that enables developers to add cryptography to applications while remaining a portable, cross-compilable, installable, packageable, API-compatible version of NaCl. It uses the same crypto primitives as NaCl, but works on all platforms supported by DNSCrypt, including Bitrig, OpenBSD, Dragonfly BSD, NetBSD, FreeBSD, SmartOS, OSX, Linux, Windows, iOS and Android.
The variety of available technologies leaves some room for choice. The best option is to consult cyber security professionals to get the technology that works for your business. Otherwise, you should identify your data security requirements to select the technology based on your findings.
If in doubt, here at Magnise we can guide you on what technologies can provide enhanced data protection to your business in particular and how this can benefit you. Get hold of us to find out more.