Actual Security: Protect the Data Rather Than the Infrastructure

With every new hack, security failure or privacy breach, service providers go out of their way to assure you that your data is safe in their hands. In the wake of the PRISM scandal, which alleges that the United States government has funded an eavesdropping program designed to analyze consumer data from communication providers, giants such as Apple and Facebook have strongly denied allowing the government direct access to their servers. In the midst of firm denials from service providers, what should the general public believe?

Defining Security
First, let’s define two types of security: the feeling of security and the reality of security. Most people operate under the feeling of security. This assumes that if you can’t see the danger, something is safe. The reality of security takes the opposite approach. This train of thought accepts, or even assumes, the fact that things may not be secure, contrary to surface-level analysis. It acknowledges that threats may be lurking just below the surface.

Given the ever-increasing threats to our private information, what should our reaction be? Should we trust our data service providers when they tell us that their infrastructure is secure, even as threats and breaches continue to be confirmed? Or, should we realize the reality of security, which is what’s been in front of us all along: our data and personal information aren’t actually secure.

In all of the conversations about data protection and privacy, providers insist that they don’t give anyone direct access to servers. However, even without “direct access,” it is clear that indirect access is somehow gained. If we acknowledge that our data can be stolen or mined by everyone from hacker rings to governments, the question then becomes: what do we do about it?

How to Protect Data
The answer is simple: protect the data rather than the infrastructure. The infrastructure that the data lives on is irrelevant so long as the data is placed inside a tamper-proof package. That tamper-proof package is encryption, where the only parties who hold keys to decrypt the data are its owner and whoever he or she decides to share it with. This way, even if an unauthorized party gains access (direct or indirect) to a provider’s server, access to the infrastructure will be futile, because the data will never be available there in decrypted form.
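The following is an added example illustrating the architecture this paragraph describes; it is not code from the article or from Lockbox. It assumes AES-256-GCM as the "tamper-proof package", a plain map standing in for the provider's storage, constructed sample data, and that the owner shares access by handing the symmetric key to a recipient out of band (the article does not specify a sharing mechanism). Because GCM authenticates as well as encrypts, the example also shows that a blob altered in the provider's storage fails to open rather than decrypting to corrupted data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Blob is all the service provider ever stores: a nonce and AES-GCM ciphertext
// (tag included). The key stays with the data owner, so the provider's
// infrastructure holds nothing readable.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey generates a random 256-bit key that never leaves the owner's side.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext on the owner's device, before upload.
func Seal(key, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a Blob. It fails if the key is wrong or if the stored bytes were
// changed by anyone with access to the provider's storage.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Outcome records what each party could do with the stored data.
type Outcome struct {
	PlaintextVisibleToProvider bool // does the stored blob expose the plaintext?
	WrongKeyDecrypts           bool // can someone without the owner's key read it?
	RecipientDecrypts          bool // can the party the owner shared the key with?
	TamperingDetected          bool // does a blob altered in storage fail to open?
}

// Scenario walks through the article's argument with constructed sample data.
func Scenario() (Outcome, error) {
	var out Outcome
	secret := []byte("constructed sample: patient notes, account numbers")
	ownerKey, err := NewDataKey()
	if err != nil {
		return out, err
	}
	blob, err := Seal(ownerKey, secret)
	if err != nil {
		return out, err
	}
	// The provider's storage, a stand-in for its infrastructure: blobs, no keys.
	providerStore := map[string]Blob{"notes.txt": blob}
	stored := providerStore["notes.txt"]
	// 1. Anyone reading the provider's storage sees only ciphertext.
	out.PlaintextVisibleToProvider = bytes.Contains(stored.Ciphertext, secret)
	// 2. Without the owner's key, access to the infrastructure is futile.
	otherKey, _ := NewDataKey()
	_, err = Open(otherKey, stored)
	out.WrongKeyDecrypts = err == nil
	// 3. The owner hands the key to a chosen recipient, who can read the data.
	recipientKey := append([]byte(nil), ownerKey...)
	got, err := Open(recipientKey, stored)
	out.RecipientDecrypts = err == nil && bytes.Equal(got, secret)
	// 4. A blob modified in storage fails authentication instead of decrypting.
	altered := Blob{Nonce: stored.Nonce, Ciphertext: append([]byte(nil), stored.Ciphertext...)}
	altered.Ciphertext[0] ^= 0x01
	_, err = Open(ownerKey, altered)
	out.TamperingDetected = err != nil
	return out, nil
}
```

The design point is where the key lives: `Seal` and `Open` run on the owner's side, and the provider only ever handles `Blob` values, so a compromise of its servers, whether direct or indirect, yields ciphertext and nothing else. What this example leaves open is how the owner delivers the key to a recipient securely, which in practice needs its own mechanism (for example, wrapping the data key to the recipient's public key).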

It is essential that each person take responsibility for protecting his or her own data by removing that responsibility from service providers. Inherent trust given to providers has only fueled the feeling of security versus the reality of security. Instead, we must face the reality of security: no matter what assurances are offered, our information isn’t safe in other people’s hands.

Peter Long is the CEO of Lockbox, an Australian encryption company that focuses on data privacy and security, and has more than 20 years of experience in the networking and communications industry. He has held senior technical, marketing, and management positions in Australia and the U.S., including an eight-year stint in Silicon Valley as the global marketing director for Cisco Systems. Long can be reached at [email protected].