A Thumbprint Almost Ended our Vacation, or GDPR and the Cloud

A version of this blog was originally published by ShardSecure here.

By Marc Blackmer, ShardSecure.

A few years ago, we surprised our youngest with a trip to Florida. We did the whole pickup-from-school-with-our-luggage-in-the-car bit and drove straight to the airport. And there was much rejoicing.

It was a heady morning as we set out on the first day of our multi-amusement park weekend. We bought our tickets to the first park and headed to the turnstiles. I was the last of our trio to approach the gate and our trip almost ended right there. Why? They required me to scan my thumbprint, that’s why.

“I’m sorry. You want what?! Why? Where is it stored? What’s your retention policy?” As I peppered the poor kid at the gate with a barrage of questions, I could see the look of exasperation on my family’s faces. So, I made a choice; I gave up a bit of my privacy in order to make memories with my family.

Mired in legalities and uncertainty

Having control over my privacy has always been important to me, and I applaud the efforts of governments to protect their citizens’ personal information in the possession of businesses. But what happens when different regulations overlap with conflicting requirements, differing views on liability, and impose stiff penalties for non-compliance for those businesses?

Until we see how strictly EU courts interpret the Schrems II decision on current GDPR guidelines on data transfers outside of the EU, European businesses and US cloud providers are both in limbo. Consider this scenario that illustrates the primary concern from the EU’s perspective:

A European company stores EU citizens’ personal data in the cloud hosted by a US cloud provider. Even if the data is encrypted, who possesses the key? What’s to prevent the cloud provider – whether legally compelled, or by the behavior of a rogue administrator, or by an attacker with compromised credentials – from accessing that data? Even if the key is held by a third party, the European Data Protection Board (EDPB) appears to lack confidence in encryption to be a sufficient control.

The penalties for companies found in violation of GDPR may be as high as 4% of their global revenue and US cloud providers may find themselves shut out of the European market. And if there is an apparent lack of confidence in encryption, how can these organizations protect their data in the cloud? Is there a way to remove the key management issue?

We need a new approach

A new process known as “microsharding” essentially makes sensitive data unsensitive and unintelligible to unauthorized users without any concept of a key. How?

Think of it as a digital document shredder into which you feed a sensitive document:

• First, it makes sure the shreds (the microshards) are too small to contain any sensitive data: no birthdates, no phone numbers, no addresses.
  
  
• Next, those microshards are randomly mixed into different microshard containers along with some fake microshards to complicate any attempt at reassembly.
  
  
• Lastly, those containers are distributed across multiple, segmented storage repositories of the data owner’s choosing – multi-cloud, multi-region, or hybrid cloud. If someone is able to look at the contents of that container, the information is incomplete and unintelligible. Think what it would take for an unauthorized user to reassemble that one file. The complexity to enumerate, locate, identify, and reassemble hundreds or thousands of files that had gone through the same process, makes it virtually impossible.

The process is reversed to reassemble the file whenever a user accesses this file. This all works for structured and unstructured data.

If you’re familiar with the concept of RAID-5, you’ll recognize the similarities between RAID-5 and microsharding. Where RAID uses an array of disks, microsharding uses an array of cloud storage locations. Similarly, if a storage location containing microsharded data becomes unavailable for any reason, parity data is used to reconstruct microsharded data from the affected storage location and users are none the wiser.

Data at rest should never be modified or deleted directly on the backend. If it is, that activity is an indicator of compromise. Data integrity checks built into the process will roll back any unauthorized modifications or deletions of microsharded data to their last known good state. And yes, this applies should data become encrypted by ransomware.

Nobody can predict which way the courts may rule, and no single approach can make you compliant. What is clear is that microsharding is a more secure way to protect your sensitive data. And it can even be used in combination with encryption for an extra layer of security with little to no additional work required.

Now that approach makes for a good day at the park for a privacy geek like me. But, more importantly, microsharding can give thousands of organizations greater confidence in how to address evolving regulations, security risks, and concerns.