(4) Sometimes the Destination is more important than the Journey.
First published on July 19, 2017
PDF of articles here: Are we the New Digital Soylent Green - PDF
("Soylent Green Is People").
Following on from my article on Data Sovereignty and compliance (Data, Data, wherefore art thou, Data!?), the focus recently has moved from Data at Rest (where data is stored) to Data in Transit (data moving along the ether(net)). It has reached a point where it has become a distraction from data sovereignty to the point that organizations are split between two conclusions.
Both of these conclusions suffer from the same issues relating to assumptions on Risk and Compliance. The assumptions are that Risk and Compliance equally relate to Data in Transit and Data at Rest. This is an incorrect assumption. You can’t be compliant with data not under your control. However, you can be responsible for the data that should be under your control.
Imagine if that same assumption was made for Phone Calls or Regular Mail. Would you only call people inside the office on a closed loop telephone system? Would you only send mail internally and by person? The answer is obviously, no.
But they are not the same, I hear the cry. Actually, the dissemination/ transmission of information through each of these processes is essentially the same.
Look at the following scenarios;
A customer calls your office to discuss a file. At the outset of the call, you inform the customer that “call’s will be recorded for….reasons”. That recording would most likely be digital and will contain Personally Identifiable Information (PII)** subject to privacy legislation. As such, it requires a level of security and management to ensure it is not compromised. However, the method of collecting that information i.e. the phone call, is outside of your control. Is the customer recording the conversation, is a third party monitoring it, is there a legal or illegal wiretap on the line? All of these scenarios are possible, but out of the control of your organization. Does that mean that the recording you have doesn’t need to be treated according to best practice and privacy laws? No, of course it doesn’t. Does it mean that a breach of access to that recording is meaningless because the information may be stored (or monitored) elsewhere? Of course not. The recording you have is unique and most likely contains additional information, not part of the call i.e. unique identifiers and links to a client file, notes from your company staff, metadata from the call itself. This makes a potential breach identifiable back to your unique source, under your unique control. So, although the risk and compliance relating to the external parts of the call i.e. external VOIP lines, external servers, caller’s phone, people in the room with the caller etc. are outside of your control, the data at rest in your organization is not. Unless you were negligent in knowingly allowing another party to illegally record or listen to the call, without the customers knowledge or permission, there is minimal risk. Trying to secure those transmission lines, outside of your control would be impossible outside of a closed loop system.
Take that same discussion but this time it is between two separate offices of your organization, one in Vancouver and one in Toronto. Again, you can control the environment at the two endpoints but not the lines in between. You can increase the security for inter office communications but more on that later.
Now take the same scenario but this time with letters between your company and a client. This letter will contain, names, addresses, client number maybe even credit card details or health record details. Do you ask the customer to pick that up from the office for fear of it being read while in transit? No. Again, if you sent this letter completely open (not in a sealed envelope) then you have an issue with negligence and privacy breaches. However, this isn’t how the world works. Even Revenue Canada uses regular Canada Post. Would you refuse to send the letter to certain areas of the world because it might cross an international and legislative line in transit? No. Even secure mail between offices might cross international borders during transit, that does not automatically create a non-compliance or privacy risk.
In both of these scenarios, we have communication with a client and inter office communications where PII** and more is exchanged. In both scenarios, there is a significant risk that data has been transmitted through a third party, not under your control, and as a result it could have been transmitted across international borders.
Does this mean that you have breached privacy legislation? Maybe if you did this in such a fashion that guarantees a data breach then you have bigger issues. However, if you have followed good business practices and maintain compliance, would this stop you from communicating externally? No.
In both of these scenarios, there are ways to increase security for phone calls and regular mail, where required. For phone calls (inter office, B2B and even to your customers), use encrypted VOIP lines. This can also have a cost benefit and increase functionality over a regular phone line using systems such as Skype for Business (not the consumer Skype system). For regular mail, you can use secure and even serialized tamper proof envelopes with checks and balances at both ends. Making these extra security steps mandatory or even a general standard for best practice would seem overkill, yet this is the standard for electronic communications through the cloud. Essentially, your data (and your client’s data) is probably more secure in transmission to Compliant, Data Sovereign cloud providers than that phone call and letter you think nothing of providing.
Would you be more concerned with someone getting direct, unfettered access to your phone or mailroom or intercepting that call or letter en route? So, why is data in transit such a concern?
Even if you think you have a closed loop secure system for transmitting information, chances are you don’t. Is your network connected to the internet? Is there anyone else in the building sharing infrastructure (phone or internet switches provided by external vendors etc.) or are you in multiple buildings without a dedicated hard line between them? Then you have a data in transit risk. That risk is not controllable and is minimal as long as basic precautions are taken.
Remember, most security breaches for electronic data occur at rest due to poor security, human error or deliberate human action. Moving to the cloud can decrease those risks, if implemented properly and with a compliant organization i.e. with an infrastructure that ensures your data at rest is compliant i.e. in your legislative jurisdiction for PIPA, PIPEDA, FOIP GDPR etc.
So, instead of dismissing the cloud because of the risk outside of your control, look at the benefits it can provide in security, compliance, scalability, functionality and cost savings.
Are you more at risk for having your credit card stolen on the daily drive to work, or having your house, office or car broken into? It doesn’t take a retired Police Officer like myself to answer that question.
Considering all the billions of electronic communications moving through the billions of lines in the world, what is the chance that your communication will be intercepted and used against you or your customer? The answer is very slim. It is all about return on investment and risk. Target your internal infrastructure where there is a large amount of data that can be captured and many lines of attack.
“it’s not the destination but the journey” is the common adage. In this case, the journey (Data in Transit) is important and should be secure and compliant. However, we really should focus on the destination (Data at Rest), especially when looking at the cloud for the future. Pick a compliant data center, follow best practices and embrace the future.
**Note: Since this article was written, GDPR came into full effect bringing with it the expanded definition of 'personal information' that went beyond PII.
“means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; ”
