January 24, 2013

Introducing ZKPAs: Privacy is a part of security


Most of you have probably caught on by now that 2013 is ‘The Year of Privacy’. One of many reasons is we’ve just launched our ‘Zero-Knowledge Privacy Ambassador’ (ZKPA) program.

We now have nine impressive ZKPAs from around the world who we want to introduce you to in the coming weeks. You will find these ZKPAs online and offline, specifically advocating for the virtues upon which we built SpiderOak and educating others on zero-knowledge privacy. They will help us dream and expand the program in order to make ‘zero-knowledge’ a household term.

Allow me to introduce to you one of these new ZKPAs, Ryan D. Lang. Ryan graduated magna cum laude from Drexel University this past summer, 2012, with a degree in Computing and Security Technology. While employed at the Camden County Library System, he aided patrons as in-person technical support. He is currently employed in the IT Support department at LT Security.

In his spare time, he works on a book that attempts to adapt corporate best practices to average users. The goal is to convince others of the importance of good security. Earlier writings can be found at Ghacks.net. “I just want to do a little good in this world.”

Ryan wrote the following post:

Privacy is a part of security

It came up in the meeting that several members of SpiderOak felt that privacy and security were separate. I politely objected to no avail, but rather than argue, I elected to compose a concise, persuasive essay.

Security is often described as being composed of the CIA: Confidentiality, Integrity, and Availability. “Confidential” can literally be defined as “private” or “secret.” * Thus, privacy is a subcomponent of security. To attain privacy/confidentiality industry uses technology, policies, and physical controls.

Consider VPNs: Virtual Private Networks. They are designed to keep communications private over a public network. They employ the technology of encryption to achieve this. Another technology employed is user privileges. They can control/restrict access to information, keeping it secret from those who do not need access. SpiderOak takes this a step further by removing access from employees completely.

Policies are rules of conduct that a company sets for its employees. They can be used to define what should be kept private and create ramifications for sharing secrets. While this often relies on background checks and the honor system, the procedures defined by policies can make breaking them harder (e.g. requiring two signatures or a notary on critical documents).

Locks and keys have long been used to secure property. Physical security is as important as digital security. This should include old-fashioned locked doors to protect private data (&c.) not only from outside access, but from unauthorized internal access as well. Key files placed on a physical USB drive can be used with TrueCrypt and KeePass, secret-keeping programs, to complement or replace passwords.

These are examples of old and new methods used to protect privacy. Together they form critical parts of industry security best practices. Without privacy, data is insecure.

*http://www.m-w.com/dictionary/confidential (see definition #2)

Personal Note

I find “confidential” to be an interesting word. To me it means: “giving with trust of keeping a secret.” A prime example of this is when you confide in a friend. Another example is when talking to a doctor or lawyer; arguably a better example, since there is legal backing. Those professionals have to keep your secrets (within statutes) or they will be fined or even lose their license to practice. I do not think that the majority of companies consider the depth of the word “confidential” when forming policies or choosing controls (though they may consider “due diligence”).