As many in the privacy industry know, the best way to protect information is to not have it. While this can’t fit everyone’s business model today, zero-knowledge systems that have no access to user information shared through or stored on a service certainly have a head start in the quest for EU General Data Protection Regulation compliance.
With GDPR coming into force in May 2018, companies across all industries are working to understand where and how they are processing, storing and protecting personal data. Massive spending is forecast for technology solutions, legal support and risk management. With that, there is increased focus on the cloud storage and collaboration tools used to transmit valuable operational and customer data sent between third-party vendors and internal teams. Many are faced with managing the risks of relying on mainstream tools to enable various business functions. And so long as service providers maintain visibility into customers’ business content processed on a platform, it requires accepting the risks of that provider becoming a conduit for possible data exposure, which, under GDPR, may trigger rather large fines and regulatory actions.
Minimizing your digital footprint — Not so fast
In working with our partners and customers in different jurisdictions as they go through the assessment stage of their data operations, companies are now looking to proactively minimize their digital footprint. Interestingly, many are actively seeking zero-knowledge tools that provide irrefutable logs to show that data is neither stored nor accessible in non-compliant systems.
However, as it turns out, running a business or an international organization entirely on platforms that protect your data from everyone, including the providers themselves is not that easy. A simple survey of technology services shows there is only a handful that enables server-less computing, and approximately 70 percent are based outside of the United States. Among these tools are collaboration, email, cloud identity management, data storage, authentication and banking services.
While the list may be slowly growing in response to an increasingly evident lack of security guarantees offered by traditional tech providers, there is still far more growth in products that deemphasize data security. This is because zero-knowledge systems run counter to the dominant business model for internet-based technologies: the collection and monetization of user data. It is fair to say that the GDPR aims to regulate the protection of personal data largely because our industry has repeatedly shown that securing personal data privacy is not a priority.
Taking back control of your business data
Having spent the last twenty years probing companies’ defenses to improve their security, I don’t see a sustainable alternative to platforms that are engineered to trust math rather than server configurations, enabling privacy at the device level. With countless attack vectors, one of the most straightforward to prevent, and among the most common to be exploited, is server-side compromises of user databases. For that reason, designing a system that enables enterprises and their end users to have full control over the privacy of their communications allows eliminating that risk.
Now running a privacy platform, it certainly makes security and business sense to me to ensure that we are never able to have the keys to user content. Adding the ability to automate data expiration user-side further increases the privacy and security protection of customers’ business collaboration. This becomes particularly relevant given the report by the Compliance, Governance & Oversight Council showing that almost 70 percent of stored corporate data serves no business or legal purpose and only creates unnecessary risks.
So how likely is it that more technology providers will transition to become zero knowledge?
In supporting companies that protect their digital assets and systems, I have seen a shift among non-regulated organizations to adopt zero-knowledge technology to protect their critical communications and documents — from service providers and competitors to malicious state and non-state actors. Now, with the underlying premise that there are always teams and conversations that require strong privacy, the same phenomenon is taking place among organizations and enterprises operating under strict compliance regulations.
Shrinking GDPR exposure
Businesses processing high volumes of PII, PHI and other sensitive data seeking to comply with GDPR are responsible for protecting this high-target information. This applies to both high-value business operations and to data that companies don’t want to keep, didn’t ask for, and that only creates liability. Think customer support logs that may contain sensitive customer information or real-estate brokers processing credit cards or credit files. The idea that you don’t have to protect and be responsible for information that you and your service provider don’t store suddenly becomes drastically more attractive.
The number of zero-knowledge offerings will certainly continue to rise in response to both data protection regulations, including a massive change prescribed by GDPR and market demand for stronger security guarantees. Gaining control over digital assets by shifting business operations — be it emails, messaging or cloud storage — to what de facto is a black box would significantly narrow the scope of the compliance audits. Under GDPR, the use of zero-knowledge systems enables companies to invoke a breach notification exception due to encryption, rendering data effectively unintelligible to any person who is not authorized to access it.
Given the risks and the high-stakes regulatory landscape, the lack of access to sensitive data in zero-knowledge platforms should become a critical component of most thoughtful GDPR-compliance strategies.
If you want to comment on this post, you need to login.