Data security has always been on the to-do list for software providers, especially for those who emphasize user privacy. COVID-19 has drastically impacted cyberspace, causing an inevitable increase in cybercrime. With many people working from home and using the internet more often, the pandemic has proven the perfect opportunity for cyberattacks. According to Statista, the annual monetary damage of cybercrime in 2020 hit $4.2 billion, as compared to $3.5 billion in 2019 and $2.7 billion in 2018. Data breaches also affect a company’s reputation, which results in customer churn and business damage.
In September 2020, the New York-based sports club owner Town Sports exposed sensitive data of 600,000 employees and clients due to storing data in an unprotected database and improper database security monitoring. The data revealed included full names, billing histories, phone numbers, emails, and mailing addresses. The timing of this massive data exposure was particularly unfavorable for the company, as due to COVID-19 they had shut down 185 gyms and let almost all of their employees go. In the end, Town Sports filed for chapter 11 bankruptcy with $500 million in liabilities. In short, businesses should take seriously adopting effective data protection strategies. We’ll share some basic knowledge of effective data protection and professional data security technologies in this data security guide.
Approaches and technologies that help to ensure top-notch data security
In this section, we’ll give you a quick overview of the best ways to ensure a high level of data security. Later in this post, we’ll discuss each of them in detail:
- Data risk assessment. To ensure maximum security when exchanging data, you should start with estimating risks your company might face. Early in the software development life cycle, threat modeling will help you conduct security analysis and define vulnerabilities related to the system architecture and design. Later, you can spot security problems by means of code reviews or penetration testing. If you don’t do enough testing, issues might not be revealed until an app is in production and is compromised. For proper risk assessment, stick to the OWASP Risk Rating Methodology. Read on to learn more about it.
- HTTPS (HyperText Transfer Protocol Secure) is a more secure alternative to HTTP. A website with HTTPS protects users’ sensitive data much better than a website without it. Using this protocol is especially important for sites that accept payments or require users to enter confidential information.
- End-to-end encryption ensures the privacy of communication between users. It’s a data protection method of encoding data that prevents data leakage during communication between a sender and recipient (e.g. when sending private messages or exchanging emails).
- NaCl (read as “salt”) is a fast and easy-to-use software library tailored to network communication, encryption, decryption, and signatures.
Read also: Code Review via GitLab Merge Requests
How can you estimate the gravity of cybersecurity risks
By following the OWASP Risk Rating Methodology, you can assess the severity of all cybersecurity risks and make an informed decision about what actions to take in response and which cybersecurity strategy to choose. A system for rating risks will help you save time and ensure you don’t get distracted by minor risks while neglecting critical risks that are less well understood.
A universal risk rating system will properly assess all the risks your company faces. Note that a vulnerability that’s crucial for one business might not be crucial for another. Therefore, you should customize the basic framework shown below.
After performing a risk assessment, you might determine, for example, that you need an HTTPS inspection. In that case, you’ll have to ensure your HTTPS inspection products provide appropriate Transport Layer Security (TLS) certificate validation. Products that don’t provide secure TLS communications and don’t transmit error messages to the user are likely to compromise the end-to-end protections that HTTPS is designed to ensure.
Why serve a website via HTTPS?
HTTPS is also called HTTP over TLS or HTTP over SSL. Sites that are served via HTTPS have redirects, meaning that even if you enter http://, you’ll automatically be redirected to a secure, encrypted https:// connection. The Transmission Control Protocol (TCP) helps HTTPS forward and receive data packets. This happens via port 443 using a TLS-encrypted connection.
The basis of HTTPS is public–private key cryptography. The public key is for encryption. The private key is secret and is required for decryption. Both keys are randomly generated and stored on your server.
A Certificate Authority, or CA, cryptographically signs digital certificates. All browsers have a list of CAs they trust. A certificate signed by a CA in the browser’s list is indicated with a green padlock in the browser’s address bar, as it is trusted and belongs to the domain. Services like Let’s Encrypt have made obtaining SSL certificates free.
How TLS/SSL helps the HTTPS protocol and connected components protect data
As a rule, a man-in-the-middle (MITM) attack intercepts HTTP session cookies to steal a user’s authenticated session and allow a hacker to act like the authenticated user. The use of encryption methods like Wi-Fi Protected Access (WPA) and other local IT solutions can complicate such an attack and protect critical data of your users. However, if a site doesn’t require end-to-end HTTPS, an MITM attack still might be successful.
TLS/SSL helps the HTTPS protocol ensure cloud security and the protection of data when transmitting it over the internet. Appropriate use of the protocol ensures that data received by the client is encrypted and cannot be read by any third party. You can also use TLS/SSL for securely connecting components such as microservices with a database or load balancer.
If a mobile app doesn’t use SSL, which is often the case, the app connects, authenticates, and transmits data via the network in the form of cleartext. An MITM attack is able to capture this data unless the proper application security is in place. Additionally, if an app uses SSL but doesn’t correctly verify the SSL certificate, the app becomes susceptible to a man-in-the-middle SSL attack.
HTTPS is good but is not enough
As HTTPS becomes increasingly common, it begs the question: Why encrypt your data end to end if HTTPS provides a high level of security? Well, the thing is that HTTPS is an essential but still only a small component of the cryptography puzzle. To find out what extra security requirements your company needs, answer the following questions:
- How many times does your data get decrypted and re-encrypted while traveling from a user to your system?
- How many systems can access the cleartext during transmission?
- How many departments are responsible for this data journey?
After answering these questions, note the limitations of HTTPS and the benefits end-to-end encryption provides.
What are the limitations of HTTPS?
HTTPS gives the impression that data is encrypted, but it’s not that simple. HTTPS doesn’t encrypt data at rest. This harms data security ecosystem on both sides of the transmission process.
Additionally, HTTPS absolutely ignores what happens to data once the HTTPS connection is terminated, which might happen farther out on the edge of your network than you think (for example, at your load balancer).
This creates a vulnerability, making it possible for you to be attacked at various points of processing (application, load balancer, server), two points of storage (mobile device, server), and one point of transmission (internal traffic).
If your server is the endpoint of your web API but your services for processing, analyzing, sharing, and backing up data are in different places, the situation gets worse. In this case, you can use HTTPS, but you can’t confirm that you’ve encrypted the data, which makes it unprotected. In the case of end-to-end data encryption, data is secure during all stages of transmission.
So how can we further secure communication between users?
End-to-end encryption best practices
So far, end-to-end encryption is considered the most secure method for exchanging data online. This data protection technology allows for encrypting messages at both ends of a conversation (the sender and the recipient). Such an approach prevents someone in the middle (a hacker, government, or service provider) from accessing private information. The trick with end-to-end encryption is that no one except for the sender and the recipient has the private key needed to decrypt the messages.
For many systems that we use in day-to-day life – such as email services and online chats – encrypted messages may still pass through a company’s servers, where they’re decrypted and stored before being delivered to the recipient. This poses a real risk of users’ private information being read or misused if a service provider’s server is poorly protected.
End-to-end encryption is considered safer, as it minimizes the number of parties involved in the data encryption process (and who may be attacked). With end-to-end encryption, a service provider’s server only works to pass messages, while the actual encryption/decryption happens on users’ devices.
Read also: An Extensive Guide to Messaging App Development
How does end-to-end encryption work?
Asymmetric encryption, a more modern implementation of end-to-end encryption, uses a pair of keys (large numerical values) to make secure communication possible:
- A public key is used to encrypt data transferred from a sender to a recipient. The public key is usually generated by a service provider and is available through a public directory to anyone who wants to send encrypted messages.
- A private key is used to decrypt the contents of a message encrypted with the public key; only the recipient has the private key to unlock the message.
Say you want to message “What’s up?” to your friend Nicole in private, using a secure end-to-end encrypted messenger. To do so, you’ll use Nicole’s public key to encrypt your message and turn it into so-called ciphertext.
You’ll then send your encrypted message over the public internet. On its way, your message can pass through a number of the messenger’s servers. Still, the messenger service itself won’t be able to turn your ciphertext into plaintext to read it. Only Nicole with her private key can do so.
Key generation process for end-to-end encryption
With end-to-end encryption, there are no general or app-wide keys or certificates. Key generation and propagation across all chat members (participants) happens in the following way:
Yalantis’ experience with end-to-end encryption
Read also: Ensuring Protection of Sensitive Data in Medical Chat Apps via Access Levels
Another look at the use of end-to-end encryption: non-messaging use cases
End-to-end encryption makes sense whenever two parties exchange sensitive data. Use cases include not only direct messaging but email communication, remote desktop access, and online banking.
Let’s look at this in terms of payment gateways. How to protect credit card information? When a user enters such information during checkout, this data is instantly encrypted and stays encrypted until it reaches a payment processor or an acquirer, where it gets decrypted.
Implementing end-to-end encryption doesn’t necessarily require you to have expensive equipment or training — or to hire many technical specialists.
Keep in mind that reputable payment systems like PayPal encrypt card information themselves. Also, PayPal tracks all transactions around the clock to avoid fraud, email phishing, and identity theft. Retailers can’t access card information as long as they’re using PayPal’s Vault API, as each transaction is encrypted. The Vault API securely stores users’ card data so a retailer doesn’t need to keep that data on their servers.
Read also: Mobile App Payment Gateway Integration
Despite the strength of encryption algorithms, exchanging keys is a challenge. We already know that encryption keys must only be known to the communicating parties. So how can we ensure such a level of digital privacy? With the help of a secure communication channel established by the Diffie-Hellman algorithm. Let’s see how we can use it.
The role of the Diffie-Hellman algorithm in ensuring the secrecy of key exchanges
The Diffie-Hellman algorithm was one of the first famous asymmetric key implementations, and it’s mainly used for exchanging keys. Symmetric key algorithms are fast and secure, but exchanging keys is always challenging.
You need to find a way for all systems to receive the private key, and the Diffie-Hellman algorithm helps with this. It’s used to set up a secure communication channel that is then used by the systems to exchange a private key, which is then used to ensure symmetric encryption between the systems.
Using NaCl to create cryptographic tools
NaCl provides all operations necessary to create great cryptographic tools. Here are its features:
Data-dependent branches. The CPU’s instruction pointer and branch predictor are not tailored to keeping data secret. The history of cybercrime has lots of examples of successful timing attacks that have captured secret keys from these CPU components. NaCl avoids the flow of secret information to the instruction pointer and the branch predictor. There are no conditional branches based on secret information; each loop count is predictable. Such protection is compatible with high-speed computing. Therefore, there’s no sense considering options that provide weaker protections.
Data-dependent array indices. The CPU’s cache and translation lookaside buffer (TLB) are also not tailored to keeping addresses secret. Some successful cache timing attacks have used secret data leaked via addresses. NaCl avoids all flows of secret data to addresses applied in load and store instructions. There are no array lookups with indices based on secret data, and the pattern of memory access is predictable.
No dynamic memory allocation or copyright restrictions. The C-language version of NaCl is intended to be usable in environments that cannot guarantee the availability of large amounts of heap storage but that nevertheless rely on their cryptographic computations to continue working. C-language NaCl functions do not call malloc, sbrk, etc. They do use small amounts of stack space, which we will eventually measure using separate benchmarks. This feature applies only to the C version of NaCl, however. Higher-level languages such as Python are not currently usable in restricted environments. All NaCl software is in the public domain.
How can Yalantis ensure your data security?
As a security service provider, Yalantis uses all the abovementioned technologies and approaches to provide our clients with the highest level of data security.
For instance, here is how we solve the problem of encryption and decryption for group chats:
Key generation and exchange
To establish encrypted connections, we generate all needed keys when a chat is created to ensure secure message encryption. In order to gain additional network security, keys are generated for each individual chat, meaning that keys generated for chat A are useless for chat B.
As discussed earlier, we use the Diffie-Hellman algorithm for securely exchanging keys between parties.
We also apply Curve25519, an elliptic curve providing 128 bits of security that’s specially designed to be used with the Diffie-Hellman elliptic curve. We’ve used Curve25519, XSalsa20, and Poly1305 as encryption/decryption/message verification algorithms. Android, iOS, and Golang, which we use for backend development, all have native libraries for these three algorithms.
Holistic approach to ensuring data security on the project
On the Healthfully project, one of our main objectives was to provide proper data security. Data security is especially relevant for the healthcare domain, given strict security requirements of laws like HIPAA (the Health Insurance Portability and Accountability Act) and heavy fines for leaking patients’ data.
We ensured HIPAA compliance and product security by:
- Making PII (personally identifiable information) and PHI (protected health information) visible only for users with permission to view it
- Setting session expiration times and regulating the number of devices logged in at the same time
- Providing an encrypted communication layer (SSL)
- Allowing only SSL-based connections for data exchange between user and server
- Incorporating a strict password policy
The best you can do to achieve maximum security and ensure your business protection is to apply cryptographic standards that are likely to be relevant for the next five to ten years. Closely following NIST guidelines helps Yalantis find the most relevant solutions that have already proven efficient. For example, Realm has its own cryptographic mechanisms that we apply to the apps we develop.
There are multiple effective ways of protecting, securing, and managing data including encryption, strong user authentication, backups, and erasure. All of them are worth independent articles. In this post, we’ve tried to distill the mandatory components of a cybersecurity barrier.
Note that you can always rely on data security experts to implement security measures specific to your business. After a massive 2016 data breach, Uber hired an outside firm to conduct an assessment of their data security solutions and then implement those recommendations to adopt data security best practices. This step was aimed at establishing methods to safeguard user data stored on third-party platforms and to build strong password protection policies.