Privacy By Design: Responding To The EU-US Privacy Shield Ruling


Last week, the EU Court of Justice struck down the EU-US Privacy Shield agreement

This agreement had been the mechanism under which US companies could process and use privacy-related data since a similar ruling in 2015 invalidated the old Safe Harbor mechanism.

The implications are wide and far-reaching, and companies of all sorts will scramble to demonstrate compliance with the Standard Contractual Clauses (SCC), the clauses that can be written into contracts to ensure privacy-related data is handled properly.

This is especially difficult because many organizations have moved to Software-as-a-Service and the data centers behind it. The question now is how CIOs and CISOs exercise data autonomy and quickly tell which vendors can make the journey soon enough to avoid fines and which cannot; in other words, which ones operate on a privacy-by-design principle and which ones don't.

One term we will hear a lot is Data Sovereignty: the principle that data should stay within the national, or even regional, physical jurisdiction so that that region's laws and practices remain the ultimate authority over it.

This is closely related to, but not the same as, Data Autonomy, which put simply is about authority and control over data: you decide where it should be, how it should be used, who should see it, how to correct it and how to ensure your policies are applied the way you want them to be. The two ideas overlap, but not completely.

The SCC aren't just words to paste into a contract. They are measures that must be reflected in technical architectures and business practices. Companies have to be able to assure Data Autonomy technically, and then to ensure strong business practices around onward use of data and its privacy, handling of claims, and statements of purpose.

Of the two, the first is the harder one if data structures, applications, storage, use cases and other interactions with data aren't private-by-design.
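To make the distinction drawn above concrete, here is an added example (not from the original article or from Forbes) of what "assuring Data Autonomy technically" can look like at the data-record level: each record carries the jurisdiction it must stay in (sovereignty), the purposes stated at collection and the roles allowed to see it (autonomy), and every processing request is checked against all three so the refusal reasons form an audit trail. The record fields, the policy table and the sample request are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: a record is tagged at creation with where it may reside,
# why it was collected and who may see it. Policy travels with the data rather
# than being bolted on later, which is the privacy-by-design point of the article.
@dataclass(frozen=True)
class DataRecord:
    subject: str
    home_jurisdiction: str      # physical jurisdiction the data must stay in (Data Sovereignty)
    purposes: frozenset         # purposes stated at collection (Data Autonomy)
    allowed_viewers: frozenset  # roles permitted to access it (Data Autonomy)

@dataclass(frozen=True)
class ProcessingRequest:
    actor_role: str             # who is asking
    purpose: str                # what they intend to do with the data
    target_jurisdiction: str    # where the processing or storage would take place

# Hypothetical adequacy table: jurisdictions whose law the record's home region treats
# as equivalent. Constructed so that the EU maps only to itself, i.e. no US entry.
EQUIVALENT_JURISDICTIONS = {"EU": frozenset({"EU"})}

def evaluate(record: DataRecord, request: ProcessingRequest):
    """Return (allowed, reasons). All rules are checked, not short-circuited,
    so a denied request records every policy it would have violated."""
    reasons = []
    # Data Sovereignty: the data may not leave its legal region.
    permitted = EQUIVALENT_JURISDICTIONS.get(record.home_jurisdiction,
                                             frozenset({record.home_jurisdiction}))
    if request.target_jurisdiction not in permitted:
        reasons.append(f"residency: {request.target_jurisdiction} is outside "
                       f"{record.home_jurisdiction}")
    # Data Autonomy: the owner's stated purpose and audience are the authority.
    if request.purpose not in record.purposes:
        reasons.append(f"purpose: {request.purpose!r} not among collected purposes")
    if request.actor_role not in record.allowed_viewers:
        reasons.append(f"access: role {request.actor_role!r} not permitted")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample: an EU billing record and a request to process it in the US.
    rec = DataRecord("alice", "EU", frozenset({"billing"}), frozenset({"finance"}))
    allowed, why = evaluate(rec, ProcessingRequest("finance", "billing", "US"))
    print("allowed" if allowed else "denied: " + "; ".join(why))
```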

For decades now we have talked about secure-by-design as a principle: that software must be architected and coded, as close to the source as possible, to use strong cryptography, to account for identity and access, for updating and patching, and so on.

Being private-by-design will require that security be done well, and that the notions of data autonomy and data sovereignty be considered early on too. Adding them later will be expensive and extremely difficult to bolt on.

By contrast, changing business processes is much simpler. Hiring people in the right places, creating policies and setting up operations are human efforts and can happen in weeks.

Changing architecture takes years, and adding it late in the game can and will lead to performance degradation, availability issues, feature limitations, and claims that are hard to prove and hard to verify. Audits will be especially painful once things get up to full speed.

After inspecting the data held in-house, the dialog in boardrooms should turn to what employee, customer and partner data sits in third-party data centers outside the organization. Do you know where it is, and can you determine what happens to it and with it?

And then it's time for the tough conversations. Vendors will have to provide timelines for SCC compliance, and the warning signs will be equivocation over what's needed, claims that Big Data or machine learning (or even AI) requires pooling of data (it does not), or attempts to redefine what counts as data.

In the end, excuses will be many; but now is the time to make sure that you have Data Autonomy and can enforce Data Sovereignty. Privacy restrictions and rules will only get ratcheted up, and any vendor in any field that can't give a timeline for how and when it will demonstrate this isn't future-proof with respect to privacy.

Data isn't a right to possess; it's a privilege to interact with. The EU model will increasingly influence other regimes, and even a Privacy Shield 2.0 (Safe Harbor 3.0?) would only give a temporary reprieve to IT and security vendors collecting vast amounts of data.

It's also a wake-up call to make sure that data is, in fact, used for the purposes it was collected for and not for business models behind the scenes. The privacy revolution is ongoing, and the recent EU rulings aren't the end of the book; at most they are the end of an early chapter in a longer story.

Let's all work to build private-by-design into everything we do, especially in a work-from-anywhere world with more and more cloud services and third-party data centers in use.

Source: Forbes
