Analysis of the INE/Cloudflare case, where the Portuguese DPA ordered the suspension of data transfers to the USA according to the Schrems II ruling, and reasoning about the general implications for SaaS solutions.

CDN services architecture

In this post I analyse the recent INE/Cloudflare case according to the Schrems II ruling, where the Portuguese DPA ordered the suspension of all transfers of Portuguese census data to the USA. I then abstract the architecture pattern inherent to the INE/Cloudflare situation and reason about possible implications for non-EEA SaaS in the future. I finish the post by giving some examples of possible technical measures that can be implemented to provide an adequate level of protection when using SaaS services (whether non-EEA or EEA).

The INE/Cloudflare use case

Recently, the Portuguese Data Protection Authority (DPA) ruled that Statistics Portugal (INE in Portuguese) had to…

Bring your own key (BYOK) is a marketing feature offered by most public cloud providers that enables customers to use encryption keys they generate themselves.

In this blog post I address Bring Your Own Key (BYOK) and the concept of (cryptographic) key control. I start by giving a high-level overview of what the BYOK feature entails and then explain why it is important for organisations to control the encryption keys that are used to protect their data. I then address the question of whether BYOK solves the key control problem when deploying applications in a Cloud Service Provider (CSP).

The concept of bring your own key (BYOK)

We thought we had solved the problem, but it seems we have just created a new one.

Alice signs a document with her private key and Bob can verify Alice’s signature using her public key.

This post addresses the concerns related to remote (digital) signature services in the context of the eIDAS regulation. I start by introducing the concept of digital signatures and their requirements within the context of eIDAS. Then I give a high-level overview of the concept of a remote signature service, as well as its main implementation flavours. In the end I explain why I consider that remote signature services (as described here) should not be used to provide signatures that aim at replacing handwritten ones.

Digital signatures

Encrypted hash

This blog post addresses the impact of Schrems II on organisations within the European Economic Area (EEA) that host their services in public cloud services (owned by companies that are not part of the EEA). In particular, I address the impact on EEA organisations that host their services in Microsoft Azure or Amazon Web Services (AWS). This analysis is non-exhaustive, and the impact of Schrems II has wider ramifications than the ones specifically addressed in this post.

Please note that I’m not a person with a legal background and this is just a summary of all the conclusions I’ve drawn…

Yes, some aspects of software security are slowly improving. But, the more accurate answer is: there is still a lot to be done.

What does this yes mean then? That you are spending your efforts in the right way? That applications are getting safer?

Let’s see what kind of things have improved and what’s still missing.

What has been actually improving?

#1 Active usage of secure connections

Applications do rely more and more on secure connections, including internal network communications (which was not the case a couple of years ago). I believe the shift to secure communications has been motivated by different reasons, such as:

  • Browser vendors started spreading awareness: not so long ago the major browser vendors started forcing the usage of secure connections. …

Making sense of the GDPR as a software engineer (and social human being)

Article 25 of the General Data Protection Regulation (GDPR) addresses data protection by design and by default as a general obligation for data processors and controllers. From a software engineer’s perspective, it is really challenging to distill the relevant information and concrete action points from this new regulation. We can get stuck easily.

Software engineers need concrete and actionable answers on what and how to do things. Unfortunately, legislation and legislators are hardly ever concrete either because they might not be inclusive enough, or because there’s a…

9 best practices to make your software security future proof

How maintainable is the security of your (web) application?

Maintainable security. This topic has been floating in my mind for a long time.

Information security is the hot topic of the moment, either because the GDPR demands it as a prerequisite for privacy enforcement or because people are becoming more and more aware of its importance. The trust people put in online transactions is what makes it one of the most important and challenging things of the modern internet. Without information security, online services would not be possible.

As for Maintainability, although most people are not even aware of what that means and do not consider it yet as…

Photo credits: Claudio Andre

I attended BSides for the first time and I was thrilled

BSides Lisbon was a one-day event on information security (InfoSec) organised by AP2SI, a Portuguese organisation that is trying to develop InfoSec in Portugal. Although this wasn’t the first edition, this was the first time I participated in the BSides event. The event is very international (with speakers from different parts of the world and all the talks in English) but the audience was mostly Portuguese. Many software engineering and computer science students were attending the event.

The importance of bringing information security knowledge to Portugal

As a native Portuguese living abroad, I’m very glad that these awesome events are happening in Portugal. Creating InfoSec awareness in Portugal…

Crypto implementations of enterprise software are likely to be broken

Some time ago I started doing security analysis; more specifically, secure code reviews of enterprise software systems. I instantly realized that real-world software systems more often than not do not implement crypto correctly, and even more scary is that most developers don't really know how to do it right.

To be honest I wasn’t expecting that industry software was lagging behind on this matter. But, after some discussions with co-workers and reading a lot, I indeed realised that there’s a huge gap between cryptographic knowledge and software development.

Did you know that most of the examples of the implementations using crypto in popular forums/blogs are wrong?

After Googling for a while, I’ve found tons of blog/forum posts with bad…

My thoughts about (digital) privacy

When was the last time you gave a piece of personal information to Google? Did it bother you?

I’m almost sure you didn’t even think about giving Google access to your location when you were late for that appointment and trying to find the fastest way to get there.

What is (digital) privacy after all?

Everyone talks about privacy, but do you know what digital privacy really means? …

Bárbara Vieira

Cryptography Consultant and Product Owner @ ABN AMRO. I mainly write about Security and Privacy. Opinions are my own.
