In this post I analyse the recent INE/Cloudflare case according to the Schrems II ruling, where the Portuguese DPA ordered the suspension of all transfers of Portuguese census data to the USA. I then abstract the architecture pattern inherent to the INE/Cloudflare situation and reason about possible implications for non-EEA SaaS in the future. I finalise the post by giving some examples of possible technical measures that can be implemented to provide an adequate level of protection when using SaaS services (whether non-EEA or EEA).
Recently, the Portuguese Data Protection Authority (DPA) ruled that Statistics Portugal (INE in Portuguese) had to…
In this blog post I address Bring Your Own Key (BYOK) and the concept of (cryptographic) key control. I start by giving a high-level overview of what the BYOK feature entails and then why it is important for organisations to control the encryption keys that are used to protect their data. I then address the question of whether BYOK solves the key control problem when deploying applications in a Cloud Service Provider (CSP).
We thought we had solved the problem, but it seems we have just created a new one.
This post addresses the concerns related to remote (digital) signature services in the context of the eIDAS regulation. I start by introducing the concept of digital signatures and their requirements within the context of eIDAS. Then I give a high-level overview of the concept of a remote signature service, as well as its main implementation flavours. In the end I explain why I consider that remote signature services (as described here) should not be used to provide signatures that aim at replacing handwritten ones.
This blog post addresses the impact of Schrems II on organisations within the European Economic Area (EEA) that host their services in public cloud services (owned by companies that are not part of the EEA). In particular, I address the impact on EEA organisations that host their services in Microsoft Azure or Amazon Web Services (AWS). This analysis is non-exhaustive and the impact of Schrems II has wider ramifications than the ones specifically addressed in this post.
Please note that I’m not a person with a legal background and this is just a summary of all the conclusions I’ve drawn…
What does this yes mean then? That you are spending your efforts in the right way? That applications are getting safer?
Let’s see what kind of things have improved and what’s still missing.
Applications do rely more and more on secure connections, including internal network communications (which was not the case a couple of years ago). I believe the shift to secure communications has been motivated by different reasons, such as:
Making sense of the GDPR as a software engineer (and social human being)
Article 25 of the General Data Protection Regulation (GDPR) addresses data protection by design and by default as a general obligation for data processors and controllers. From a software engineer’s perspective, it is really challenging to distill the relevant information and concrete action points from this new regulation. We can get stuck easily.
Software engineers need concrete and actionable answers on what to do and how to do it. Unfortunately, legislation and legislators are hardly ever concrete, either because they might not be inclusive enough, or because there’s a…
Maintainable security. This topic has been floating in my mind for a long time.
Information security is the hot topic of the moment, either because the GDPR demands it as a prerequisite for privacy enforcement or because people are becoming more and more aware of its importance. The trust people put in online transactions is what makes it one of the most important and challenging things of the modern internet. Without information security, online services would not be possible.
As for Maintainability, although most people are not even aware of what that means and do not consider it yet as…
BSides Lisbon was a one-day event on information security (InfoSec) organised by AP2SI, a Portuguese organisation that is trying to develop InfoSec in Portugal. Although this wasn’t the first edition, this was the first time I participated in the BSides event. The event is very international (with speakers from different parts of the world and all the talks in English) but the audience was mostly Portuguese. Many students from software engineering and computer science were attending the event.
As a native Portuguese living abroad, I’m very glad that these awesome events are happening in Portugal. Creating InfoSec awareness in Portugal…
Some time ago I started doing security analysis; more specifically, secure code reviews of enterprise software systems. I instantly realized that real-world software systems more often than not do not implement crypto correctly, and even more scary is that most developers don't really know how to do it right.
To be honest, I wasn’t expecting that industry software was lagging behind on this matter. But, after some discussions with co-workers and reading a lot, I indeed realised that there’s a huge gap between cryptographic knowledge and software development.
After Googling for a while, I’ve found tons of blog/forum posts with bad…
When was the last time you gave a piece of personal information to Google? Did it bother you?
I’m almost sure you didn’t even think about giving Google access to your location when you were late for that appointment and trying to find the fastest way to get there.
What is (digital) privacy after all?
Everyone talks about privacy, but do you know what digital privacy really means? …
Cryptography Consultant and Product Owner @ ABN AMRO. I mainly write about Security and Privacy. Opinions are my own.