Data confidentiality, while not paramount for CERN’s physics data, is still important when it comes to protecting sensitive contractual, financial, personal, radiation- and science-related documents and files. Just because CERN is “academic”, this does not and must not imply that data confidentiality is not an issue. On the contrary, it is our joint obligation to keep secret what is intended to be seen by just a few privileged eyes. Otherwise, lost data might become a media nightmare for CERN, or an operational risk, with both reputational damage and potential legal and contractual consequences. That’s why a dedicated Data Governance Office has been created. Before they ask, have you thought about how you handle your private and professional data? Do you let it walk away?
Or do you ensure the confidentiality of your private data on your portable devices (laptop, tablet, smartphone)? How do you store that data? How do you make sure it’s properly backed up? Of course, the first step is access protection – making sure that nobody but you (and your trusted peers) can access your portable device. Password protection. Fingerprint reading. FaceID. Whatever, as long as it is “strong” enough. The next step is local data encryption, if possible. Your Windows computer comes with “BitLocker” – just switch it on (and don’t lose its recovery code). Ditto for your MacBook – “FileVault” is your friend. For Linux, Ubuntu is one example of encryption available during set-up.
Things get a bit more complicated when it comes to backing up using removable media, e.g. flash drives, pluggable hard disks or your “network-attached storage” at home. Ideally, they come with an intrinsic encryption method already installed and ready for you to employ (once again, don’t forget the recovery code). If this is only for back-up, physical protection in a physical safe at home, under lock and key, might suffice. But if the purpose is sharing data with a third party, encryption of any confidential data is a must. Note that email communication is usually not encrypted and is therefore as unprotected as a snail-mail handwritten postcard. As an alternative to encryption, you can use platforms like Dropbox or Google Drive to upload your files and make them available for download via a shared URL (which you should communicate secretly). Of course, you need to trust those platforms’ security policies and their data privacy statements. CERNBox can be a valid alternative as long as your personal usage is not excessive.
For professional data, of course, CERNBox or any other CERN-managed storage system is the best and ONLY official way to share data with your colleagues. The easiest approach is to upload and share by granting access to the relevant CERN computing accounts, always following the “principle of least privilege”. Only those who need to know should be able to access those professional documents. We will discuss this more in a forthcoming Bulletin article on data handling.
And if you happen to use a CERN-owned computer (i.e. paid for via a CERN budget code*), it is imperative that this device has local storage encryption enabled. The Computer Security Office will enforce this in 2025 following a recommendation of the 2023 audit on CERN computer security. In addition, an upcoming Subsidiary Policy will require that local USB storage devices not be used for any professional data classified as other than “public”. Last but not least, remember that sharing (unencrypted) documents via email in no way preserves confidentiality. Just don’t do it unless you have encrypted your files first. Otherwise, your data might just walk away…
_______
*… but not a “Team” account.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.