
The State of Encryption, Part 2: How is it Changing?

NSA revelations have placed an increased emphasis on encryption, with MIT Tech Review labelling 2014 “The Year of Encryption”. In part one of our special report, we looked at the technical and social aspects of encryption; in part two, IDG Connect speaks to seven industry experts, including an academic and a CEO, about where all this is heading.

“There is [an] escalating arms race between the bad guys and good guys for better encryption and cracking techniques. This is an age-old battle between good and evil expressed in the internet age. One side triumphs for a while but then the other side catches up and the battle rages on,” says A. N. Ananth, CEO of EventTracker.

“Some changes need to be systemic,” he adds. “For example, many have called for the NSA to be restricted by the government to stay within a sandbox verified by independent oversight. While recognizing that only a free society will self-impose such restrictions on its own government, it is nevertheless an important step. Closed societies will reject such restrictions but their evolution is less assured, anyway.”

Professor Simon Shepherd of Bradford University disagrees that techniques will need to change to keep up as encryption becomes more prevalent: “We have all the techniques we need for all the security aspects of confidentiality, integrity, access control and key management. Sure, technology advances, but we have all we need currently to do the job.”

Ongoing changes in technology lead to necessary changes in security, and Paco Hope, Principal Consultant at Cigital, feels: “Encryption has a [particular] impact on ‘the Internet of Things’ because it imposes significant computing requirements on ‘things’ that would do encryption. If your watch, electric meter, refrigerator, or car has to encrypt all the data it’s sending, then whole classes of microprocessor are excluded from consideration.”

“Fundamentally,” he adds, “techniques like asymmetric cryptography, hashes, and key exchanges are sound. We’re discovering that we need crypto in places where the budget or form-factor make that difficult to achieve. Additionally we’ve discovered that some of the commercial cryptography products we rely on may have been undermined by the spy agencies. So the math is sound, but the implementations of that math may be suspect.”

In November, Eric Schmidt said: “The solution to government surveillance is to encrypt everything,” and there has certainly been a mass movement towards this across the industry. Google has extended encryption across its search facility. Yahoo has made a large-scale move to encrypt email. And Microsoft plans to encrypt all data traveling to and from its networks by the end of the year. But what does our panel think?

Alex Balan, security expert at BullGuard, generally agrees with Eric Schmidt’s statement, but believes it is only part of the solution. Why? “Because, without a strong technical background, you have no idea, or control, as to whether someone has managed to get in the middle or, whether the ‘everything’ in your system uses proper encryption (think apps, system components and even hardware). And, of course, it can also lead to a false sense of security.”

“Encryption is just a good step forward and not the solution,” he continues. “The solution is proper laws to ensure transparency when privacy breaches happen and to ensure that they never happen without at least very good reason. People are advocating good control over state surveillance. But because the people making the decisions either lack the technical background or the interest to care about the individual’s privacy, this will not be successful any time soon.”

Hope is also in partial agreement and says: “We cannot sprinkle magic crypto fairy dust on our software and call it secure. If your PC has malware on it, then attackers (government or otherwise) have access to your data before and after encryption. If a web server uses SSL, but is willing to disclose confidential data to an unauthorised party in response to SQL injection, it does not matter that the data is confidential as it traverses the internet to the attacker. Software must be secure in the way it does what it does. It cannot rely on cryptography to protect the data if the logic itself is flawed. So yes, we must encrypt more often, but the lack of crypto is just one weak link. After we’ve encrypted everything, we still have a lot of work to do.”

“Encrypting data is essential,” he continues, “but it is simply not the same as building secure software. As an industry we know how to build secure software, and it requires certain activities in the software lifecycle beyond the eleventh hour penetration test. Firms that build secure software perform source code.”

Carole Murphy, Director of Product Marketing at Voltage Security, stresses: “The recent spotlight on government surveillance has thrust the need for new, easy to use and pervasive encryption technologies into popular media and into consumers’ minds like never before, creating awareness and concern.” This means encryption is now not only an enterprise need.

“[Today] it’s needed for economic and political requirements as a response to surveillance, and to protect sensitive data consumed and produced by the rapidly expanding Internet of Things. As a result, growth and demand for pervasive, data-centric protection will only increase in the coming years,” she concludes.

Professor Simon Shepherd wholeheartedly agrees with Schmidt’s statement. “Think about the postal service,” he says. “Why don’t we send our bank statements and medical information on postcards? Everyone takes for granted the use of envelopes for privacy. It is the same with electronic communication. If we just encrypt everything (which is very easy) then no-one would treat anything encrypted as suspicious. It would just be routine.”

“Of course, government agencies could still do traffic analysis to see who is talking to whom. But they couldn’t read the contents,” he continues. “It would only take an upswell of strong feeling and it would be quite possible to blow a huge hole in government surveillance programmes that they couldn’t easily fix.”

“Not all data in the cloud needs to be encrypted,” says Paige Leidig, SVP at cloud encryption company CipherCloud. “The use case we see from our enterprise customers is to encrypt sensitive data, like personally identifiable information, financial and healthcare records, and proprietary R&D details. When implemented correctly – using industry recommendations like using AES 256-bit encryption and enterprise key retention – encryption can protect sensitive data even in the event of a breach.”

“But,” Leidig continues, “keep in mind that no single security measure by itself is a silver bullet against all malicious attacks and infections. A proactive defense model requires holistic data protection. You’ll still need your on-premise security systems, e.g. firewalls and anti-virus. Then extend these existing investments into the cloud using encryption, tokenisation, data loss prevention to set access policies. Match these security controls with data visibility and anomaly detection tools to categorize data according to sensitivity levels and to inform on the best security control to implement for a select class of data.”

Ananth is more cautious still: “While encryption is a valuable step to make harder the extensive surveillance described by Snowden et al, this is too sweeping a statement. The revelations of the NSA working to weaken encryption technology, and the exposures of the NSA TAO hacking unit, show that many common technologies are compromised at a very basic level. [This means] a thoughtful policy framework where governments accept restrictions are a necessary adjunct.”

“However,” he concludes, “this is about as unlikely as unilateral nuclear disarmament – impossible with realpolitik, only found in Hollywood.”

Kathryn Cave is Editor at IDG Connect