Tuesday, October 29, 2013

Intelligence Agencies Sold Us Down the River

How should enterprises proceed in the future?

By Volker Oboda, CEO TeamDrive

With every passing day we hear more and more horror stories stemming from the eye-opening information we received thanks to Edward Snowden’s leaks. Lately, the stories have not only been about PRISM, Tempora or XKeyscore, but, lately, the stories have revolved around the arbitrariness of the intelligence agencies and their decision to act at their own discretion in terms of what to and what not to do and allow. Each and every one of us needs to ask ourselves, “How can we deal with a threat like this? Not one coming from an alleged malicious hacker, but, instead, a threat coming from those agencies whose sole mission is to protect us and our privacy.

Enterprises Forced to Act

Besides government offices and agencies, enterprises, and any and all other organizations who work with particularly sensitive and personal data, each and every one of us possesses information we deem critical and worth protecting. In the face the current debates on espionage, whether based on attacks on data in personal or business environments, the overall threat continues to rise and, of course, data in business environments are particularly worth protecting at a maximum level.

Today’s mobile society is constantly changing and improving the way we work and communicate with one another. At this point it is almost hard to imagine business partners, coworkers and customers alike communicating without mobile devices and mobile applications. The overarching challenge here consists of how to successfully secure the communication in everyone's interest and at any price. Sensitive information and business critical data have no place in the hands of unauthorized third parties, intelligence agencies or, for that matter, even random standard users. It is necessary to prevent unwanted access no matter who the unauthorized person is. Naturally, this also applies to the creating, editing and sharing of data with a trusted third party.

Concepts like “Bring Your Own Device” (BYOD) have led to a new dimension of, and need for, privacy protection within the enterprise. It has also allowed organizations to meet new and existing challenges to secure business critical data and intellectual property. In addition, the uncontrolled growth of IT security holes (shadow-IT) due to Dropbox, and other preferred personal cloud solutions, cause this situation to be even more nerve wrecking.

This, in turn, leads to an increased threat to an enterprise’s ability to securely protect its critical information and data while at the same time creating a beneficial situation for both malicious hackers and intelligence agencies alike. Nevertheless, employees should continue to work with the same comfortable technology and solutions, but in a more secure manner.

Just to Control is Not Good Enough. SSL is Unsecure

Professional skeptics have once again gained the upper hand, due to the current security debates, and advise users to turn their backs on the cloud and, instead, strengthen their own IT infrastructures. Control is an important issue. Enterprises that operate and supervise their own data and systems have more, if not total, control over the processes that take place and they also have a better overview of where their data is located. However, these debates underestimate just how much of a global world we are living in and how much we rely on mobile devices and applications to run our daily business.

This means employees still need to be able to move about freely with their devices, data and information, while having the control lie in the hands of the enterprise’s IT department. An important factor each enterprise, in particular each vendor of IT services, needed to consider for years is encryption. It is evidence of incapacity that suddenly, out of nowhere, vendors started to harden their systems cryptographically sell this as an added value to their customer! Security is not an added value! Security is a central component of each product and this expectation existed before the events of Edward Snowden. That includes encryption.

SSL-encryption is Unsecure

Here is something that should not be forgotten. The NSA and GCHQ infiltrated some of the best known encryption technologies used to secure common Internet data transfers, among them SSL .This means all vendors exclusively using SSL as an encryption standard should be now classified as unsecure. Solely, the AES 256-bit encryption standard is still secure. According to estimates, we will not have the technological capabilities to crack AES 256-bit encryption until 2018 . The duration also partially depends on the strength of the password. Security experts recommend to choose a password length of at least 20 characters and to use a combination of upper and lowercase letters, numbers and special characters.

End-to-End Encryption is Inevitable

Despite all assurances, encryption is useless if the vendor owns the key that allows access to the encrypted data. For this reason there is no way around the fact that the user should exclusively own the private key, the data is encrypted in the user’s local file system and is, afterwards, transferred via an encrypted communication channel to the vendor’s servers where it is also stored in its encrypted form. On no account should the vendor have the capability to restore the private key in order to access the data.

New Age Disruption analyst René Büst also sees it that way . He thinks who has control over the data is an important topic but, however, calls attention to the idea that sooner or later external communication will be necessary and hardened end-to-end encryption is inevitable. Büst recommends to pay attention to the following respective characteristics of encryption:

  • Advanced Encryption Standard – AES 256 to encrypt the data.
  • Diffie-Hellman and RSA 3072 for the key exchange.

In addition, Büst makes it clear that the meaning of the entire communication being end-to-end encrypted needs to be strengthened. This implies that the entire process a user passes through with the solution is encrypted from beginning to end. This includes:

  • The user registration process
  • Logging in
  • The transfer of data (sending/receiving)
  • The transfer of key pairs (public/private key)
  • The storage location on the server
  • The storage location on the local device
  • The session while a document is being edited

How Enterprises Should Act

The interplay of trust and security is becoming more important. However, a vendor only gains the trust of its users if it opens up and allows its technical insights to be transparent to the user. This type of voluntary transparency cannot be found with many IT vendors, whereby these vendors are justifiably criticized. For this reason, enterprises need to find a vendor that has no secrets and is eager to communicate with its customer. Besides building trust, enterprises should also consider:

  • Regaining control over your data and systems.
  • Building trust within your organization and your vendor. This can be established with either a good relationship or with contracts.
  • Considering a hybrid scenario to support your employees while they are mobile.
  • Continuing to offer employees, customers and partners the opportunity to securely access their data and information.

What should by all means be considered is the end-to-end encryption of the entire communication and the avoidance of media disruptions during the encryption. Moreover, to identify secure encryption methods and to consider these methods during vendor selection.

[1] http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security/print
[2] http://nsa.gov1.info/utah-data-center/
[3] http://clouduser.de/en/analysen/how-to-protect-a-companies-data-from-surveillance-in-the-cloud-20234

No comments: