“The defence against the dark arts in the digital realm.” Edward Snowden’s emotive description of the benefits of encryption lay at the heart of his talk at the SXSW culture and technology conference in Texas earlier this week.
Back in September, Snowden described encryption as ‘your friend’ in combating surveillance and eavesdropping. It makes sense. If you scramble your data so that it is useless to anyone without the key, then it doesn’t matter who is listening in. Whether that listener is conducting anti-terrorism screening, is actually trying to steal your data, or comes across your data by accident because you lost it, the data stays protected. Deploying encryption feels like a proactive step: you assume the worst and minimise the impact, which is much better than building a perimeter and hoping for the best. So, not surprisingly, many organisations have reassessed and beefed up their approach to encryption, with major internet brands claiming that all of their services, and even their back-end systems, will be encrypted. I wouldn’t be surprised to hear that Snowden himself uses encryption as a way to keep his files out of the hands of his hosts in Russia – something that he claims to be able to do!
The challenge is that, like most things in security, this is a moving target. During his SXSW talk, Snowden called for the use of ‘stronger’ encryption as a way of keeping one step ahead. This might seem strange to those who think of encryption as black and white, either on or off with no shades of grey, but it’s an important point.
It’s difficult to spot the difference between good and bad encryption: the end result looks the same, but the level of security provided can vary enormously. He’s not calling for the world to invent a new, stronger encryption algorithm, but rather for organisations to do a better job of using the proven capabilities that already exist – it’s all about implementation. Those deploying encryption systems face a number of decisions – which algorithms and modes to use, whether to build or buy, what key lengths to use, which key management policies to define, to name just a few. Weak specification and poor implementation can dramatically reduce the effectiveness of any encryption system, and because the ciphertext looks just as random either way, the weakness is invisible until someone exploits it.
In this post-Snowden era, some of these issues seem basic. Hopefully the use of out-dated algorithms and unproven technologies is behind us, but key management remains a thorny topic. Indeed, key management systems and the people who operate them might well become the next focal point of attack. The trouble with key management is that there are lots of aspects to it. Keys have lifecycles and are vulnerable at each phase of that cycle. One of the phases that hit the press earlier this year was ‘key generation’, the process of creating random numbers that eventually become keys. This is not as easy as it sounds, and rumours that some commercial products have intended flaws in this area still persist. A key is only as unpredictable as the randomness it was drawn from: if the source is predictable or has little entropy, an attacker can recover the key by guessing the source, however strong the cipher around it. The other phases of the lifecycle, such as storing keys, delivering keys, replacing keys and destroying keys, also present numerous opportunities for keys to fall into the wrong hands, be used for the wrong things or simply get lost. It seems obvious, but it’s true: encryption is just maths, whereas key management is about secrets and people – and that’s where the challenges start.
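The two points above – that good and bad encryption look the same from the outside, and that a key is only as strong as the randomness it came from – are easy to demonstrate. The following Python is an added example written for this page, not code from the original post or from any product it mentions. It assumes a deliberately weak key generator (a non-cryptographic PRNG seeded with a timestamp, a classic mistake) beside a proper one, and uses HMAC-SHA256 in counter mode as a stand-in stream cipher purely so the example needs no third-party library; the plaintext, seed value and one-hour search window are all constructed for the demonstration.

```python
import hashlib
import hmac
import math
import os
import random
import secrets
from collections import Counter
from typing import Optional, Tuple

KEY_LEN = 16  # 128-bit keys in both cases; only the way they are made differs


def weak_key(seed: int) -> bytes:
    """Derive a key from Python's Mersenne Twister seeded with a small integer.

    Models the classic mistake of seeding a non-cryptographic PRNG with a
    timestamp: the cipher is untouched, but the effective keyspace collapses
    from 2**128 to the number of plausible seeds.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """Draw the key from the OS CSPRNG, so the keyspace really is 2**128."""
    return secrets.token_bytes(KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative only).

    Chosen to keep the example dependency-free; the point being made is about
    key quality, not cipher strength, and holds for any real cipher too.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """XOR the plaintext with the keystream; returns (nonce, ciphertext)."""
    nonce = nonce if nonce is not None else os.urandom(12)
    ks = keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return encrypt(key, ciphertext, nonce)[1]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def recover_weak_key(nonce: bytes, ciphertext: bytes, known_prefix: bytes,
                     seed_lo: int, seed_hi: int) -> Optional[Tuple[int, bytes]]:
    """Attack the key generation rather than the cipher: try every seed in the
    window the attacker considers plausible and test it against known plaintext."""
    n = len(known_prefix)
    for seed in range(seed_lo, seed_hi):
        candidate = weak_key(seed)
        if decrypt(candidate, nonce, ciphertext[:n]) == known_prefix:
            return seed, candidate
    return None


# Constructed sample plaintext: a predictable header (known plaintext) plus filler.
PLAINTEXT = (b"REPORT-HEADER-V1" + b" confidential figures follow." * 200)[:4096]
# Constructed "deployment time" the weak generator was seeded with (a Unix timestamp).
SEED_USED = 1_700_000_000
SEARCH_WINDOW = 3600  # attacker only knows the key was made within this hour


def demo() -> dict:
    """Encrypt the same data under a weak and a strong key and compare outcomes."""
    weak_nonce, weak_ct = encrypt(weak_key(SEED_USED), PLAINTEXT)
    strong_k = strong_key()
    strong_nonce, strong_ct = encrypt(strong_k, PLAINTEXT)

    hit = recover_weak_key(weak_nonce, weak_ct, PLAINTEXT[:16],
                           SEED_USED - SEARCH_WINDOW // 2, SEED_USED + SEARCH_WINDOW // 2)

    return {
        "plaintext_entropy": byte_entropy(PLAINTEXT),
        "weak_ct_entropy": byte_entropy(weak_ct),      # both ciphertexts look equally random
        "strong_ct_entropy": byte_entropy(strong_ct),
        "weak_seed_recovered": hit[0] if hit else None,
        "weak_plaintext_recovered": hit is not None and decrypt(hit[1], weak_nonce, weak_ct) == PLAINTEXT,
        "strong_roundtrip": decrypt(strong_k, strong_nonce, strong_ct) == PLAINTEXT,
        "weak_effective_keyspace_bits": math.log2(SEARCH_WINDOW),  # ~11.8 bits, not 128
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both ciphertexts score close to 8 bits of entropy per byte, so nothing in the output distinguishes them; the weak one nonetheless falls to a few thousand guesses because the attacker searches the seed space, not the key space. The same lesson carries over to real systems: audit where key material actually comes from, not just which algorithm consumes it.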
Whether or not we agree with Snowden’s motives or actions, there can be no doubt that his revelations have succeeded in putting encryption on the global stage. The conversation is translating into action for organisations across the world. According to our latest Global Encryption Trends Study, more organisations than ever are taking a strategic approach to encryption, with business unit leaders gaining influence over their company’s use of encryption to define enterprise-level data protection strategies. But when it comes to challenges, key management stands out: nearly 30% of respondents rated its ‘pain level’ at 9 or 10 on a severity scale of 1 to 10.
Edward Snowden might have sparked an international debate about privacy, but let’s not forget that he started out as the perpetrator of a good old-fashioned insider attack. It’s ironic that his call for the widespread use of encryption might mean that he has made life harder for those who wish to follow in his footsteps. Although many headlines echo his statement “I would do it again”, the question is: would he be able to? My guess is that the NSA will have been at the front of the queue of organisations heeding his advice to improve their data security. A future Edward Snowden might still be able to steal data, but if it is encrypted, and the keys are managed so that he cannot reach them, there would not be a whistle to blow.