The Hidden Disadvantage Of Strong Encryption

By Andrea Di Fabio, Interim CIO, Norfolk State University

The widespread availability of strong encryption, together with the Snowden effect, has propelled an arms race to aggressively and pervasively adopt strong encryption. Software developers and information security companies are riding this new wave by releasing tools marketed at using strong encryption and anonymity to protect privacy, communication, and information. With many such tools at their disposal, end users and IT professionals are struggling to select the most effective one, without regard for their hidden drawbacks.

Encryption requires a secret, the key, to create another secret, the cipher text. It is based on the basic assumption that the key used to decipher the cipher text is known only by the party who has a need for that information. Whether symmetric or asymmetric encryption is used, safekeeping of the private key is paramount. Best practice suggests that the private key be protected with another secret, or password. In a perfect world, this complexity of key management, encryption and decryption of messages, as well as cross-platform deployment and interoperability of encryption applications, is transparent to the user. The users need not worry whether data is to be encrypted or not, as the system will either encrypt all data, or auto-magically determine whether encryption is needed or unnecessary. In this same fantasy world, IT professionals have implemented a utopian solution to accomplish the task, and very little time needs to be dedicated to sustaining the technology, training end users, and troubleshooting encryption issues. Now let’s leave Sir Thomas More’s island and focus on the real issue, which is the complexity of encryption solutions.

From an enterprise IT perspective, private sector and government agencies are deploying and using encryption for a multitude of reasons. Whether that is compliance, national security, or protecting trade secrets and intellectual property, strong encryption is used to safeguard sensitive data in transit and at rest. IT professionals use a variety of tools and techniques, such as VPN, full disk or file level encryption, and end-to-end transport encryption to accomplish the difficult task of keeping information secure. Deploying enterprise level strong encryption requires specific skills from a dedicated team, and a robust key management system; this is where the complications become apparent. The additional drawbacks come in the form of an enterprise’s frequent inability to inspect encrypted communication and data at rest, thus being incapable of detecting malicious activity, and protecting its data and communication from malicious actors. Therefore, implementation of strong encryption must be strategically planned. Its deployment must consider a flexible network and IT architecture that takes into account the risks introduced by the very solution which is aimed at protecting data. This is especially true for an organization with a mature IT infrastructure, where encryption was not a priority in the past. Complexity grows exponentially when such an organization finds itself having to store and process new information that may be protected under requirements such as PCI, or HIPAA, or that is sensitive in nature.

Let’s consider this very organization, which may already benefit from a robust and successful deployment of application-layer firewalls, intrusion prevention systems, and data leak prevention solutions, all working in synergy as a subset of a layered security approach. These technical controls used to be somewhat effective when strategically deployed in key locations. Their powerful engines analyze network traffic at wire speed, and make decisions about data and its security based on an increasing number of complex rules, which are regularly adapted according to the evolving threat landscape. Often, encryption renders the organization’s security controls ineffective and makes them blind to malicious attacks and sensitive data exfiltration. To compound the issue, the vast majority of modern malware uses strong encryption to hold data for ransom, and obscure malicious code and data exfiltration. IT professionals have experienced this same issue with IPv6, at a time when vendors’ security solutions were slow in implementing engines that would inspect IPv6 network traffic. An organization is therefore left with two options: real-time decryption or re-architecture. Today, vendors may have solutions for this self-inflicted problem. Many network security appliances are capable of performing real-time decryption when certain conditions are met, but these solutions often come at a steep performance cost. With real-time decryption, capacity and scalability issues come to the surface, quickly followed by a CIO’s need for budget realignment. Conversely, re-architecture does not provide the immediate rewards a CIO may strive for, but it is often the winning approach, and one that will support upward scalability and improved flexibility.

From a user and private citizen’s perspective, we are learning to use encryption on our smartphones, laptops and desktops, or verifying that encryption is being used by looking for the padlock in our browsers. In some cases, encryption is already built into the technology we use every day and is transparent to our way of digital life. In the past, encryption used to help us protect the information we cared not to disclose to, or have compromised by, third parties, such as financial, tax, health, and other personal and sensitive information. Today, it appears as though public skepticism and various conspiracy theories are at the base of a new digital revolution, one where users demand ubiquitous encryption. Little did we know that slowly but steadily, encryption is becoming more prevalent in all aspects of our lives. Skype, Google Hangouts, iMessage, Gmail, and Hotmail are just a few examples of widely used services that provide strong encryption. Some browsers alert users when websites use weak encryption. More tech-savvy users venture into using more complex and specific tools that provide strong end-to-end encryption such as RedPhone, PGP, and S/MIME to name a few. These tools provide for increased privacy and a higher level of confidence that communication cannot be read by a third party, but this assurance comes at a high price. The burden of protecting and backing up the private key or password is shifted to the user. A lost key, password, or smartphone PIN results in a user permanently losing important data.

Our hunger and demand for stronger encryption and greater privacy is in direct conflict with law enforcement’s ability to lawfully request and review criminal activity in the form of digital information in an effort to protect our way of life. Many organizations, including major cloud SaaS providers, are implementing end-to-end strong encryption and are either unwilling, or unable to provide for a lawful mechanism to detect criminal and terrorist communication. These companies exploit their inability to access customers’ encrypted data by marketing themselves as strong privacy advocates. The end result is that the implementation of strong encryption with cognizant disregard for its disadvantages not only hinders their customers, but often weakens our ability to protect our freedom and nation from cyber-attacks.