End-to-end Encryption – Nuisance or Safety Net?
By: Fred Sadler
Public and government attention is being focused on the loss of electronically maintained personal and financial data, in major publications such as the New York Times and the Washington Post. Feature articles raise serious concerns about lost, stolen or misused personal and financial information. These losses have been so extensive that they are now being categorized as “mega breaches,” because they are so extensive that it may be impossible to confirm the number of actual data breaches in companies, and agencies during a particular time period.
Sadly, some of the largest data losses last year resulted in compromising a combined estimate of 178 million records - nearly 78 million records at Anthem were compromised, and another 22 million files were lost by the US Office of Personnel Management, alone. It isn’t difficult to locate information about other breaches, such as the 40 million credit card numbers stolen from Target in 2015, and the list goes on. We have to continually ask ourselves, whether our systems are adequately protected, and regardless of the answer, what can - or should - we do to enhance that protection, if only to ensure that liability is minimized if a breach results in litigation.
A number of companies such as Symantec, Fortinet, Barracuda, all offer excellent network security products to aid in preventing breaches. However, many security experts agree that breaches are inevitable, and human errors within an organization, or attempts to illegally obtain sensitive, personal or proprietary information, haven’t been slowed down by government intervention. The key to ameliorate the damages caused by a breach, therefore, is to protect the data before a breach occurs. Destroy those records that aren’t needed any longer, and ensure that they can’t be reconstructed.
But for those records which we all maintain for legitimate business reasons, do we have an encryption program, which will minimize a hackers ability to access and use that information? Hackers always will try to find new ways to break-in, but those breaches will have a minimal impact on our companies, our customers and ourselves, if the data was protected in a way that can’t be reconstructed, used or sold.
With current technology, end-to-end encryption may be the one of the most effective ways to protect data. But, if end-to-end encryption is a key element to secure data, then why isn’t it used more often? And when it’s used, what post-encryption issues should be considered to allow for future access? Data encryption already is generally used to meet policy, or regulatory and agency requirements, to ensure data privacy and security. Those specialists working with these issues understand that a vital component of any protective structure includes creating and designing systems that address these issues when the system is created, and before going “live.”
While encryption technology can be used for end-to-end protection, the Public Key Infrastructure (PKI) encryption technique is among the safest and simplest to use. In PKI, every database has a pair of keys: one Public, and one Private. While the public portion is available for anyone to use, the private or confidential components of any database are only available to the persons who own or operate the systems. PKI systems provides a level of security that makes it, for all practical purposes, impossible to de-crypt from the outside. That simple change renders lost or stolen data useless, because the storage system can’t be accessed by unauthorized persons.
The concept is simple enough, and can be used in any organization. In some limited cases, companies or agencies may prohibit this type of encryption, because they have concerns about reversing the process, so that data can be used internally, for appropriate business reasons. And, there may be concerns that most search engines can’t scan encrypted data, to aid in locating needed information. Or, organizations simply may not have considered how beneficial encryption can be, and how it can be a vital part of the programs that protect data, and assist in preventing breaches. Regardless of the concerns, if data is lost, stolen or misused, we need to ask how costly it would be to address breaches, what the loss of our reputations and consumer confidence would be, and whether reconstruction of such data would be too expensive. The benefit of trying to access encrypted data in house, is that is minimizes the potential for loss or misuse. Having internally encrypted data actually helps protect your business processes.
But, as some firms correctly ask, how should a security program address lost encryption tools, or even just passwords if the database manager leaves the firm? “An automated method to recover the keys to decrypt data is an important step but ensuring access is limited only to authorized persons is a security must.” stated Sam Andoni, President of Zeva, Inc., one of those companies trying to solve this important security dilemma (www.zeva.us). The security concerns go even further. Any agency or company deciding on the use of end-to-end encryption must require strong authentication as well as controlling access, to limit who can decrypt the data of an end user. This is an authentication issue, which must be supported by comprehensive logging of system events with detailed reporting for system management, compliance reporting and audit support similar to the key handling policies of the Federal PKI program.
End-to-end encryption may be the answer to concerns, and enhancing your protection of internal, confidential data, when combined with staff training to ensure the appropriate use of encryption and PKI methodology. You’ll quickly find that this becomes part of your organization’s culture of privacy and confidentiality in the workforce. And, from an IT standpoint, this could be part of your preparation to address any future hack, loss or breach.
About the Author: Fred Sadler retired as the Director of the Freedom of Information Act and Privacy Act office of the US Food and Drug Administration. He is a former president of the American Association of Access Professionals, frequent speaker and current consultant on disclosure related issues with an emphasis on openness, transparency and pro-active disclosures.