Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/2/2019
10:00 AM
Ramon Peypoch
Ramon Peypoch
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Case for Encryption: Fact vs. Fiction

The common belief that encryption enables bad behavior primarily used by thieves, international terrorists, and other villainous characters is simply not true. Here's why.

Encryption engenders passionate opinions and reactions from a variety of government regulators, technologists, and privacy and security advocates. It's become the de facto standard of online commerce and communication, embraced by technocrats and security pros everywhere.

Conversely, some governments routinely seek to destabilize encryption through legislation, regulation, or dictatorial fiat. A common approach is to require device manufacturers and technology providers to implement "backdoors" in an attempt to break end-to-end encryption in order to surveil conversations deemed high risk. Such efforts are generally met with strong objections from privacy rights advocates.

There is also an evolving focus on user privacy, perhaps most prominently triggered by the passage of the European Union's General Data Protection Regulation, but now surging in many other parts of the world. Regulations and user concerns are forcing shifts in technology vendor practices, for example:

  • Apple's announcements at their recent Worldwide Developer Conference declaring data privacy as a fundamental human right that will be central to all Apple products;
  • The pullback by Google to restrict third-party developers' access to Google user data that previously had been accessible; and
  • Facebook amending its corporate privacy stance given numerous recent scandals.

These threads are converging, putting encryption at the center of major business, government, and societal shifts. The fact is that encryption is a highly reliable method of safeguarding devices and information in the digital age. It is, in effect, the foundation of modern computing and collaboration. While it can't serve as a comprehensive security solution for all issues an enterprise may face, it does offer a powerful backstop when intrusions and breaches occur.

For instance, you might think of encryption as relevant for protecting digital assets from being stolen. But cybercriminals are very savvy and continually up the cat-and-mouse security game; in reality, company assets are stolen every day. It's better to acknowledge that every asset, whether it resides on a corporate website, a government database, or elsewhere, is at risk of compromise. When compromise occurs, encryption is the last layer of defense, preventing thieves from utilizing what's been taken.

Just in recent weeks, we've seen several reports of high-profile breaches involving sensitive customer information:

  • A massive American Medical Collections Agency data breach ensnared data from medial testing giants Quest Diagnostics (11.9 million patient records) and Lab Corp (7.7 million patient records).
  • Real estate title insurance giant First American Financial leaked hundreds of millions of digitized customer documents.
  • There was also research published by Digital Shadows reporting 2.3 billion files stolen.
  • Additional research from the vpnMentor research team revealed 11 million photos were exposed due to a misconfigured cloud service.

While these breaches are filling headlines and causing ongoing customer worries, the situation would likely be quite different had these files been encrypted.

Encryption's Mistaken Beliefs & Unintended Consequences
If we consider government backdoor access demands, aside from the privacy concerns, imposing such actions actually could have unintended and contradictory consequences. For example, a government might compel a mobile phone manufacturer to install a backdoor that breaks encryption in high-risk situations such as terrorism incidents. But once such a mechanism exists, it is implausible in this active cyber threat environment that only that government entity would be able to access and utilize it. Realistically, it will be utilized by both good and bad actors, and is ultimately likely to cause more problems than obviating the problem it was originally intended to solve.

There are a few other common but erroneous beliefs about encryption that need to be dispelled. One is that because it's so hard to use, only sophisticated users can take advantage of it. Practically speaking, encryption is no longer just about locking down hard drives. It's now about protecting information at the point of creation and then being able to dynamically update policies around that data wherever it goes. Modern approaches can actually make this fairly simple to apply.

Another mistaken belief is that encryption is easily breakable. While sophisticated nation-states can harness the significant processing power needed to decrypt protected assets, that's not a common situation. Frankly, it's just easier for attackers to move on to other targets with unencrypted data stores.

Finally, there's a common belief that encryption enables a lot of bad behavior — that it's only used by thieves, international terrorists, and other villainous characters. This is simply not true. Encryption is actually central to our digital lives and enables trillions of dollars of secure commerce from banking transactions to the myriad online consumer and enterprise services we all utilize on a daily basis.

Encryption forms the essential underpinning of our virtual world. With the emotion that often gets packed into discussions and decisions about how encryption should be used, it's important to pause, separate fact from fiction, and responsibly apply this powerful tool to advance the security of the systems and data that enable our modern lifestyles.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

A proven leader in the security industry, Ramon leads Vera Security's product strategy, management and market delivery. Prior to Vera, he was part of the founding team of ProtectWise, Inc. (acquired by Verizon). Earlier he was vice president, web protection at McAfee. With a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.