What Enterprises Need to Know about Encryption
By Anurag Lal on 28 September 2016
Recent high-profile hacks have raised awareness of the dangers of insecure communication, bringing one feature in particular into the limelight: encryption. Headline-making encryption vulnerabilities in consumer-facing mobile messaging apps have also exposed the security holes commonplace in third-party mobile messaging platforms. For example, WhatsApp, which announced earlier this year that it would be using end-to-end encryption, was recently outed for not actually deleting chats that had been cleared or archived on the app.
For the enterprise, these types of security concerns carry much more weight. It’s impossible for most modern enterprises to operate without the use of electronic storage systems and digital communication platforms to transfer information, documents and sensitive files. However, there are a multitude of threats associated with these systems, including the exposure of sensitive business data to competitors and legal consequences from failing to comply with regulatory mandates, like HIPAA or SOX.
Currently, most enterprises secure their business communication through a VPN, which ensures that information is secure once it hits the enterprise’s network. But what about data residing on the end-user device or stored within the network? These are the considerations around encryption that organizations must be aware of.
Encryption Issues Today
Most consumer-facing mobile messaging apps do not leverage advanced encryption methods. Unfortunately, these apps are frequently used in the enterprise, even in industries like healthcare where HIPAA compliance is a point of concern. This is just one example: communication in the enterprise has, overall, taken a very consumer-facing approach to functionality without considering security.
Merely using a platform like WhatsApp that boasts encryption isn’t enough. The strength of the encryption algorithms is the most important point of consideration, as weak encryption can often be worse than no encryption at all. It gives uninformed users a false sense of security.
Enterprises need to pay attention to the specific types of encryption keys being utilized. For example, some business systems encrypt data as it moves from one point to another. But along the way, the system decrypts that data and then re-encrypts it. This interruption creates opportunities for an attacker to gain unauthorized access to that data.
Therefore, encryption in transport is an important consideration alongside two other types: device-to-device encryption and at-rest encryption, which means that information, files and documents are encrypted while at rest in the network.
The Future of Encryption
The “Cryptopocalypse” is an idea that references what may happen if a stronger form of encryption does not endure. The modern economy has become dependent upon encryption to protect sensitive financial data as it moves across the Internet. At the same time, advances in computing power and in the ability to break encryption have made it easier to break these advanced encryption algorithms.
Fortunately, new encryption technologies appear to be steering us away from this fate, but robust mechanisms of encryption must continue to be deployed and developed on a regular basis. This will become particularly important as the Internet of Things further connects various devices and applications, opening the door for even more vulnerabilities.
Thus, organizations should adopt a holistic approach to security in general, and to information security in particular. Enterprises need to look at security as an all-encompassing concept with encryption serving as a very important point of consideration. This holistic viewpoint will provide enterprises with a better idea of how to create a robust system that protects not only their communications, but themselves and their employees.