Data encryption efforts ramp up in face of growing security threats
Last year there was a lot of momentum in the deployment of data encryption. This was seen on the web, in the consumer space, and in the enterprise. I expect to see these trends continue and accelerate. While current data encryption work covers a broad set of topics from the attacks against old algorithms such as SHA1 growing in strength, to the exciting progress on post quantum cryptography, I want to draw attention to a set of practical trends that will affect businesses in the coming months.
This year we will see encryption deployment accelerate. This trend will be most visible in the browser where https will replace http for most high-traffic sites, and will be driven by the move to http2 (which, in practice, will not support unencrypted traffic as well as initiatives by Google to push sites to use encryption).
Large media organizations, such as The Guardian and The New York Times, are leading the way and have switched to https only. The benefits of encryption include greater privacy for your visitors, as well as preventing the increasingly common practice of content injection.
I also expect this trend to accelerate in categories that are moving beyond transport-level encryption such as consumer and IoT products, where the perceived risk of hackers and state sponsored attacks is growing. WhatsApp, iMessage, and other messaging platforms have deployed end-to-end encryption to more than a billion consumers. In the IoT space, suppliers are starting to offer end-to-end encrypted solutions ready for integration into everything, from light bulbs to cars.
The Enterprise Will Deploy End-to-End Encryption
Currently, enterprise software lags behind the consumer space in the deployment of end-to-end encryption. Many popular tools don't use end-to-end encryption, leaving companies at risk to data snooping and massive hacks. The value of securing data will become more evident as more high-profile hacks and leaks, such as the DNC hack, are revealed.
End-to-end encryption means that the only parties with access to your data are the ones with the keys. If done properly, this can remove all of the back-end infrastructure from the trusted compute base. This is a critical step to reducing leaks, and is especially beneficial for cloud solutions where it is often unknown who has access to customer data: Your SaaS provider? Their providers? Their hosting service?
Key Management Will Remain a Challenge
Data encryption is, unsurprisingly, no silver bullet. The greatest challenge when deploying an encryption system is key management. How are keys distributed and protected? We have seen examples of key management failures from the infamous Comodo hack to the use of stolen code signing certificates.
In your own origination, it is important to protect your keys, especially if they are used to authenticate your software or services to the public. Best practices here are:
· Use Certificate Transparency for your public https certificates.
· Code signing keys should be stored and used on air gapped machines whenever possible.
The Conversation Will Move from Privacy to Trust
Historically, cryptography has been thought of as a tool to enable privacy, but the narrative is moving to one of trust. When Apple shipped encryption by default for iOS, and WhatsApp turned on end-to-end encryption, it was not because their support queues were filled with requests for more privacy. They shipped these features to create a stronger bond of trust for their brand. Encryption allows companies to tell their users, “You can trust us; even if a hacker gets their hands on the data, they won’t be able to read it. Your stuff is safe with us, and only you have access to your account.”
This concept is important not just for consumer applications, but for enterprise software as well. If a company uses a SasS or on-premise product with end-to-end encryption, there’s a level of protection around sensitive company information that can’t be achieved with alternative technologies. Even inside an organization, the IT department doesn’t need access to decryption keys. By employing strong encryption, users are able to trust their organizations and security vendors to keep their information secure, leading to more regular use and widespread support of products that do so.
This year is shaping up to be a momentous year for encryption, with increased deployment across all sectors. It will continue to play an important role in security, as well as help build trust between brands and their customers.