Are backdoors a necessity, or just a 'welcome' sign to hackers?

In today's age of political instability are backdoors necessary to safeguard national borders, or would it instead increase technical vulnerability and undo the progress that encryption has provided, asks Rick Orloff?

Rick Orloff, Chief Security Officer, Code42

In recent months, United States government agencies, among others, have been putting increased pressure on backup and security technology companies to provide 'backdoor' access to their customers' encrypted data.

We find ourselves in a new technological age where half of corporate data resides at the endpoint[1], away from the stronghold of the datacentre. This trend makes data more vulnerable and companies more aware of risk. After all, as evidenced by recent public corporate breaches, it takes only a single online weakness to bring even the largest of companies to their knees in a matter of days. Add to this the fact that the majority of enterprise customers are skeptical about just how safe their data would be, should a third party, governmental or otherwise, have unbridled access to their information—and it becomes clear why so many infosec organisations are resisting the implementation of hardcoded backdoors into their encryption and security solutions.

Keys under the doormat

The problem with inserting backdoors into encryption is that it creates doorways that are available not only to those who operate legally, but also to those who can break into them without the owner's knowledge. If the NSA or FBI can do it, so can a malicious third party—something about which the enterprise is understandably concerned.

Issues of contention are not limited to US soil either; any international company that uses a backup product or cloud service with an encryption backdoor built in would be affected. In the UK, David Cameron has also made his standpoint clear, wanting to limit or gain access to certain encryption methods so that the security services can monitor data for potential national security threats.

Ultimately, as noble as these agency chiefs and politicians may be—wanting to safeguard national borders—they instead risk stifling innovation in the technology market and damaging their respective economies. This is because high-growth tech companies with strong views on the subject of 'backdoor access' are a flight risk—often willing and able to move across borders to set up in locales where the issue of data privacy is not up for debate.

Of course, you cannot ignore the facts either. The truly unscrupulous individuals that government intelligence agencies are interested in monitoring are more than likely highly technically advanced and unlikely to use weak or broken encryption. They will instead seek out and find other ways of masking their communications and information. This point should not be overlooked; it should instead be taken into consideration by governments applying pressure to organisations that are not interested in hiding their information, merely protecting it from hackers.

Keys in your pocket

Whilst it is difficult to predict ahead of time the ultimate decisions made by the White House and Number 10 in regard to encryption backdoors, it is still, and always will be, incredibly important to make sure that sensitive enterprise data is protected—and kept away from malicious individuals.

In a time where BYOD and the quest for flexible working continues to proliferate, and in which the most sensitive of corporate data is travelling all over the country from employee to employee, it is time to change security strategies. Businesses and their security teams need to focus on implementing adequate endpoint backup and protection, with encryption that only allows access for the end user—providing that additional layer of defence against breaches. 

The best solutions today back up data not only locally, but also to the cloud. Again, encryption that keeps data secure while on the device, in transit and at rest is essential. In addition, if a company is the keeper of its own encryption keys, its data cannot be decrypted where it is stored in the cloud, so third parties will not be able to decipher it even if they gain access to the stored copy.
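To make the "keeper of its own keys" point concrete, here is an added illustration (not Code42's product code, and not from the original article) of client-side encryption before backup. It assumes AES-256-GCM, a 32-byte key that exists only on the endpoint, and an in-memory map standing in for the cloud provider. The provider only ever receives sealed blobs; anyone who reads the store without the key gets ciphertext, and decryption under a wrong key or a swapped file name fails the authentication check rather than yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudStore stands in for the backup provider. It stores opaque blobs
// keyed by file name and never sees a key or a plaintext.
type CloudStore struct {
	blobs map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{blobs: map[string][]byte{}} }

func (c *CloudStore) Put(name string, blob []byte) { c.blobs[name] = append([]byte(nil), blob...) }
func (c *CloudStore) Get(name string) ([]byte, bool) { b, ok := c.blobs[name]; return b, ok }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext on the endpoint. Output layout: nonce || ciphertext || tag.
// The file name is bound as associated data so a blob cannot be silently
// swapped between names by whoever controls the store.
func Encrypt(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Decrypt opens a blob produced by Encrypt; a wrong key, wrong name or any
// modification of the blob makes GCM's tag check fail and returns an error.
func Decrypt(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

// BackupFile encrypts before anything leaves the endpoint.
func BackupFile(store *CloudStore, key []byte, name string, contents []byte) error {
	blob, err := Encrypt(key, name, contents)
	if err != nil {
		return err
	}
	store.Put(name, blob)
	return nil
}

// RestoreFile pulls the blob back and decrypts it locally.
func RestoreFile(store *CloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, errors.New("no such backup")
	}
	return Decrypt(key, name, blob)
}

// StoreExposesPlaintext reports whether the provider-side copy contains the
// original bytes verbatim; with client-side encryption it should be false.
func StoreExposesPlaintext(store *CloudStore, name string, contents []byte) bool {
	blob, ok := store.Get(name)
	return ok && bytes.Contains(blob, contents)
}

func main() {
	key := make([]byte, 32) // constructed: in practice derived from a customer-held secret
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	store := NewCloudStore()
	secret := []byte("Q3 board deck: acquisition target list") // constructed sample file
	if err := BackupFile(store, key, "board.pptx", secret); err != nil {
		panic(err)
	}
	fmt.Println("store holds plaintext:", StoreExposesPlaintext(store, "board.pptx", secret))
	restored, err := RestoreFile(store, key, "board.pptx")
	fmt.Printf("restore with own key: %q err=%v\n", restored, err)
	_, err = RestoreFile(store, make([]byte, 32), "board.pptx")
	fmt.Println("restore with provider's (wrong) key: err =", err)
}
```

The design choice worth noting is the associated data: binding the file name into the GCM tag means the provider cannot serve one customer's blob under another name, which is the kind of silent substitution a compromised store could otherwise attempt.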

Finally, endpoint data protection solutions must be governed by overarching and stringent controls that give near real-time visibility of what data is being moved or stored by employees, and when. Not only does this give the CIO peace of mind that the company's intellectual property is not being compromised, it also pre-empts the recently finalised Global Data Protection Regulation (GDPR) before it comes into force in 2018.

In this uncertain political landscape, with differing governmental agendas and viewpoints, it is difficult to know which policy will ultimately come to fruition, as there are lobbyists on both sides of the coin. However, the constant battle to safeguard data from malware, ransomware and hackers has only become more ferocious—so it is of paramount importance to safeguard sensitive corporate data where it now resides most: at the endpoint.

Contributed by Rick Orloff, Chief Security Officer, Code42
[1] Enterprise Strategy Group http://bit.ly/1O88iiH