“Without simplicity we don't have adoption and without adoption we don't have security,” Linus Chang, founder and CEO of Scram Software commented in an interview with SC Media UK about data encryption - and information security in general.
And in those few words Chang summed up a major reason for the current state of widespread cyber-insecurity - and the challenge faced by the industry as a whole, especially those catering for the non-tech community, i.e. the general public.
But it is certainly not just the general public that finds it difficult. Chang added, “The reason that there are so many breaches is because making cyber-security easy is the biggest challenge.”
A vital tool in defence of our information security is encryption, but cryptography is particularly difficult, even for security professionals: system administrators often lack the tools to deploy it appropriately, software developers often make mistakes because crypto is so hard, and non-technical users find encryption tools confusing and difficult to use.
This is separate from the fact that a non-specialist can't really verify a manufacturer's claims, or may misunderstand what they are buying, and thus not know exactly what they are securing - and what they are not.
Examples cited include the placebo effect, where there is a mismatch between the expected and the actual security provided, such as not realising that hard disk encryption protects only confidentiality, not against an attacker modifying the data. Or where it is assumed that data held encrypted in the cloud is therefore safe - but if the data goes to the cloud in the clear and the service decrypts data that is downloaded, it is a poor defence. The correct way to use such a service is client-side encryption before the data leaves your device, so that any hacker only gets encrypted data.
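The two points above (encryption that hides data but does not stop it being modified, and encrypting on the client before upload) can be shown in a few lines. The following Go program is an added example written for this article, not code from Scram Software or its products; the choice of AES-CTR as the "confidentiality only" mode and AES-GCM as the authenticated mode, the sample message and the zero key are all assumptions made here for illustration. It encrypts a record client-side, flips one byte of the stored ciphertext as a hostile storage provider could, and shows that the unauthenticated mode decrypts silently to corrupted data while the authenticated mode rejects the blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptCTR gives confidentiality only: the blob is IV || ciphertext,
// with no integrity tag, so a modified blob still "decrypts".
func EncryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return append(iv, out...), nil
}

// DecryptCTR cannot tell a tampered blob from a genuine one.
func DecryptCTR(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aes.BlockSize {
		return nil, errors.New("blob too short")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(out, ct)
	return out, nil
}

// EncryptGCM gives confidentiality and integrity: nonce || ciphertext || tag.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM fails closed: any change to nonce, ciphertext or tag is an error.
func DecryptGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// flipByte models a storage provider (or an attacker with access to it)
// altering one byte of what the client uploaded.
func flipByte(blob []byte, idx int) []byte {
	out := append([]byte(nil), blob...)
	out[idx] ^= 0x01
	return out
}

// TamperedDecryptCTR uploads with CTR, corrupts the first ciphertext byte,
// and returns what the client would read back: wrong data, no error.
func TamperedDecryptCTR(key, msg []byte) ([]byte, error) {
	blob, err := EncryptCTR(key, msg)
	if err != nil {
		return nil, err
	}
	return DecryptCTR(key, flipByte(blob, aes.BlockSize))
}

// TamperedDecryptGCM does the same with GCM; the tag check rejects the blob.
func TamperedDecryptGCM(key, msg []byte) ([]byte, error) {
	blob, err := EncryptGCM(key, msg)
	if err != nil {
		return nil, err
	}
	return DecryptGCM(key, flipByte(blob, 12)) // 12 = GCM nonce size
}

func main() {
	key := make([]byte, 32)                            // constructed demo key
	msg := []byte("invoice 1042: amount due 100.00") // constructed record
	ctr, err := TamperedDecryptCTR(key, msg)
	fmt.Printf("CTR after tamper: %q err=%v\n", ctr, err)
	_, err = TamperedDecryptGCM(key, msg)
	fmt.Printf("GCM after tamper: err=%v\n", err)
	_ = bytes.Equal
}
```

The key never leaves the client, so the provider only ever stores ciphertext; the difference between the two modes is what happens when that stored ciphertext comes back altered. A product that only promises "encrypted at rest" without saying whether the mode is authenticated leaves exactly the gap the placebo effect describes.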
Chang explained the reasons for this sorry state: “Software developers find crypto very difficult to implement (research shows) - 90 percent of Apps on Android App stores have errors in their encryption. Only 18 percent of developers are able to do even the most basic encryption. It's not their fault - they're paid to develop functionality. In addition, many recent server breaches have been attributed to misconfiguration - at some very large organisations.”
Chang says that as a result, only four percent of the data in last year's breaches is believed to have been encrypted.
Given that Scram's own website notes that the cloud is inherently dangerous, SC asked Chang whether companies should be moving services to the cloud, or whether the security fears are enough to warrant sticking with on-premise servers.
Chang responds: “Moving everything to the cloud blindly is dangerous. If you understand the pros and cons, it can provide productivity benefits. As long as you know what the risks are. If every photo you take is sync'd to cloud, that's an example of moving to cloud without understanding as you have to rely on the cloud provider on your behalf and mistakes do happen.” Instead Chang advocates using a system that means you no longer have to rely on a cloud provider to do the work for you, so that even if they make a mistake, your data is still protected.
Of course Chang is not a disinterested observer - his company is launching products to deliver exactly this type of service, enabling drag-and-drop encryption of various data types at the client premises for delivery to various services, using an international retinue of true cryptography experts.
Asked about competitor offerings, Chang told SC that he didn't believe he had any direct competition, conceding that banks and corporates have already had to encrypt for some time, but that they are served by very big companies and the prices are very high, in the hundreds of thousands for an encryption system and thus beyond the reach of small to medium-sized enterprises.
This is viewed as a particularly pressing problem with the full implementation of GDPR in May - when encryption of data (along with pseudonymisation) is a mitigation that would potentially allow companies not to need to report a breach. But it needs to be easy and affordable to encourage SMEs in particular to adopt and encrypt early in the process.
So what is the price, or the pricing model? Chang explained that the pricing would be based upon the number of users and the amount of data, but that the exact pricing was still being worked on, though he did say that it was intended to include big discounts to charities. SC pushed - so how about a single user, financial adviser to 100 high net worth individuals? Chang replied, “It will be sub US$1,000 for one person - a couple of hundred, and scale up for the number of users.” So it is the mix of low initial starting cost and ease of use that Chang sees as the USPs in his company's approach - but also the high level cryptographers working on the solutions.
In fact Chang says the products are also able to provide long-term encryption, proof against the future use of quantum computers to crack data that is stolen now while encrypted with current methods. Scram has deployed post-quantum cryptography. Chang explains: “To be secure against that kind of attack [described above], we knew that this capability was possible, even if it is currently in its infancy; we can predict when quantum computers will be practical to break most existing encryption and the current estimate is 2029. It's worth noting that many cryptocurrencies are not secure against quantum computing.”
He adds: “Encryption is based on mathematical problems and there are still problems which are difficult to solve with quantum computers. NIST has solicited proposals for next generation algorithms from the cryptographic community. So it should be a matter of switching over to those algorithms to protect against quantum computers.”