Spy-proof enterprise encryption is possible, but daunting

Privacy concerns are top of mind in light of revelations about NSA data collection

Data encryption could help enterprises protect their sensitive information against mass surveillance by governments, as well as guard against unauthorized access by ill-intended third parties, but the correct implementation and use of data encryption technologies is not an easy task, according to security experts.

Encryption could limit the ability of law enforcement and intelligence agencies to access data without the knowledge of its owner as it travels over the public Internet or by forcing third-party service providers like hosting or cloud vendors to hand it over under a gag order. However, in order for this to work the data needs to be encrypted at all times, while in transit, while in use and while at rest on servers.

The recent media reports about the electronic surveillance programs run by the U.S. National Security Agency (NSA) have raised privacy concerns among Internet users, civil rights activists and politicians not only in the U.S., but also in Europe, Australia and elsewhere.

While there are still unanswered questions about the methods used by the NSA to collect data as part of its recently exposed Prism program, the information leaked to the media suggests that electronic communications have been gathered en masse for years from Microsoft, Yahoo, Google, AOL, Facebook, PalTalk, Skype, Apple and YouTube.

Some of these companies have already denied that the NSA has direct access to their servers or that they were even aware of this surveillance program before it was mentioned in the press. However, the possibility of the NSA having access, directly or indirectly, to the data stored on servers that belong to U.S. service providers is bound to raise data security concerns within organizations that moved or are considering moving their systems and applications into the cloud.

In general, encryption technologies can be used to limit the scope of data collection by government agencies, according to security experts. Even if governments do have the legal avenues to force companies to decrypt and provide access to their data by using national security orders, subpoenas or other methods, at the very least the use of encryption can allow companies to know when their data is being targeted, they said.

"While all reputable companies will want to comply with the laws of the states in which they do business, encryption can give them full visibility into what is being monitored so that they can be a willing and active partner in government investigations," said Mark Bower, vice president of product management at data protection vendor Voltage Security, via email. "Encryption can mean the difference between full visibility into lawful intercepts, and learning about their data being intercepted by the next big leak in the media."

Encryption is likely to be most effective against upstream data collection efforts, said Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email.

The challenge is what kind of encryption to use, Green said. SSL is the most common way to protect data transmitted over the wire and the protocol is actually fairly strong, but SSL keys are relatively small and it's not outside the realm of possibility that an organization like the NSA could obtain these keys at some point, he said.

There is already evidence that the NSA is performing upstream traffic interception on the networks of high-level ISPs that operate Internet backbone infrastructure, as shown by the case of Room 641A, an NSA Internet traffic interception facility located in an AT&T building in San Francisco that was exposed in 2006.

"We have no idea what the NSA can do," Green said. "However it's reasonable to assume that even if they can break modern encryption schemes -- a pretty big assumption -- it's going to be pretty expensive for them to do so. That rules out massive non-targeted eavesdropping on encrypted connections."

The feasibility of breaking SSL encryption is also determined by the different configurations in which the protocol can be used. For example, the Diffie-Hellman -- DHE and ECDHE -- configurations of SSL are much more difficult to tap than the RSA configuration, Green said.
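
As an added illustration (not part of the original article and not code from Green), the Python example below sorts TLS cipher suite names by key exchange. It separates the ephemeral Diffie-Hellman (DHE/ECDHE) suites from those using RSA key transport or fixed DH keys, where a recorded session can be decrypted later by whoever obtains the server's private key. The function names are hypothetical and the suite list is constructed sample data.

```python
import ssl

EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}   # EDH is OpenSSL's older spelling of DHE
ANONYMOUS_KX = {"ADH", "AECDH"}          # ephemeral, but the server is not authenticated

def key_exchange(suite: str) -> str:
    """Classify a cipher suite name (OpenSSL or IANA style) by its key exchange."""
    name = suite.upper().replace("-", "_")
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 suite names carry no key exchange field;
            # full TLS 1.3 handshakes always use (EC)DHE.
            return "ephemeral"
        name = name[len("TLS_"):]
    first = name.split("_")[0]
    if first in ANONYMOUS_KX or "_ANON_" in name:
        return "unauthenticated"
    if first in EPHEMERAL_KX:
        return "ephemeral"
    # Everything else: RSA key transport, fixed DH/ECDH, PSK without DHE.
    return "static"

def audit(suites):
    """Return the suites to disable so that only authenticated DHE/ECDHE remains."""
    return [s for s in suites if key_exchange(s) != "ephemeral"]

# Constructed sample: a server cipher list mixing both kinds of configuration.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",                      # RSA key transport (OpenSSL name)
    "TLS_RSA_WITH_AES_128_CBC_SHA",    # RSA key transport (IANA name)
    "ECDH-RSA-AES128-SHA",             # fixed ECDH key, not ephemeral
    "TLS_AES_128_GCM_SHA256",          # TLS 1.3
    "AECDH-AES128-SHA",                # anonymous ECDH
]

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(f"{key_exchange(s):16} {s}")
    # The same check against this machine's default client configuration.
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print("local suites without authenticated DHE/ECDHE:", audit(local))
```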

In order for encryption to completely prevent unwanted surveillance, the data must be encrypted throughout its life, said Dwayne Melancon, chief technology officer of IT security firm Tripwire, via email. "If it is in the clear at any point (at rest, in use, or in motion) it could potentially be accessed by others without credentials."

This means that data needs to remain encrypted not only as it travels across the global Internet and passes through routers and servers in different jurisdictions, but also while it's used in real time by applications, as well as when stored for backup purposes.

Ensuring that the private keys used to encrypt the data remain secret at all times is paramount. That's not easy to do when running live applications and hosting databases on cloud servers or when relying on other cloud services.

"If an organization relies on the cloud service provider [CSP] for encryption, the CSP holds the encryption keys," said Steve Weis, chief technology officer at PrivateCore, a company that develops technology for encrypting data during program execution, via email. "The organization has no knowledge or control when someone lawfully attempts to access encrypted data. The organization is blind."

Companies should adopt a "trust no one" model for the management of encryption keys, Melancon said. Private keys should not be shared with anyone else, especially third-party service providers, he said.

Even though there are technologies available that can enable the safe use of encryption when cloud servers are involved, getting everything right and ensuring that there are no errors in the overall implementation can require a lot of resources.

"It can be done, but it takes a lot of forethought, a lot of effort, and the use of true end-to-end encryption will increase your costs," Melancon said. "It may also require you to rewrite applications, or switch providers in order to handle all aspects of end-to-end encryption."

Considering that the NSA's primary mission is the gathering of foreign intelligence, companies that are not based in the U.S. should probably be even more concerned about the recent revelations regarding the agency's surveillance efforts.

"If you're a European company dealing in sensitive corporate data, I think you'd be crazy to use a U.S. cloud service," Green said. However, that won't stop companies from doing it, he said.

"A big part of the political scandal in the USA right now is the fact that the NSA is spying on Americans," said Zooko Wilcox-O'Hearn, co-founder of the Tahoe-LAFS project, a distributed, fault-tolerant and encrypted cloud storage system. "However, absent evidence to the contrary, I would assume that the NSA is at least as effective at spying on data in European and other locales as in American locales."

That said, Wilcox-O'Hearn believes that companies should also be concerned about other actors spying on them. Those could include law enforcement, military and intelligence organizations from other countries, as well as organized crime gangs or corrupt employees of telecommunication companies and ISPs, he said.

Banks and other financial organizations, as well as companies from the telecommunications industry, that handle very sensitive data usually prefer to keep it on their servers, under their control, primarily because they need to meet regulatory compliance and can't perform security audits in the cloud, said Sergiu Zaharia, the chief operations officer at Romania-based security consultancy firm iSEC.

Such organizations use encryption to secure the traffic between their different branch offices or between customers and their publicly accessible services, but very few of them encrypt data as it travels through their internal networks, between their own servers, at least in Romania, he said.

Other companies, like small online retailers, that choose to use cloud servers to run applications and store customer data don't care too much about encryption, or, if they do encrypt the data, don't care whether the service provider has access to their encryption keys, because they usually don't perform an advanced enough risk analysis, he said.

"All our customers have highlighted their concern with security issues, especially when it comes to services hosted in a third party location," said Dragos Manac, CEO of Appnor MSP, a provider of managed dedicated servers and cloud computing with infrastructure in both Europe and the U.S., via email. "The current Prism scandal is a major blow for governments, but it also hurts service providers."

As far as government surveillance is concerned, service providers are caught between a rock and a hard place, he said. "Not helping the authorities means you are violating the law. Helping them means you may be violating someone's rights."

There is no reason to believe that the NSA, or anyone else, can crack strong encryption algorithms that have been studied and vetted by scientists, Wilcox-O'Hearn said. "On the other hand, it is easy for a programmer or service provider to implement them incorrectly or for a user to use them incorrectly, in which case it would be possible for anyone who had access to the network traffic to read the data," he said.

Lucian Constantin

IDG News Service