What to Look for in a Key Management Solution

Data, whether in motion or at rest, is constantly targeted by attackers and fraudsters. This makes encryption more important now than ever, a fact that most businesses around the world are quickly catching on to. Even as consensus grows around the importance of encrypting both stored data and communications such as email and other messages, there is no unified theory of how best to implement encryption in a way that makes operational sense while minimizing the attack surface. As a result, around two-thirds of businesses list cryptographic key management as either a medium or large challenge.

The current key management landscape shows that these businesses aren't exaggerating. Enterprise encryption is littered with redundancies: most businesses run multiple key management solutions at once in order to secure different applications and endpoints. This is on top of the encryption tools they use to protect the data in the first place, and the key management tools themselves are often augmented by yet another layer of separate key protection tools (hardware security modules, for example).

Erring on the side of caution is reasonable, but doesn't a multitude of systems increase complexity to the point where overall security actually goes down? Is a patchwork of different products really necessary to gain true end-to-end protection for email and other messages? Not necessarily, if you can find a solution that has the right features and functionality.

1. Comprehensive Integration

The IT environments we were talking about above are often so complex that admins begin to lose track of where each key is actually stored. Because different solutions are being jerry-rigged to integrate with different application surfaces, keys or certificates quickly become unmanageable. This is obviously a recipe for disaster in the long run, which is why one of the first things you need to look for in any cryptographic solution is that it can be integrated across all of your applications and endpoints with ease. This might seem like too much of a stretch for something like a bank or an insurance company with an extremely complex back office dataflow structure, but it is possible to find plug-and-play solutions that can manage the keys or certificates that are necessary for signing and encrypting messages across your entire infrastructure. This might involve inserting a line or two of code into your various back office applications, or using a hardware or software adapter to integrate one comprehensive solution across the entire ecosystem.

This isn't just about avoiding the redundancy that's so common right now; it's also a matter of decreasing complexity. If you deploy one technology for your SWIFT financial messages and another one for your email, for instance, you have to buy, master and manage two different solutions to protect your information. You also increase the possibility of human error, which is the biggest threat vector in cyber security, and you increase cost and complexity along with it.

2. Trust

Okay, we've established that you should keep the number of key management solutions covering your IT infrastructure as small as possible, but what else should you be looking for in a solution that will actually prevent things like business email compromise, CEO fraud, phishing, and SWIFT fraud? One extremely important criterion is trust. What do we mean by this extremely broad requirement? A few things:

  • Is there any way for you to audit the code for the solution in order to make sure there are no hidden flaws or backdoors? If you don’t have this option (perhaps the only indication of security that the vendor is giving is outside certification), it’s difficult to know how safely your keys are actually being stored. This is partially a question of susceptibility to hackers, but also a question of transparency. Given the Swiss Crypto AG scandal, there’s no good reason to take someone at their word when they promise that there’s no backdoor in their solution.
  • By the same token, you should consider who is actually housing and distributing the keys. Are they stored securely on your own systems but managed automatically across applications, or is a third party storing and distributing your keys for you? If it's the latter, you run into the same problem we discussed above: whoever can read the key can read the data. If someone is storing your keys in a vault that they own, you had better be sure that there is no other way into that vault and that the provider is completely trustworthy.

If the encryption you're using is a black-box solution, the possibility of an undisclosed way in is always going to be present, no matter how many certifications the tool has. Ultimately, the model of trust that's least prone to backdoors and similar issues is an open source solution that enables you to manage and distribute keys yourself within your own organization. Keep in mind that published source only buys you trust if someone actually reviews it and if the binaries you deploy can be traced back to the reviewed source; otherwise the openness is cosmetic.

3. Ease of Use

Again, the biggest threat that faces companies from a cybersecurity perspective is human error. As such, the easier an encryption management or key management tool is to use, the better your security will be. As we discussed above, this starts with installation: if you have a turnkey solution that protects every surface in your IT environment with no fuss, the odds that a misconfiguration will open a vulnerability are much lower. By the same token, if the solution makes life easy for admins (who don't want to spend all of their time manually tracking and distributing keys, enforcing security policies, and so on) as well as for users (who simply do not want to think about managing their private and public keys, to say nothing of rotating keys that are about to expire), then you're setting yourself up for improved security. If not, the window of opportunity for human error keeps growing, and you wind up with a system where admins can't keep track of keys and security standards become lax or inconsistently enforced. This is why, if you're encrypting back office processes, you want everything from encryption to key management to be as close to invisible as possible. With email, you want the same: the UI should help users identify potential phishing attempts without requiring any extra effort on their part.

4. Automation

At this point you might be thinking that the only way for a solution to meet all of these requirements would be with a heavy dose of automation. Here, you'd be exactly right. Manual key management (creation, distribution, renewal, reset, revocation, import, etc.) is exactly what you're trying to avoid when you adopt a software solution, so why should you leave gaps where significant manual effort is still required? In an ideal situation, you could even have a single solution that made automated encryption management and key management possible across all of your applications for all transport technologies, i.e. on the application layer. In this way, you'd be able to ensure confidentiality, integrity, and authenticity for corporate communications without any of your users having to lift a finger. Rather than scrambling to figure out where your various keys are stored so that you can replace and distribute them before they expire, you simply set compliance rules and watch as they're carried out to the letter, with no room for human error.
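To make the "set compliance rules and let them run" idea concrete, here is an added example (not p≡p's code, and not tied to any particular product) of the kind of policy engine an automated key manager runs on every cycle. It evaluates a constructed key inventory against a rotation policy and returns the actions to take, so that no admin has to remember which key expires when. The record fields, the policy thresholds and the action names are assumptions made for this illustration.

```python
"""Automated key-lifecycle policy check (added illustration, not p≡p code).

A constructed inventory of keys is evaluated against a rotation/expiry policy
and turned into a list of actions an automated key manager would carry out.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KeyRecord:
    key_id: str          # hypothetical identifier, e.g. a fingerprint prefix
    owner: str           # application or mailbox that uses the key ("" = unknown)
    created: date
    expires: date
    revoked: bool = False


@dataclass(frozen=True)
class Policy:
    max_age_days: int        # rotate keys older than this even if not yet expiring
    renew_before_days: int   # renew this many days ahead of expiry
    require_owner: bool = True


def plan_actions(keys, policy, today):
    """Return a sorted list of (key_id, action) tuples.

    Actions: 'revoke' for keys past expiry that are still marked valid,
    'renew' for keys approaching expiry or past the maximum age,
    'flag-orphan' for keys with no known owner, 'ok' otherwise.
    Keys already revoked are skipped; they are out of service.
    """
    actions = []
    for k in keys:
        if k.revoked:
            continue
        if policy.require_owner and not k.owner:
            # A key nobody claims is exactly the kind of key admins lose track of.
            actions.append((k.key_id, "flag-orphan"))
            continue
        age = (today - k.created).days
        days_left = (k.expires - today).days
        if days_left < 0:
            actions.append((k.key_id, "revoke"))
        elif days_left <= policy.renew_before_days or age >= policy.max_age_days:
            actions.append((k.key_id, "renew"))
        else:
            actions.append((k.key_id, "ok"))
    return sorted(actions)


# Constructed sample inventory; these are not real keys or real systems.
SAMPLE_KEYS = [
    KeyRecord("A1B2", "mail/cfo", date(2023, 1, 10), date(2025, 1, 10)),
    KeyRecord("C3D4", "swift/gateway", date(2024, 3, 1), date(2024, 4, 15)),
    KeyRecord("E5F6", "", date(2024, 2, 1), date(2026, 2, 1)),
    KeyRecord("0708", "mail/hr", date(2024, 3, 20), date(2026, 3, 20)),
    KeyRecord("090A", "mail/old", date(2020, 1, 1), date(2021, 1, 1), revoked=True),
]
POLICY = Policy(max_age_days=365, renew_before_days=30)
TODAY = date(2024, 4, 1)   # fixed so the run is reproducible

if __name__ == "__main__":
    for key_id, action in plan_actions(SAMPLE_KEYS, POLICY, TODAY):
        print(f"{key_id}: {action}")
```

Run on the constructed inventory, the CFO mail key is flagged for renewal because it is older than a year even though it has months left, the SWIFT gateway key is flagged because it expires within the 30-day window, and the ownerless key is flagged as an orphan rather than silently left in place. The point of wiring something like this to the actual renewal and revocation calls is that the rules are applied every time, not only when someone remembers.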

How p≡p Automates Encryption End-to-End

The solution we described above might sound far-fetched, but in point of fact that's exactly what p≡p security is offering right now. We provide fully decentralized, fully automated solutions covering enterprise email usage, SWIFT CSP compliance for banks and financial institutions, and more. Rather than relying on separate encryption and key management solutions (potentially several key management solutions), p≡p software automatically generates, distributes, and stores public and private keys, and then uses those keys to automatically encrypt, sign, and decrypt messages on your users' devices.

Because there is no centralized system (the endpoints are where encryption and decryption happen), your messages are protected throughout transit, and not even p≡p can decrypt or read your messages at any point. Not only do we avoid a black-box method of encryption, we are fully open source, meaning that our code can be, and is, audited by outside experts to check both the strength of our cryptography and the security of our system. We don't rely only on external certifications to earn your trust; we do it with complete transparency about how we're protecting your information.

Because the platform is transport- and encryption-agnostic (you can use whatever cryptography and any messaging system that works for you), it's designed to fit seamlessly into any IT ecosystem. Fully automated key, trust, and identity management means that the possibility of user error drops virtually to zero, thereby reducing the largest email attack vector and greatly blunting phishing and other business email compromise tactics. If your company's CFO is really sending out a survey about your retirement savings and pension plans, users will see the message color coded green, because it's secure and trusted: it's a communication channel for which trust has already been established through the automatic exchange of cryptographic keys and trustwords (short word sequences derived from both parties' key fingerprints, which the two people compare out of band, for example over the phone).

If the email's not really from the CFO, the channel will be marked red, to indicate that the channel isn't secure and trusted and that the message isn't coming from whom it claims to be. The user won't have to take a single action related to encryption or key management; she'll just know to disregard that message with the confidence that it's not from a trusted source. Things are just as easy for admins, who can skip all of the headaches that come with installing multiple solutions to cover encryption, key management, and key protection. Instead, just plug and play.
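The green/red rating described above comes down to a small amount of state per correspondent: which key was seen for them, and whether the trustwords were ever compared. The following added example (not p≡p's code; the word list, the use of SHA-256 for fingerprints, the TrustStore API and the extra "yellow"/"grey" states for a pinned-but-unverified key and an unknown sender are all assumptions made here) models that flow: derive symmetric trustwords from the two fingerprints, confirm them, and rate an inbound message by the key that signed it.

```python
"""Channel trust rating via pinned keys and trustwords (added illustration,
not p≡p code). Word list, fingerprint hash and the TrustStore interface are
assumptions for this example."""
import hashlib
from dataclasses import dataclass

# Constructed 16-word list so each word carries 4 bits. A real trustwords
# list is much larger so that each word encodes many more bits.
WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
         "india", "juliet", "kilo", "lima", "mike", "november", "oscar", "papa"]


def fingerprint(public_key_bytes: bytes) -> str:
    """64-hex-char fingerprint of a key (SHA-256 here; an assumption)."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def trustwords(fpr_a: str, fpr_b: str, count: int = 5) -> list:
    """Words both parties read to each other to compare out of band.

    The two fingerprints are XORed so the result is identical whichever side
    computes it; the leading hex digits of the result select the words.
    """
    combined = f"{int(fpr_a, 16) ^ int(fpr_b, 16):064x}"
    return [WORDS[int(ch, 16)] for ch in combined[:count]]


@dataclass
class Identity:
    address: str
    fingerprint: str
    verified: bool = False   # True once trustwords were compared and matched


class TrustStore:
    """Per-user store of correspondents' keys and their trust state."""

    def __init__(self, own_key: bytes):
        self.own_fpr = fingerprint(own_key)
        self.peers = {}      # address -> Identity

    def record_key(self, address: str, public_key: bytes) -> Identity:
        """On a signed message from a new sender, pin the first key seen.
        Pinning alone is trust-on-first-use; it never yields green by itself."""
        if address not in self.peers:
            self.peers[address] = Identity(address, fingerprint(public_key))
        return self.peers[address]

    def trustwords_for(self, address: str) -> list:
        return trustwords(self.own_fpr, self.peers[address].fingerprint)

    def confirm(self, address: str, spoken_words: list) -> bool:
        """Mark the peer trusted only if the words heard match ours exactly."""
        ok = spoken_words == self.trustwords_for(address)
        if ok:
            self.peers[address].verified = True
        return ok

    def rate(self, address: str, signing_key: bytes) -> str:
        """Colour shown to the user for a message signed with signing_key.

        green : signed by the pinned key and trustwords were confirmed
        red   : signed by a key other than the one pinned for this sender
        yellow: pinned key, trustwords not yet compared   (assumed state)
        grey  : no key on record for this sender          (assumed state)
        """
        ident = self.peers.get(address)
        if ident is None:
            return "grey"
        if ident.fingerprint != fingerprint(signing_key):
            return "red"
        return "green" if ident.verified else "yellow"


if __name__ == "__main__":
    # Constructed keys; real keys would be the parties' actual public keys.
    store = TrustStore(b"constructed-own-key")
    cfo_key = b"constructed-cfo-key"
    store.record_key("cfo@example.com", cfo_key)
    print(store.rate("cfo@example.com", cfo_key))          # pinned, unverified
    print(store.trustwords_for("cfo@example.com"))         # read these over the phone
    store.confirm("cfo@example.com", store.trustwords_for("cfo@example.com"))
    print(store.rate("cfo@example.com", cfo_key))          # green
    print(store.rate("cfo@example.com", b"attacker-key"))  # red: wrong key for sender
```

The design point worth noticing is that the CFO's channel only turns green after the out-of-band word comparison; seeing a key once is not enough, because an attacker who reaches the mailbox first could otherwise become the pinned "CFO". A message that arrives signed by a different key than the pinned one is what produces the red marking the text describes, regardless of what the From header says.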

When key management and encryption feel like herculean efforts from an operational perspective, message protection will always seem like a luxury. With automation, privacy becomes the default, meaning that the current uptick in email scams is far less likely to impact your business.
