What to look for when buying encryption solutions — 7 crucial tips
by Perry Chaffee, on Tue 15 October 2019
As tech has facilitated the rapid migration of value from the physical to the digital world, crime has followed the money online. In the resulting high-threat world we live in, cybercriminals and cybersecurity experts are in a high-stakes arms race. Attackers seek new ways to gain unauthorized access to data and information systems and defenders try to find new ways to prevent this. These strategies quickly become highly technical and highly nuanced. The devil is in the details, and for those lacking the deep technical knowledge, explanations can quickly become confusing.
Making things worse, cybersecurity vendors often employ marketing and sales teams with only a basic understanding of the solutions they’re peddling, and who are quick to throw around all the latest buzzwords for the sake of impressing prospects. After all, cybersecurity vendors are businesses, and businesses earn money from closing deals, not necessarily from delivering best fit, best quality solutions. Do they need to know everything about encryption? No. Do they want you to know everything about encryption? Of course not. They simply want to know what keywords to use to get their site to the top of your search results, and what buzzwords to throw around during a sales call to get you to hand over your money. “It’s military grade encryption,” they’ll say, “It’s unhackable, unbreakable… all the other big companies use it, and your competitors use it too.”
For business leaders who are simply trying to protect themselves, these conversations often aren’t far off from pharmaceutical commercials on TV about miracle drugs: “Try this new medication, it will change your life! You don’t need to understand how it works -just trust us… by the way, our attorneys require us to give you this list of possible side effects which include nausea, diarrhea, cancer, blindness, tinnitus, migraine headaches and death.”
When it comes to comparing different solutions for encryption and encryption key management, you may feel as lost as if you’re trying to decide between one of many 14 syllable medications that all look the same and sound equally unfamiliar. Sure, you can Google each of them and their manufacturer will tell you all the reasons why they’re great and why you’ll die without them. If you’re looking for a second opinion before trying one, here are some basic questions you should ask:
Is the vendor selling snake-oil cryptography?
Terms like “military grade encryption” don’t actually mean anything. They’re just used to sound impressive, and should be viewed as a huge red flag. If a vendor is unable to explain their solution without resorting to these tactics, you’ll never know what kinds of inadequacies and vulnerabilities the marketing tactics are hiding until it is too late.
Is the encryption algorithm a proven industry standard, or a “advanced, new, cutting edge algorithm”?
When it comes to encryption, always, always, always go with industry standards. These solutions are well tested and proven by the world’s leading cryptographers. Home grown solutions often lack this level of testing, could have unknown vulnerabilities, and could be unreliable. This can lead your data to be lost or compromised. Remember that the bad guys aren’t the only ones who can execute Denial of Service attacks; you can do it to yourself also.
What is the encryption architecture; how is the encryption standard implemented?
Just because an industry standard is used, doesn’t mean it is used correctly. If the encryption isn’t properly implemented, it can completely invalidate the value it provides. Think of it like locking the door and leaving the key in the lock. This is not very useful, but easy alarmingly common in the encryption world. Though you may not have the deep technical knowledge necessary to assess the architecture yourself, look for reviews by independent 3rd parties. Also consider looking for open source solutions where you or your team can parce through the feedback and reviews from the open source community to avoid using software with obvious and severe problems.
Will this encryption architecture actually work for my use case?
There is no silver bullet, and trying to apply a “one-size-fits-all” solution to your business could do more harm than good, creating user experience problems or leaving you open through vulnerabilities unique to your use case that aren’t addressed in an off-the-shelf solution. Be wary of vendors who claim that their standard, off-the-shelf encryption solution will easily integrate into your unique, customized architecture straight out of the box. There’s a good chance that modifications to your architecture itself may be needed in order to ensure the value of the security solution is actually achieved, and a good vendor will help you assess and accomplish this.
When and where is the data encrypted?
Typical solutions use server side encryption, where the data is encrypted at rest while being stored by the provider of the site or service. If they are ever hacked, it is possible that all of the data could be compromised in bulk all at once. As another attack vector, hackers can seek to intercept data while it is in transmission between the server and the client. For this reason, end-to-end encryption is becoming more common. Many companies consider data to be well protected with a combination of these two approaches, but in reality the most secure approach by far is to first encrypt the data on the client side, before it is ever transmitted or stored. With client side encryption in place, the data is never useful either during transmission or while stored at rest. Even if the provider’s server is somehow compromised, the data would all be encrypted with a separate key for every single client -which means that bulk compromise isn’t possible, and breaking the encryption for each individual record isn’t practical.
Where are the encryption keys stored?
Many companies, focused more on compliance than on security, are tasked with encrypting data at rest. One of the simplest (and unfortunately most common) ways to do this is to store the encryption key right on the same server as the data to be encrypted -this is also one of the least secure methods. It is like being required to protect something with a lock, but then leaving the key right there in the lock. If the server is compromised, the encryption key for the data on the server is usually also compromised. Hackers love this, because there’s a central point of failure which then gives them access to everything they want.
There are a variety of alternative approaches, but the most secure of all of them is for the client to physically possess the encryption key for their data. With this approach, there is a different key for every client, and they are all physically distributed. Hackers hate this, because it makes bulk data compromise extremely impractical.
While there are multiple ways to equip users with encryption keys on the client side, they can become cumbersome when combined with traditional 2FA or MFA solutions. Fortunately, there is one solution which allows the user to consolidate their authentication and encryption tokens in one device/app/service, dramatically improving both security and convenience for the whole system.
Is the focus of the solution on compliance or security?
Remember that just because something is compliant does not mean it is secure, and that most companies who suffer data breaches were compliant at the time. However, when something is truly secure, it often exceeds compliance requirements. If you focus on compliance, you’ll have a checklist to point to when you get hacked. If you focus on security then in addition to being compliant you’ll also build a reputation of quality, credibility, and trust while avoiding negative impact of a data breach.
Think of compliance as having a driver’s license in order to drive. You shouldn’t be driving at all unless you have one, but just because you do does not make you a safe driver. Having a valid license may keep a driver who causes a serious accident out of jail, but it doesn’t keep those involved out of the emergency room. If you value your business and its customers, make sure your focus is on security rather than just compliance.
Although cybercrime continues to escalate and incidents continue to become both larger and more frequent, a little common sense will go a long way in protecting your business and its customers. Asking these simple questions can help you avoid the risk of implementing a solution that causes more harm than good.