Avoid government, hacker snooping by owning encryption key management: lawyer
- 03 April, 2015 09:01
Improving interoperability between encryption key management solutions will facilitate the use of encryption to improve governance – and prevent government intervention and hacker theft of sensitive data, a Brisbane-based intellectual property lawyer has argued in addressing a global security conference in the US.
“People are looking at security from the wrong perspective,” Hayden Delaney – an intellectual property lawyer with Brisbane-based firm HopgoodGanim who was chosen as the Australian Computer Society Queensland's 'Young ICT Professional of the Year' in 2010 – told CSO Australia in the lead up to his presentation at the RSA Conference in San Francisco alongside RSA chief security architect Robert Griffin.
“They are getting bogged down in technical details like 'is the encryption algorithm strong enough?',” he explained. “Instead of thinking about that and where their data is geographically located, the much more fundamental question people need to be asking is 'where are the encryption keys held and where are they managed?'”
Given the recent surge in concern around the government's new metadata-retention program and a broader sense that storing data in the cloud compromises data protection, Delaney focused on the growing role encryption key-management solutions to close these holes and make data inaccessible even to software vendors and cloud providers.
“The question isn't about whether the data should be encrypted or not,” Delaney said. “We all know by now that if the data is sensitive, then encryption is a very good way to insulate it from those risks.”
While encryption had gained mindshare for some time, however, the use of specialised software for managing those encryption keys was still in relatively early days as would-be adopters sat back waiting for clear winners from a variety of options.
However, vendor convergence around the KMIP (Key Management Interoperability Protocol) standard had helped fix this by providing a single compliance target that would ensure data didn't become inaccessible due to use of incompatible standards.
The real question in building airtight data security, Delaney said, is “the extent to which you can deploy solutions using an interoperable management solution.”
“That enables the customer to mitigate security matters, and it's something that, from my perspective as a lawyer, makes life easier. It's something that CSOs and CIOs need to be aware of, and something that lawyers need to properly understand.”
Although vendors have typically built their own key-management environments to ensure they performed as necessary, growing interoperability between various solutions was allowing those vendors to push the responsibility for decrypting data away from their data centres and back to the entities responsible for the data itself.
This, in turn, would tighten controls over data and ease broad fears that vendors might be pressured by government forces into building back doors into their encryption technologies.
Such anonymity has been a key feature of the 'Zero Knowledge' approach championed by vendor SpiderOak, which saw customer enquiries surge after the NSA's PRISM program was revealed. SpiderOak's encryption architecture, based on an open-sourced framework called Crypton, prevents it from ever being able to access customers' cloud data.
Discussions about the role of encryption have hit the mainstream recently as UK, US and Australian authorities push for legal access to encrypted communications and users – and even government ministers – begin switching to more-secure, encrypted alternatives.
The ability to apply robust encryption to all enterprise data is likely to embolden organisations that have previously felt key management was one step too far for its security staff –and will, Delany believes, help align the objectives of company lawyers with the capabilities of technology staff and the interests of the vendors supplying them.
“Vendors don't want to hold the keys because that involves huge risk,” Delaney said. “It makes the cloud very susceptible to things like requests by foreign or local governments to access data stored on their infrastructure.”
“If the encryption key management solution is implemented in the environment and pushed down to the customer level, it doesn't really matter: if the government approached them, all they could hand over would be encrypted data. It's an engineering solution to a legal problem.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.