Not by Encryption Alone

Did you notice the slight of hand, though? How is that we can see the plaintext in the exchange? Via a screen recording, of course!

I always enjoy seeing this GIF from the EFF’s “Surveillance Self-Defense” page (link) demonstrating end-to-end encryption:

The tool they’re showing is pretty cool. Here, they’re making the point that transport layer security — the browser lock business in this case — is not enough to protect a message between two people, while adding end-to-end encryption ensures that the message is not readable at any intermediate hop in the transmission path. It’s pretty clear in the demonstration, yes?

Did you notice the slight of hand, though? How is that we can see the plaintext in the exchange? Via a screen recording, of course!

Encryption is an important component of any information security strategy, but it’s just that — one component. There is always the concern that, if the data is to be useful, at some point it will have to be decrypted and the contents rendered. If that rendering process is somehow compromised? If the decryption keys were exposed? If the device was recording keystrokes of the user entering a passphrase? …? Suddenly, no matter how sophisticated or strong the encryption is, it’s all for naught — the system is potentially broken.

Data protection is best handled with a holistic systems view of your operation and with pragmatic risk management. Consider how the data is collected or generated, and how it is processed. Consider how it is stored and how it moves within your system. Consider who should have access and how that access is restricted. Consider the devices used to access, consume, analyze, enrich, and retransmit the data, as well as the software and systems present in those devices. Consider the environments where use those devices are used, what would happen if the device was out of their hands, improperly accessed, or lost. Consider what could happen if the system came back and rejoined a trusted network.

Are you confident you’ve taken sufficient protective measures so that you can survive the hit if something goes awry? On the flipside, are you concerned your strategy has gone overboard? Too complex or too expensive?

Think it through — and, if you need an outside set of eyes to review what you have in place, feel free as always to contact us.