In the wake of an eventful year in information security, the tech giants have moved security and privacy to the top of the IT agenda. Despite some headline-generating missteps (with plenty of help from the National Security Agency and other intelligence agencies), it's clear that most cloud service providers are doing a better job keeping customer data secure today than they were a year ago. In fact, the Electronic Frontier Foundation just released its annual "Who Has Your Back?" transparency report, giving many of the largest tech firms kudos for their data privacy and transparency efforts. We echo this sentiment and congratulate the service providers.
Microsoft, among the vendors given a perfect score in the report, has poured a great deal of resources into the security of the Office 365 platform, building in several security tools such as RMS/IRM, Bitlocker, Exchange Hosted Encryption and S/MIME. The increased focus on encryption reflects an industry-wide shift, with cloud service providers like Google and Yahoo dedicating time and resources to securing customers' data.
However, these encryption tools focus solely on security, and not on the underlying issue that's putting customer data at risk in the first place – control. When organizations leverage the cloud for communications, there are very specific requirements needed to meet security, fiduciary and compliance requirements. Enhanced encryption from cloud service providers is a nice (and necessary) first step, but in and of itself is not sufficient because it lacks the control capabilities businesses need amidst the rise of data ownership concerns. For example, Microsoft's various encryption tools, while useful, do not cover all the organization's requirements. These shortcomings include:
- Failing to persistently encrypt every outgoing email
- Not encrypting incoming messages or internal messages
- They're not transparent to users or administrators
- Email subjects, calendars, invitations, tasks and other Exchange items are not encrypted
- Decrypts email messages in order to perform server-side operations including search, sort, indexing, DLP scanning, and e-Discovery
- Emails are stored in the Exchange server transport in clear-text
Maintaining Ownership & Control
So what can organizations do to maintain ownership and control of their data? Encryption remains the best way to ensure the only people looking at data are the ones who are supposed to be looking. Regardless of how one feels about Edward Snowden, it is interesting to note that Glenn Greenwald, in his new book, asserts that moving encryption to the mainstream was one of Snowden's primary motives for disclosing NSA data mining secrets. Security experts across the globe advocate the use of encryption as the core technical requirement to ensure ownership and control. Bruce Schneier, the internationally renowned security technologist, has the following to say about encryption:
“Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure….”
In order to achieve the kind of privacy business requires, control over data is critical. Any solution must deliver on several criteria:
- Encrypt data cross the entire lifecycle. Data exists in three states – at rest, in transit and in use, and must be encrypted in all three to ensure control.
- Ensure that data can be searched, indexed and sorted while still encrypted. In other words, if data must be decrypted for server side operations to work, the data is exposed or vulnerable.
- Enable the business to control its encryption keys. Encryption keys must be created, managed, rotated, revoked and backed up by the business, not the cloud service provider.
- Encrypt data in its entirety. Every single email in the inbox, outbox, sent and deleted folders, as well as message subjects, attachments, tasks, calendar items, invitation messages, and folders must be encrypted – without exception.
- Be invisible to the user. Not to be confused with a lack of transparency – but encryption must be applied automatically, without requiring end-user action. Any need for user action opens up the possibility of human error, guaranteeing that it will eventually fail.
Given the limitations of cloud service providers – even well-intentioned, trusted ones with good products that ensure data security - the onus is on organizations to maintain ownership and control of their data at all times. Fiduciary and regulatory obligations as well as business common sense dictate that businesses take action to do so. Security is of paramount importance, but control is king.