Balancing Compliance and Governance With Encryption Security
Security firms sometimes find themselves caught in a tug of war between client security and compliance with government or regulatory agencies. We caught up with Lori Rangel, Silent Circle’s Director of Products, to get her take on the current state of affairs.
How do you see the current security and compliance landscape?
While the goal of compliance regulations is to ensure security and privacy practices are being adhered to, there is in some cases conflict or tension between the security needs of customers and regulations such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), FedRAMP (Federal Risk and Authorization Management Program), etc. There are a myriad of security and privacy issues to address, such as lawful intercept, mass surveillance, regulatory or internal controls, as well as both legal and government compliance. For example, with legal compliance you have to retain all communications between attorneys and clients, but you also have to retain that information in a way that complies with other regulatory requirements such as GDPR. The question is, how do we store and encrypt data in a way that is less vulnerable to hacking, and remains compliant?
There are a lot of factions, be it third-party legal, law enforcement or government agencies that want to be able to decrypt information. Since encryption is moving heavily towards a model where no one domain holds the key to unlock the data, it creates an even more complex situation. At Silent Circle, we believe that all companies must be good stewards of data. It shouldn’t be an “us vs. them” scenario.
Should there be a “magic key” to decrypt data?
That’s the heart of the debate, isn’t it? Silent Circle provides an encrypted communication platform used by law enforcement, government agencies, financial institutions, and a variety of other industries to transmit sensitive and confidential information safely and securely. We secure our customer data through strong peer-to-peer encryption – that means that the customer’s Silent Phone device or Silent Circle application generates all of the keys necessary to encrypt and decrypt messages with verified conversation partners. We do not believe that a “magic key” can ever be adequately secured against compromise or inappropriate use – you simply cannot build an iron fortress with a paper door and expect that only the good guys have access to the door! If it’s designed to be impenetrable, it’s got to be impenetrable to anyone who doesn’t have the proper access.
Silent Circle supports our customers’ compliance, security, and privacy needs, but does so without accessing their data or even having the keys to do so. Customer data belongs to the customer, and Silent Circle cannot access it under any circumstances. As a result, if a law enforcement issue arises, we don’t own or have access to our customers’ data – only the customer does.
Do security firms have any influence on how governments work to identify and prevent terrorism and other crime?
In recent years security professionals have gotten a seat at the table when it comes to discussing data encryption standards and how that interplays with law enforcement efforts. It’s encouraging to see this kind of dialogue happening outside of a vacuum. Of course we all want to end terrorism and stop crime before it happens, but there’s a palpable push asking for the magic key that provides access to intercept communications or unlock devices. The problem is that if encryption is designed in such a way that a “lawful backdoor” exists, that’s an opportunity for bad actors to gain entry as well.
We know that mass surveillance has not been very fruitful in preventing crime. Even with all the mass data collection and oversight it doesn’t really thwart terrorist attacks, and that’s what we’re worried about, right? The parties responsible for the Paris attacks, for example, weren’t even using encryption. This doesn’t mean we shouldn’t be vigilant, but it does remind us to be wise with how we use our resources.
What other motives might be driving the desire for data access?
Crime, and especially terrorism, is on the rise. It’s understandable that law enforcement would want every tool available to intercept and prevent tragedies. Some might assume that mass data collection in the clear would help support those efforts. But you can’t have it both ways. The encryption that criminals might use is the same encryption that law enforcement is using. Government agencies across the globe are under cyber attack in some form or another. Whatever tools they are using to break encryption for criminals are the same tools the criminals are using to break theirs in return.
Have you seen a shift in enforcement emphasis with the new administration in Washington?
In the past we went through a phase where governments were strictly opposed to encryption. Now we see things like GDPR that specifically stipulate that strong encryption must be used when storing data.
In the U.S. there’s even legislation under review that says if you don’t reveal to the public when you’ve been breached, you might face a hefty fine. This comes in the wake of the Equifax breach. As a whole, I think we’re understanding that the value of data encryption outweighs the risks associated with bad actors. Still, there will always be those who want unlimited access.
Are there special considerations for storing data at rest?
Any time you are required to store data at rest, you are presented with an intrusion risk. The safest way to remediate the risk is not to retain the data in the first place, but that isn’t always an option for corporations or government entities bound by compliance. The encryption utilized to secure data at rest is often bound by its own governance and regulation. The challenge is to adapt the encryption technology and secure it so that it can’t be unlocked by anyone but the customer, while still adhering to compliance regulation.
What does “compliance with a subpoena” mean?
This is basically a request to allow access to data by court order. When this happens, security companies must perform their due diligence on behalf of the customer. This could include alerting them to any inquiry, for example. In a lot of cases, this isn’t an option because part of that order may prevent them from alerting the customer. In our case, we couldn’t provide any data, since we don’t store it. Plus, we couldn’t give them any decryption codes since we don’t generate those either. The customer’s device handles all of the encryption and decryption.
The onus is on the customer as it should be. They are the owners of their data and communications. Silent Circle provides privacy by design. We give them the lock and the key. You wouldn’t want the company that sells you the lock to the front door of your house to have a copy of the key, would you?