What Digital Security Really Means
Let's get one thing straight: if you're dealing with sensitive information online then that data should be encrypted. If it isn't, you could be making a big mistake, possibly to the tune of millions of dollars. Every company should be working to secure their digital data. There is no such thing as perfect security; never has been, never will be. But good security is definitely better than none. And yet, there's been a disturbing trend, in the wake of RIM's struggles with foreign governments over the privacy of its encrypted network, to lambaste "the cloud" in a misrepresentation of what we mean when we talk about digital security.
Here's an analogy. In the days before the internet (ok, and still even today), important documents were printed out on paper. And that paper was stored in filing cabinets. And those filing cabinets lived in an office. Hopefully they had drawers that locked, or were behind a door that locked, and only certain people had the keys. If somebody did something bad, hopefully that wrongdoing wasn't recorded on paper, but if it was then you could always try to burn the paper before it was discovered. It certainly wasn't the case that just because you'd locked your paper in a cabinet in your office that the legal system couldn't see it if they asked for it. Or maybe that an enterprising journalist with some lockpicking skills couldn't get to it. The only way to truly secure your data was to not print it out and put it in a filing cabinet in the first place.
Today, digital documents like email have replaced the paper, computers the filing cabinets, and servers (in "the cloud") the locked offices. In the United States, practically the same laws of discovery apply to digital data as physical. In this absurd article on eSecurity Planet, the author quickly concludes that no wireless email is safe from government spying. Well, uh, yeah. Neither is your paper mail. Your landline phone calls are just as at risk as your cell phone calls. The article goes on to explain how wireless networks can be hacked, and that using encryption is essential for your data security. It leaves off the part about how locks can be broken, and keys (physical or digital) can be requested by judges.
This is the fallacious leap being made: that somehow handing your data off to S(P|I)aaS cloud solution fundamentally changes the security of that data. Just take this quote from a sensational article over on GigaOm:
Either way, your data could be at risk. If you send messages over the BlackBerry network, use Skype to call overseas, or send email or use the new voice-calling options from Google, theoretically what you say could be monitored by a foreign government, if India gets its way.
Really? Guess what: if you send a regular letter through the mail to another country, theoretically it could be read by that government. In some countries, that isn't even theory, it's fact. Going back to our analogy, this is really no different than if you were to store some of your locked filing cabinets full of sensitive paper documents in some other company's warehouse, maybe because you didn't have enough space in yours. Which is actually not an uncommon practice; just ask IronMountain.
I see the main source of people's fear with putting their data in the cloud is that it's no longer completely within their control, and that it's consolidated. If the government wants to see what you've locked in those filing cabinets, at least you know they're looking, and they have to come to your office to do it. But if instead everyone keeps their cabinets in one big warehouse and the government is handed the key by the warehouse owner, it might feel like some security has been compromised.
But of course, that's pretty much a fallacy too. The data passed around the web is never more secure than any physical letter bouncing around the post offices. Data gets passed around servers randomly and with little or no regard for who or what may be lurking there. Corporations harbor legions of computers infested with malware. Data breaches from emails sent to the wrong people, laptops stolen from hotels, usb drives disappearing, employees posting indiscriminately on social networks, etc. etc. highlight that your company's privacy is probably more at risk from itself than any enforced government espionage.
Do I think governments should be given free access to any network data? Certainly not. And it's unfortunate that the increasingly consolidated world of the internet (coupled with this new millenium's climate of terrorism-fueled fear) has perhaps shown some true colors of many governments that we had hoped weren't there. But that isn't an indictment of the cloud or those who trust in its security. We should be happy that hosted solutions mean the data whose privacy we're fighting for is now at least encrypted, where even a few short years ago there would have been no barrier at all to government access.
Because that's what we really mean when we talk about digital security. We mean that the data is being protected from simply being read by anyone who feels like it. That at rest or in motion (in the filing cabinet or in the mail), your sensitive data is not going to be read by anyone who shouldn't read it. That may or may not end up including certain governments, but leave the cloud out of it and remember this common sense: if you really don't want something to be read, don't write it down.
Rustock Botnet Wisely Abandons TLS
The big email spam news from last week was regarding MessageLabs' August Intelligence report, and the revelation that the Rustock botnet had risen to account for nearly 41% of all spam being sent. At over 46 Billion messages sent per day, that's a lot of spam. But the interesting part of the story is that the increase came after the botnet shrunk to about half its former size. How was this possible?
The reason most likely lies in the fact that the botnet operators dropped their use of TLS encryption on the spam they were sending out. Using TLS to encrypt email causes a significant processing overhead, so by eliminating its use the botnet was able to send out more email per infected computer - in fact, over two times more - allowing greater volume even with the reduced number of hosts.
It was actually unclear why Rustock was using TLS to begin with. Speculation is that the operators may have hoped to get more of their spam past filters by encrypting it, which turns out to be a pretty useless tactic. Because TLS only encrypts the session and not the actual email content, then spam blockers have no problem identifying the malicious email once it arrives at the source. For example, with a hosted anti-spam service like SpamStopsHere, there's nothing stopping our software from accepting the encrypted connection, receiving the "secure" email, reading it and clearly recognizing it as spam, and discarding it before it ever reaches the customer's inbox. After losing a large chunk of their botnet, it's no wonder Rustock reverted back to unencrypted spam and "quantity over quality."
But this anecdote serves to highlight a larger issue, which is the use of TLS for encrypting email in the legitimate business world. It may seem absurd to compare the email choices and habits of the most prolific spammer in the world with those of, say, a healthcare provider, but there are some relevant points to be made. While the HITECH Act has made secure communications a priority for any company handling sensitive information, how to properly handle email encryption is still pretty murky. The important distinction to make is that there are two cases to consider: data at rest and data in motion. Using TLS only covers data in motion, which is why using it to encrypt spam doesn't actually help a botnet get more past the filters. To do that, they'd need to use encryption for the data at rest.
In the next few weeks, we'll have a few follow-up articles that go a little more in depth with how TLS and alternate solutions can work to encrypt your emails and get your organization HIPAA compliant. If there's anything specific you'd like to see discussed, please let us know in the comments.
Extending Encryption Wednesdays
Today is the last Wednesday in August, also marking the end of our Encryption Wednesdays promotion where we gave free consultations to businesses interested in email encryption.
Or at least, it was planned to be the end. But we got such a huge response that we didn't have time to fit everyone in and we're still getting new signups. So we took it up with the top brass and we've decided to extend the service for the rest of the year. That means every Wednesday until December 29th we'll be offering free consultations on email encryption. Just use our handy form to sign up. We'll still only be allowing signups up to one month in advance at a time, mostly for our own sanity so we don't get backloaded. Of course, there are no obligations and no costs to you, so even if you're a few months away from making a decision on email encryption, it really doesn't hurt to make the call now and be prepared for later.
Thanks to everyone who participated and made Encryption Wednesdays such a big success. We're looking forward to talking to a lot more of you.
Encryption Wednesdays in August
We recently attended Hosting Con 2010 in Austin, TX., a conference which brings attendees from all over the world to discuss the current and future state of the hosted service landscape. We had a great time there both sharing and learning about all the ways that hosted email services are improving business, and had a lot of discussions on how hosting solutions have emerged to replace the time consuming and costly traditional software/appliance model. But the key topic was definitely the increased necessity of encryption over the past year.
Years ago when Greenview Data first began to offer a hosted email encryption solution, encryption was most prevalent in the health care sector due to the type of data transmitted and of course the HIPAA laws. However, in most other environments it was a frequently overlooked "best practice" due to the monumental effort involved. We recognized this need and began working with key players to produce a hosted service that was simple, cost effective, easy to implement and maintain, and satisfied all regulatory requirements.
Over the past year we have seen a tremendous increase in the demand for this service in response to the changing business landscape. Five years ago, our focus was on the large hospital market; now our email encryption customers extend to every facet of the healthcare and financial sectors, as well as many other organizations that either simply want to keep their data safe or are required to by state-wide mandates. We have added numerous encryption specialists to respond to this growing demand and to ensure we have top-notch support to cater to your needs when you need us. Today, we're extremely proud of our hosted encryption service, and especially the strong and dedicated customer support team behind it.
We understand how important, but often cumbersome and time consuming, email encryption can be. And we also believe that it's important for everyone to be well-informed on the topic and aware of all their options, because email encryption isn't just a vanity service - it's a vital step in ensuring our safety and privacy on the internet. To help with this situation, we are pleased to announce Encryption Wednesdays for the entire month of August. Each Wednesday during August, our encryption team will be available for scheduled appointments to discuss email encryption with any interested organization, with the same manner of personalized attention our customers have come to expect from Greenview Data since 1980. Best of all? We're doing this completely free of charge.
These consultations are a time where we can discuss your unique situation, determine your needs, explore possible solutions, and give you honest answers to any questions you may have. To schedule an appointment simply fill out this form with information about your environment and your available times. One of our encryption specialists will be in touch shortly to confirm your details, and finalize the appointment.
If you determine that our hosted email encryption service is a part of your encryption solution, we can initiate your setup while we're on the phone and have you up and running in under 48 hours. You may also determine that your organization doesn't have a need for email encryption at this time, or that our service just isn't the right fit (although we doubt that - we've got something for everyone). That's fine. We just think it's good for everyone to have all the facts to make an informed decision about an issue that is so important.
Creating a Culture of Security
With the recently updated HIPAA rules being approved and HITECH data breach notification laws starting to be enforced, information security is going to be in the news more than ever. And not in a good way. I'd put good money down that in the next few years, as these new laws really come into effect, we'll see an explosion of data breach disclosures. But more than that, they're going to be of this variety:
That's because, with all the talk over "policy" and "best practices", we still don't have a culture of security that lends itself to keeping data where it belongs and out of the hands of those that shouldn't have it. Just take a look at these recent data breaches. What do I mean by a culture of security? It's twofold, and invloves:
- Having a clear understanding of what it means to have secure data. Not just knowing that encryption is "good" but how it actually helps secure data and in what ways it differs from other techniques like passwords, limited access, etc.
- Making data security a habit and a default mode of thinking, rather than reactive or secondary. The question of data security should never be along the lines of "should I do more to secure this?" but rather "is it ok to do less?" Presume a level of highest defense, and then learn where you can relax standards.
It should go without saying that you need #1 before you can really get to #2, but unfortunately I think it's a common practice for businesses to try and skip right to #2, providing little or no training for the individuals they are entrusting and expecting to follow through with the procedures in place. You can build the most impenetrable castle in all the land, but if you don't properly tell your soldiers when and why to open the drawbridge, sooner or later you're going to have a trojan horse on your hands.
Do I expect everyone in an organization to know the difference between TLS and AES, what asymmetric key cryptography is, or how to forge email headers? No, of course not. For any organization dealing with sensitive data, creating a culture of security isn't about technical knowledge as much as it is an attitude. You don't have to know how encrypted email works, but you should know how, when, and why to send and receive it, and never miss an opportunity where it's called for.
Part of the problem for many organizations is that they will need to create this culture from scratch. Dealing with the security of digital information is not something that the health industry (or finance, or government, or really anyone for that matter) has had to deal with in the past. It's a different beast, and requires education and commitment. Fortunately, we finally have some good tools for the job. For example, Greenview Data's hosted email encryption service makes it incredibly easy to send encrypted email. Besides the smart content filters that automatically catch and encrypt emails containing sensitive data, a user can send an encrypted email by simply including a key word in the subject line such as "SecureIt". But without a culture of security, these tools will go to waste. Again, it will probably take a few years and a lot more missteps before we get there, but everyone's got to start somewhere.
Interested in developing a culture of security? Please share your thoughts and experiences in the comments below! Or give us a call at 800-458-3348 to talk to a Greenview Data encryption expert about how you can improve the culture of security at your organization.
The Future of Encryption
The hot topic nowadays is privacy, specifically in reference to personal information and disclosure. It's become relevant for both businesses and individuals, but the situation is increasingly hairy as we push social networks and cloud services to be more and more prevalent. Can the need for secure information and the desire for publicly shared information peacefully coexist?
Currently, state governments such as those of Massachusetts and Nevada have pushed through strong regulations on email encryption and data breach notifications, and in all likelihood similar legislation will soon be passed at the federal level. At Greenview Data, we offer a hosted email encryption solution that meets these new HIPAA/HITECH & state regulations, but this is only one data security endpoint that businesses need to address. The recent case of some hospital employees losing their jobs for sharing patient information on facebook is just one example.
Which brings us to the personal side of the issue. There has been no shortage of discussion on problems with individual privacy in the midst of the explosive growth of social networks the past few years. It seems that facebook can't go a month without being in the news over privacy issues, and plenty of other sites have had their share of information leaks. Yet these social networks only continue to grow in popularity.
Yes, despite data privacy and security issues being thrust into the limelight, it's hard to see progress, especially when the government itself can't keep data properly secured but wants to increase their monitoring and control of the internet. But the seeds are there. I think the move to cloud computing will actually be a boon to increased security (I'll write a followup article on that soon). Even if there isn't yet widespread public understanding of the problems underlying information security, there is awareness now. We've reached a point where people recognize the need and benefits of data security, but there's an educational gap that must be bridged. At the same time, a balance needs to be found with respect to the openness and sharing fostered on sites like facebook and twitter.
I think data encryption will be a big part of the equation. It needs to become the default mode of operation, not the exception. We'll need cooperation from the big players on the web offering hosted services (Google took a step in the right direction recently with their encrypted search). And we'll need a better informed and educated public. But it isn't hard to imagine a near-future where all of our online interactions are through encrypted channels; where every email sent is encrypted as well as every file containing sensitive data; where the data posted on social networks that should only be seen by friends can only be seen by friends. Then all we'll have to do to enjoy a secure and social web is stop writing down our passwords on sticky notes.
Tags
Categories
Archives
Follow us on Twitter!
- Keep Your Information S.A.F.E. with Email Encryption http://t.co/vSLGlUI
- New blog post: Keep Your Information S.A.F.E. with Email Encryption, http://t.co/ZZATb11
- We're hiring! Programmers http://t.co/7y0IyXC and Tech Support/Spam Analyst/Linux Admin http://t.co/0YPfZkC
- New blog post: All "clouds" are not the same, http://bit.ly/k4VL3z
- Epsilon's list of names and email addresses possibly stolen http://ti.me/hlZPRy. Watch out for personalized phishing scams.