When Encryption isn’t ‘Safe’ Enough
Being on the hook for free services to friends and family members is a well-known risk for many professionals. Doctors get called in the middle of the night to see sick nieces and nephews, attorneys advise their siblings on traffic violations, and airline employees are hunted down by everyone for those free standby certificates. But as a technology professional, I can say that we arguably have it worse than anyone else: “Can you set up my Wi-Fi?”, “Do I have enough encryption?” And if you think that the barrage of requests is not bad enough, you haven’t heard the complaints! “That phone broke within three months!”, “I dropped my router while dusting and now my Wi-Fi is out!”
It’s ok folks… we help you out of love and also to avoid awkwardness at Thanksgiving dinner.
You may imagine that I was not surprised when I was faced with yet another complaint from my friend Matt on a Sunday morning, over sangrias: “You told me WhatsApp was safe. But I keep reading in the news about messages getting exposed? Recently, a politician had to resign over leaked messages! So – is it safe? Or is it not?”
It’s a fair question. There is a lot of confusion around this subject and encryption in general.
If you lock your front door, and you believe that your lock is secure, you would expect to come back and find your belongings where you left them. And if a communication solution is secure, you would expect your communications to be secure and your messages not to be the subject of a leak. However, Matt was misquoting me in his complaint.
I never said that “WhatsApp is safe”.
What I said – specifically – is that WhatsApp’s end-to-end encryption scheme is excellent, and that users who take full advantage of it (including the rarely-used but incredibly important security code verification option) can expect adequate protection against eavesdropping. This does not, however, mean that the security is complete.
Encryption in transit is important and should be part of any information security plan. But encryption in transit alone is far from enough: if, right next to your locked front door, you leave a window wide open, or if you unknowingly invite a thief for dinner, you shouldn’t be too surprised to discover that some of your belongings have grown legs and left your residence. The lock on your front door will not save you. And in this instance, neither will WhatsApp’s encryption.
Many incidents in the news, including the one that Matt was referring to, are not stories of eavesdropping and unauthorized data theft, but rather incidents of confidential information leaked by the intended recipients or another authorized person. The leaked information was accessed appropriately and with permission; it was the specific use of the information that was not authorized.
Information misuse by authorized users is a real problem, and encryption in transit does absolutely nothing to mitigate it. There are, however, a few other strategies that may help, all centered around controlling the content. Here are a few examples:
- Containment: Keep confidential information contained within authorized networks, denying users the ability to share, forward or copy information outside of system boundaries.
- Expiry: Limit the amount of time that information lingers within users’ control and avoid “information hoarding” by implementing content expiration time limits based on corporate policies. These remove data footprints from all remote devices, leaving only a copy in the corporate system of record if compliance is required.
- Compliance: A single copy of any communication should be archived into a secure, client-designated location for access, legal, compliance and reporting requirements.
- Separation and reduction: When complete access is not required, grant access to only parts of the confidential document.
To find out more about how controlling your content helps strengthen your security profile in addition to encryption, contact Vaporstream. For more information on our multi-layered security model visit www.vaporstream.com\security.
Contributor: Avi Elkoni