Homegrown Crypto Isn’t Worth the Security Risks

In a business landscape where the speed and efficiency of collaboration are often the keys to success, 90% of organizations are undergoing digital transformations and moving to cloud—or hybrid—environments. However, the increased complexity of these new environments leaves many organizations with a significant gap when it comes to securing data in the cloud. In fact, 57% of organizations report that cloud security is a boardroom-level discussion.

With 83% of organizations expected to manage their workloads in the cloud this year, security—specifically, whether sensitive data is protected with the appropriate level of encryption—is a top concern. Yet, there is one significant market trend that places security at risk: A 2019 survey conducted by ESG revealed that 53% of organizations are facing a cybersecurity skills shortage, to the tune of 2.93 million unfilled cybersecurity positions around the world.

Impact of Multi-Cloud Environments on the Security Skills Gap

Moving to the cloud introduces new requirements for network administration and management expertise, and security teams aren’t the only ones with a skills gap. IT departments are experiencing similar challenges. When it comes to managing cloud networks, nearly a third of organizations struggle with hiring individuals experienced in managing hybrid infrastructures, 41% of organizations struggle with filling DevOps roles and 37% have open roles for individuals skilled in container administration. Therefore, it’s no surprise that a security professional with cloud management skills is hard to come by and, as a result, cloud security can often fall by the wayside.

To bridge the skills gap, executives expect DevSecOps to know and do it all, which introduces another gap, this time in perception.

Don’t Expect Developers to Build Their Own Crypto

Expecting developers to successfully roll their own crypto simply isn’t realistic. What’s more, executives are starting to feel that they’re investing in these hot new technologies but aren’t reaping the expected business benefits. This disconnect is bad for security, and ultimately bad for business. 

Take, for example, Telegram, a popular messaging app that is often criticized for its homegrown crypto. In 2015, two researchers audited Telegram and found that the app uses “a unique custom data protocol” and, as a result, is not secure because it was “possible to turn any ciphertext into a different ciphertext that decrypts the same message.”
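The property in that quote can be checked mechanically. The sketch below is an added illustration, not code from the original article and not Telegram's protocol: a constructed toy scheme (`homegrown_*`) whose check value skips its random padding is compared with an encrypt-then-MAC construction (`etm_*`) that stands in for a vetted AEAD from a maintained library and uses only the Python standard library so that it runs without dependencies. All function names and the message layout are assumptions made for the example.

```python
import hashlib, hmac, os

PAD = 16  # random padding bytes in the constructed homegrown scheme

def _crypt(key, nonce, data):
    # Toy stream cipher (SHA-256 in counter mode), for illustration only.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def _mac(key, data):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def homegrown_encrypt(key, msg):
    # Constructed flaw: the check value covers the message but not the padding.
    nonce, check = os.urandom(16), hashlib.sha256(key + msg).digest()[:16]
    body = len(msg).to_bytes(4, "big") + msg + os.urandom(PAD)
    return nonce + check + _crypt(key, nonce, body)

def homegrown_decrypt(key, ct):
    body = _crypt(key, ct[:16], ct[32:])
    msg = body[4:4 + int.from_bytes(body[:4], "big")]
    if not hmac.compare_digest(ct[16:32], hashlib.sha256(key + msg).digest()[:16]):
        raise ValueError("rejected")
    return msg

def etm_encrypt(key, msg):
    # Encrypt-then-MAC: the tag covers every byte the receiver will parse.
    nonce = os.urandom(16)
    enc = _crypt(key, nonce, msg)
    return nonce + enc + _mac(key, nonce + enc)

def etm_decrypt(key, ct):
    if not hmac.compare_digest(ct[-32:], _mac(key, ct[:-32])):
        raise ValueError("rejected")
    return _crypt(key, ct[:16], ct[16:-32])

def accepted_bit_flips(encrypt, decrypt, key, msg):
    # Flip each ciphertext bit in turn; record flips that still yield msg.
    ct, accepted = encrypt(key, msg), []
    for i in range(len(ct) * 8):
        mod = bytearray(ct)
        mod[i // 8] ^= 1 << (i % 8)
        try:
            if decrypt(key, bytes(mod)) == msg:
                accepted.append(i)
        except ValueError:
            pass
    return accepted
```

Calling `accepted_bit_flips` on the toy scheme returns every bit position in the padding, each one a different ciphertext that decrypts to the same message, while the authenticated construction returns an empty list.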

Custom encryption schemes may be perceived as innovative when in reality they are a risk to your organization’s security. And when there are more secure and efficient encryption options available to you that have been diligently studied and debated, why take on the unnecessary risk?

Crypto is Best Left to the Security Practitioners

Developers have lots of options for encryption, but when it comes to privacy and sharing data securely in the cloud, their choices are more limited and essentially boil down to three: relying on their cloud provider, turning to a security solution provider, or building it themselves. All of these options have downsides, including:

  • Vendor lock-in.
  • Lack of advanced access controls.
  • No granular visibility for audit logs.
  • Without end-to-end encryption, sensitive data may still be visible to third parties.
  • A need for cryptography and key management expertise.
  • Poor user experience and, as a potential result, low adoption.

All this to say, if you’re thinking about building your own encryption scheme for a custom in-house application—or even to make a bold statement—don’t do it. Leave it to the professionals. Security talent is hard to find and homegrown crypto is even harder to execute. Even once it is executed, you have to continually invest in the specialized expertise to maintain that new custom solution forever.

Organizations with a need to secure data within custom applications can rely on Virtru for key management infrastructure used by over 5,000 customers and out-of-the-box control and end-user features. To learn more about protecting your application data with Virtru, visit the Virtru Developer Hub for a free trial or read up on the latest use cases over on the Virtru Technology Blog.
