In the wake of several high-profile data breaches — from the Target fiasco last year to the recent Sony Pictures hack — the status quo for data security and privacy looks a little grim. How can businesses keep sensitive data safe when hackers keep getting savvier? According to the advisory boards that influence the structure of the Internet, one answer lies in data encryption.
In November, the Internet Architecture Board (IAB), a committee that oversees Internet development and engineering, released a statement recommending that data encryption become the ‘norm’ for Internet communications. Since the IAB’s call for more encryption, other bodies that oversee the Internet, including the Internet Society, have released statements cosigning the recommendation.
Citing an increase in both the number and the sophistication of cyber crimes, as well as a need to “restore the trust users must have in the Internet,” the IAB urged protocol designers to build data encryption into the fabric of the Internet itself, developers to build encryption into their applications and firewall administrators to permit encrypted traffic on their networks.
To understand how developers, engineers and administrators can accomplish what the IAB’s asking for, it’s important to know how data encryption works — including what it does to protect data and how it is incorporated into digital communication, from email to cloud storage and applications.
Data Encryption: The Basics
Data encryption involves two basic components: a cipher, or the code you use to scramble data into unreadable gibberish, and a key, which converts that gibberish back into usable data. This adds an extra layer of security to your data — if a hacker gains access to your password, they can easily log into that account. If a hacker gains access to your encrypted password, they’d need the encryption key to use it.
One form of data encryption you may be familiar with is Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). When you look at the address bar in your browser and see “https” instead of “http” (take a look next time you’re checking out on Amazon or paying your credit card bill), it signifies an encrypted connection through TLS.
TLS works by using digital certificates — pieces of code that signal a web server is trusted by a certificate authority. When your browser establishes the secure connection, it checks to see that the server is trusted and the certificate is valid, then uses a public key cipher to encrypt the data. The data is decrypted at the host server for the site you’re accessing. After the end of the encrypted session, both servers discard the key.
TLS is one example of how data encryption is built into the way the Internet operates, but it is only a piece of the puzzle. TLS operates opportunistically – if two servers can both communicate using the protocol, then they use it. But a typical email may hit dozens of servers, many of which do not support TLS. As a result, data may sit on these servers in the clear, and is therefore exposed.
Client-side encryption enables protection from the outgoing user’s device all the way to the device on the other side of the conversation. In email, client-side encryption examples include PGP, S/MIME, and Virtru.
Is Encryption Catching On?
In the past year, services like Google Cloud storage, SkyDrive, Dropbox and iCloud have offered encryption as part of their cloud storage services. WhatsApp has introduced encryption for its messaging service on Android phones, and is planning to roll out a similar update for iOS.
One area that still needs work is email. None of the most popular email services, like Yahoo and Outlook Mail, include client-side data encryption as a built-in option to secure sensitive data (while Microsoft has added TLS encryption to Outlook.com, it doesn’t work unless the receiving email service also supports TLS).
To encrypt your email, your best bet is to look at third-party applications that integrate with the email service you’re already using. By requiring email recipients to verify their identities before decrypting an email, Virtru provides true client-side data encryption for email messages and file attachments. Installing a simple browser extension lets users client-side encrypt Gmail or messages sent from Google Apps for Work (now known as G Suite). Virtru also lets users encrypt email sent from virtually all other email providers. Get a closer look at platforms Virtru currently supports here.
Encryption: Coming Soon to an Internet Near You?
IAB’s goal of a completely encryption-friendly Internet is still far off, both for technological and political reasons (agencies are uneasy about encryption without back doors for intelligence gathering). However, it’s clear that the demand for data encryption, both from Internet advisory boards and from privacy-minded consumers, is compelling developers to make their products more secure. In the meantime, stay in line with best security practices, use encryption wherever possible and be mindful of your data. A universally encrypted Internet may mean a more secure Internet, but we need to do much more work to get there. Until then, privacy conscious individuals and businesses will need to take matters in to their own hands.