This article was originally featured on Help Net Security
It is a mathematical certainty that data is more protected by communication products that provide end-to-end encryption (E2EE).
Yet, many CISOs are required to prioritize regulatory requirements before data protection when considering the corporate use of E2EE communications. Most Fortune 1000 compliance and security teams have the ability to access employee accounts on their enterprise communications platform to monitor activity and investigate bad actors. This access is often required in highly regulated industries and E2EE is perceived as blocking that critical corporate access.
Unfortunately for enterprise security and compliance teams in most companies, unsanctioned communications platforms like WhatsApp are being used outside sanctioned channels to conduct sensitive business in contravention of corporate policies. Just recently Morgan Stanley executives were removed from the firm for using WhatsApp.
Employees have come to understand that their IT, compliance and security teams are not the only ones who have special access to their communications. They know that Slack, Microsoft, Google, etc., can also access their data and communications. As such, many have turned to consumer E2EE products because they are not comfortable conducting sensitive business on systems where the service provider is both listening and responsible for security.
Why consumer apps running rampant is bad for business
Taking sensitive business to consumer products is risky. These consumer-grade platforms are not purpose-built for secure and compliant communications. They prioritize engagement and entertainment, resulting in an ongoing pattern of security flaws, like person-in-the-middle attacks and remote code execution vulnerabilities. WhatsApp users have borne the brunt of these security vulnerabilities for years.
CISOs have been left to choose between turning a blind eye to employees using consumer E2EE products like WhatsApp or, worse yet, relenting and creating policy exceptions that they hope will placate regulators. Yet this approach is an endorsement of long-term use of non-compliant and insecure consumer products.
End-to-end encryption is more flexible than you think
Corporate security teams have operated under the misconception that E2EE is rigid: that the absence of a backdoor implies there is only a one-size-fits-all implementation of the world’s most reliable cryptography. In reality, E2EE is flexible and can be deployed in concert with corporate policies and industry regulations.
CISOs don’t need to choose between compliance and strong encryption. Organizations, regardless of industry, can use E2EE that adheres to regulations and internal policies and integrates with IT workflows. This means that the corporate decision to use E2EE can be focused on protecting data from adversaries, competitors and service providers, instead of being driven by a fear of breaking the rules.
Choosing an E2EE-enabled communications platform
When it comes to choosing an E2EE-enabled communications platform, security professionals need to assess vendors’ claims, capabilities and motivations. While some mainstream platforms advertise E2EE, they only encrypt the traffic from endpoint to server. This is called client-to-server encryption (C2S): the service provider decrypts every message in transit, so it sees the plaintext. This happened most notably with Zoom earlier this year when they sold their product as E2EE.
Most reasonable security professionals agree this was not a malicious attempt to trick end users, but rather a genuine lack of cryptographic understanding and sophistication. The company decided that a green lock symbol would make end users feel good – despite a C2S architecture that was prone to person-in-the-middle attacks.
Providers who are not in the business of securing critical user information will almost certainly make claims they do not understand and ship solutions that “don’t suck” rather than serious security technology.
CISOs who embrace E2EE will benefit from the certainty of math. It’s important to ensure that the service provider is capable of, and committed to, providing true E2EE.
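To make the C2S/E2EE distinction above concrete, and to show the flexibility the earlier section describes, here is an added example (not code from the original article or from any vendor it mentions) that models both architectures with a toy HMAC-based cipher. It assumes a relay server, two users and an enterprise "compliance" recipient, all with constructed keys; under C2S the relay decrypts and re-encrypts each hop, while under E2EE a per-message key is wrapped only for authorised recipients, which may include the organisation's own compliance key but never the provider's.

```python
import hmac, hashlib, os

# Toy authenticated encryption built on HMAC-SHA256 (illustration only, not a real AEAD).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def relay_c2s(sender_hop_key: bytes, recipient_hop_key: bytes, msg: bytes):
    # C2S: each hop is encrypted, but the provider's relay holds both hop keys,
    # so it decrypts, sees the plaintext, and re-encrypts for the recipient.
    provider_view = open_(sender_hop_key, seal(sender_hop_key, msg))
    delivered = open_(recipient_hop_key, seal(recipient_hop_key, provider_view))
    return provider_view, delivered

def send_e2ee(recipient_keys: dict, msg: bytes) -> dict:
    # E2EE: fresh message key, wrapped once per authorised recipient (hypothetical
    # design; a compliance recipient gives the organisation audit access, the relay none).
    mk = os.urandom(32)
    return {"body": seal(mk, msg), "wrapped": {n: seal(k, mk) for n, k in recipient_keys.items()}}

def read_e2ee(name: str, key: bytes, envelope: dict) -> bytes:
    return open_(open_(key, envelope["wrapped"][name]), envelope["body"])

def provider_can_read(envelope: dict, provider_key: bytes) -> bool:
    # The relay only ever holds its own key; try it against everything it stores.
    for blob in [envelope["body"], *envelope["wrapped"].values()]:
        try:
            open_(provider_key, blob)
            return True
        except ValueError:
            pass
    return False

if __name__ == "__main__":
    keys = {n: os.urandom(32) for n in ("alice", "bob", "compliance", "provider")}
    msg = b"Q3 guidance: hold the announcement until Friday"  # constructed sample
    print("C2S provider sees plaintext:", relay_c2s(keys["alice"], keys["bob"], msg)[0] == msg)
    env = send_e2ee({"bob": keys["bob"], "compliance": keys["compliance"]}, msg)
    print("E2EE compliance reads:", read_e2ee("compliance", keys["compliance"], env) == msg)
    print("E2EE provider reads:", provider_can_read(env, keys["provider"]))
```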
There are three important pillars to a strong E2EE solution:
- Both the cryptographic protocols and the results of third-party security reviews are public
- Their servers do not store data
- The service provider’s business model isn’t reliant upon access to customer data
This is to say that the CISO’s zero trust security policy should be extended to the service provider. If your Unified Communications service provider can access, mine and analyze your data, then it is part of your attack surface. We know that this provider access can become the path to unauthorized access. Strong E2EE eliminates the service provider risk with mathematical certainty.
Compliance-ready E2EE is a relatively new phenomenon. But it is more important than ever for CISOs to weigh the risk of giving service providers access to all of their company’s data against the unparalleled benefits of taking control of that data while adhering to corporate compliance requirements.
When it comes to providing no-compromise security for enterprise communications, E2EE is a must-have for organizations, and now implementing it can be done without breaking the rules. Further, when organizations deploy enterprise E2EE with forethought, they can pull end users off dangerous products like WhatsApp, WeChat and Telegram by giving their employees the security and privacy they need and deserve.