Not All End-to-end Encryption is Created Equal

You can’t read anything these days that doesn’t refer somehow to COVID-19 and what’s happening with the virus. At the same time, I feel like anything that doesn’t address the virus and its effect on our lives is sort of missing the point, so this is my attempt to straddle the line.

Big shocker for you — lots of people are now working from home. Companies have had to quickly invest in video teleconferencing capability to support their new remote workforce. The immediate solution was to extend the products already in place such as Skype, Slack, and WhatsApp since folks were already familiar with them and they seemed to work fine before.

That lasted for about a week, until Zoom had all of their issues — which made everyone take a step back and wonder if the systems they were using were actually appropriate for the new virtual world we all were living in for a while. The message we got from experts was that we needed something that had end-to-end security (E2E). Great! So what the heck is E2E security, how is it defined, and how do I know if it’s right for my company?

Information security experts knew exactly what they were looking for and could ask a few questions of vendors to figure out which had the security they needed. But those of us who don’t have a cyber or technical background were a little lost.

What is End-to-End Security?

I liken the definition of E2E security to reading the labels on food at the supermarket. There is a difference between what is organic vs. homegrown, non-GMO vs. local, etc. All of these appear on the packages of food we buy and all are supposed to mean something very specific, but there is very little oversight of how food providers actually use these terms, leaving it up to the consumer to really read the labels and determine what is most important to them. Simply buying something off the shelf because the food producer says it’s healthy is not enough.

It’s the same with E2E security. There are many definitions of E2E encryption (Wikipedia version) available from a number of reputable sources. Most of them will allude to a method of communication where only the communicating users can see the messages or be included on a call. Some will use other related terms such as at-rest/in-transit, cryptography, safe from hacks and eavesdropping, or third parties. Figuring out what works best for your business can be very complicated, like trying to figure out which granola is healthier: natural or organic.

How Can I Tell If a Platform is Truly Secure?

We have seen a great number of new commercial and government inquiries into Wickr since the world was forced to work from home less than two months ago. They are confused about what they need to protect themselves against breaches like we have seen from other communication platforms. I tell them to focus on the outcome they are looking for rather than the buzzword that the vendor is applying. Typical results of a secure communications platform include:

  • It does not get breached.
  • Prevents anyone not invited to a message or meeting from seeing or hearing the content.
  • Protects any specific personal information.
  • Maintains the history for only as long as required by law and makes sure only the users can have access to it; doesn’t even allow the provider to have access.
  • Works in any country around the world.
  • Supports big rooms full of people with the same security as individual conversations.
  • Looks like WhatsApp and SMS text, but is as secure as Fort Knox.
  • Did I mention not getting breached?

Focusing on the results and asking the vendors you are considering how they help achieve those results will help you determine whether a solution is right for your company. Let us know if we can help.