Is your email secure? Or, put another way, if you were Hillary Clinton, would you be comfortable defending your email security at a Congressional hearing?
Of course, the first thing you would probably say is that you have secure, encrypted email. Think of it as a lock: you hand a key to one person so that only they can open it. That is roughly the guarantee an encrypted connection is supposed to give you.
Here is the problem. Cryptanalysts have built computational engines that, for a given lock design, can work out in advance which keys fit it. The really unfortunate part is that a great many servers use the same (or a very similar) lock, meaning the same set of cryptographic parameters, so one expensive precomputation against that lock yields a working key for every connection that relies on it. And there goes your email security.
Are these computational engines expensive? You bet. But economies of scale work in the attacker's favor, and their use is not necessarily limited to nation states. Large companies such as Apple, Google, Amazon, and Facebook have plenty of money and spare computing resources to carry out cryptanalysis if so inclined. It is quite possible that this type of service is already available on a pay-as-you-go basis (or will be soon), making it available to anyone who can afford it. Can you spend your way out of this problem? Sure, if you can accept a large performance hit. For example, moving a typical dedicated mail server from 1024-bit to 2048-bit keys reduces transaction volume by a factor of about 5, and 4096-bit costs several times more again, since private-key operations grow roughly with the cube of the key length. The problem here is not so much one of encryption level, type, or mathematics, but of TRUST. Most experts believe that 2048-bit security is adequate… until it's not.
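To make the "one lock, many keys" economics concrete, here is an added toy example; it is not code from this article or from any research it alludes to. It models the shared "lock" as a small discrete-logarithm group used by many servers (an assumption about what the lock stands for), builds one table for that group once, and then recovers each target's secret with only a handful of steps. The prime size, table size, generator and function names are all assumptions; a real 1024-bit group needs the number field sieve rather than this baby-step/giant-step table, but the cost structure, one big precomputation per group and a small cost per target, is the same.

```python
"""Toy model of a precomputation attack on a group shared by many servers.

Added example, not code from the original article. The prime is tiny so it
runs in seconds; the point is the cost structure: one expensive table per
group, then a cheap per-target step for every key exchanged in that group.
"""
import random


def is_prime(n: int) -> bool:
    """Miller-Rabin with bases that are deterministic for n < 3,215,031,751."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple:
    """Return (p, q) with p = 2q + 1, both prime and p >= start (toy group)."""
    q = start // 2 | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


class GroupPrecomputation:
    """Baby-step table for one (p, g): built once, reused against every target.

    With a table of m entries, recovering one secret costs at most order/m
    giant steps, so a larger one-time table makes every later break cheaper.
    """

    def __init__(self, p: int, g: int, order: int, table_size: int):
        self.p, self.g, self.order, self.m = p, g, order, table_size
        self.table = {}
        cur = 1
        for j in range(table_size):            # baby steps: g^j -> j
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -table_size, p)    # g^(-m) mod p
        self.precompute_cost = table_size

    def solve(self, h: int) -> tuple:
        """Recover x with g^x = h (mod p); return (x, giant steps used)."""
        y = h % self.p
        for i in range(self.order // self.m + 1):
            if y in self.table:                # h * g^(-i*m) == g^j  =>  x = i*m + j
                return i * self.m + self.table[y], i + 1
            y = y * self.giant % self.p
        raise ValueError("h is not in the subgroup generated by g")


def break_many_secrets(n_targets: int, seed: int = 1) -> dict:
    """Build the table once, then recover n_targets independent secrets."""
    p, q = find_safe_prime(2**24)   # assumed toy group size (~24-bit prime)
    g = 4                           # a quadratic residue mod a safe prime: order exactly q
    rng = random.Random(seed)       # seeded so the run is reproducible
    pre = GroupPrecomputation(p, g, q, table_size=2**18)
    results = []
    for _ in range(n_targets):
        secret = rng.randrange(1, q)           # a party's private exponent
        public = pow(g, secret, p)             # what an eavesdropper sees
        recovered, steps = pre.solve(public)
        results.append((secret, recovered, steps))
    return {
        "p": p,
        "precompute_cost": pre.precompute_cost,
        "max_steps_per_target": q // pre.m + 1,
        "results": results,
    }


if __name__ == "__main__":
    out = break_many_secrets(5)
    print(f"group p={out['p']}, one-time table of {out['precompute_cost']} entries")
    for secret, recovered, steps in out["results"]:
        print(f"secret {secret:>8} recovered {recovered:>8} in {steps:>3} giant steps")
```

Running it shows a table of 262,144 entries built once for the group, after which each of the five secrets falls in at most 33 giant steps. Doubling the table halves the per-target cost, which is exactly why an attacker who can afford the up-front work wants as many victims as possible sharing one set of parameters.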
According to computer security professor Alex Halderman, this changes the game for everyone. “Vulnerability on this scale is indiscriminate – it impacts everybody’s security, including American citizens and companies – but we hope that a clearer technical understanding of the cryptanalytic machinery behind this surveillance will be an important step towards better security for everyone.”
So, who do you trust to make these sorts of email security decisions for your company’s future?
Have you performed an adequate risk assessment and used those findings to develop a strategic plan that can be economically implemented and followed? Is your staff capable of making unbiased, non-vendor-led decisions that may or may not have an impact on their careers? No really, who is making these decisions for you? Let’s hope it’s not Hillary’s IT guy, who just pleaded the Fifth.
Find out more about developing a road-map, and how to select a firm to do this analysis, in the next part in this series.