How smart is your data encryption and key management?
Tim Compston, Features Editor of SecurityNewsDesk, sits down with V. Miller Newton, President and CEO, of PKWARE – a leading provider of enterprise level smart encryption – and his colleague Matt Little, Product Development VP, for a round table discussion on what the future holds for data encryption and key management.
When I talk to V. Miller Newton, and Matt Little, it is just days after Milwaukee-headquartered PKWARE officially launched its new Smartcrypt solution which, according to the company, is designed to simplify the complex challenges of data encryption, including key management, and, crucially, help enterprises to combat the rising tide of insider and external threats.
Turning to V. Miller Newton, before we drill down to the issues at hand, he is keen to give me the heads-up on PKWARE and its long-standing encryption credentials: “We have provided encryption and compression software to more than 30,000 enterprise customers and 200 government entities around the world. We also invented the .ZIP file format which is really the company’s claim to fame. If you think about the origin of the company we started out at the data level and that is where we live, breathe, eat and sleep security. This is really the basis of what we do today.”
Persistent data security
To put encryption into a wider ‘cybersecurity’ context, Newton says that you really have to kick things off by looking at the evolution of enterprise security: “It started by protecting the perimeter in the form of anti-virus and anti-malware, protecting the network, and then the system, and then the devices, and that is where historically the bulk of the spend on both enterprise and government has been in security.” Newton adds that, in spite of this, we are seeing security breaches at a level unlike any other time in our history: “Our adversaries are still penetrating our systems and they are living on them today.”
His remedy in the contemporary world of the cloud, Internet and mobile devices, is in his words to ‘armour the data at its core’: “This is with persistent security that follows the data every place that it is used, shared, or stored. The days of ‘castle and moat’ security, the days of security at rest, are gone because information moves around the world all the time as do the people who use it,” says Newton. He adds that protecting the perimeter no longer works: “My biggest customers are shutting down their data centres and are moving storage and computing to the cloud – that requires you to think about security differently,” says Newton.
Newton emphasises that even now, unfortunately, encryption tends not only to be very complex but also widely misunderstood: “I am in conversations every day with CEOs, CIOs, CISOs and the heads of agencies in the government, and they talk about encryption. It is just really misunderstood, meaning that you can talk about encrypting the transport, you can do full disk or whole disk encryption, you can do device encryption, but this is all very different from implementing it [encryption] at the data level.” Putting some figures on the data encryption gap that is out there, Newton estimates that probably less than five percent of critical information worldwide – either public or private – is actually protected. He says however that things are starting to change for the better, albeit slowly.
Detailing some real-world examples, Newton tells me that PKWARE recently secured one of the largest licensing deals in the company’s history with a ‘top ten’ global bank: “That was driven by a significant data breach. The board mandate at the CEO level was to put a strategy and plan in place to protect their critical information.” Looking back, what he finds really interesting about this case is the way the ‘encryption conversation’ was quickly elevated from the ‘lunchroom’ or ‘security architect’ level to the board: “They put in a three-year plan to protect, translate, and encrypt critical information.” Newton laments that, in most cases, as here, it still takes a significant security breach, either their own or a peer’s, to drive companies and government agencies to take the necessary action.
Keeping it simple
Moving forward, Newton believes that one answer to this ongoing dilemma is to take the complexity out of encryption, a stance which PKWARE is adopting: “What we have learned in this world of convenience is if you require the end user to change the way that they work, to add a step to secure their information, they are just not going to do it, period.” Newton reckons that by integrating encryption into the application workflow itself, ‘this stuff’ can instead happen behind the scenes: “The end user doesn’t even have to know about it so the user experience is paramount in the encryption process.” Added to this, since key management and key exchange are difficult, Newton argues that ideally they too should happen without the user having to do anything: “The simplicity of the user experience on key management exchange really is our unique approach to encryption,” he concludes.
Information is key
Returning to PKWARE’s new Smartcrypt offering, which ties in with the ‘keeping it simple’ ethos, Matt Little – the company’s VP for Product Development – says that essentially this is a product which allows an organisation or an individual to focus on the information itself: “It acknowledges that the bad guys are inside the network – they have breached some of the other layers of the defences that you have put up – so this is sort of the last layer and it [Smartcrypt] wraps the information up persistently.” In practical terms, Little explains that this means whether the information is being emailed or put on Dropbox or a USB drive it stays protected: “It [the information] is only accessible to those individuals that hold the keys.”
Little – who also sits on the board of the National Cyber Security Alliance – tells me that, despite the fact that PKWARE is very much an enterprise software company, there is a strong recognition of the impact the actions of individuals can have here: “People are definitely at the top of the information security process problem. Good education is a critical part of a layered approach and that is why we [PKWARE] wanted to work with the NCSA [the National Cyber Security Alliance]. The NCSA is sort of a content arm of the DHS [Department of Homeland Security] here in the States.” Little emphasises that, ultimately, whatever your role in an organisation, whether that be a ‘knowledge worker’ or the ‘CEO’, the onus is on you to start developing ‘more of a security mind-set.’
The future is end-to-end encryption
Little rounds things off by reiterating the point that with data encryption it all boils down to a couple of key concepts: “End-to-end encryption is very important, it can’t just be at rest or encrypted in transit which is what everybody has been doing for the last 30 years, it has to be end-to-end encrypted.” The good news is that he believes the message is now finally breaking through, especially for enterprise-level concerns: “We saw in 2015 end-to-end encryption solutions starting to be adopted in their strategic projects for the coming year and beyond.” Contrasting this with what is happening in the consumer space, Little acknowledges that there is still some way to go compared to the enterprise level: “End-to-end encryption is ‘kind of a new concept’. People are only really familiar with it in their client applications like iMessage or WhatsApp but, encouragingly, it is getting there as well.”
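To make concrete the idea running through Little’s two points above (information that stays protected wherever it is copied, readable only by those who hold the keys, and end-to-end rather than merely at rest or in transit), here is an added illustration of data-level “envelope” encryption. It is example code written for this article, not PKWARE’s Smartcrypt code or file format, and says nothing about how Smartcrypt works internally. It uses only the Go standard library: the content is encrypted once under a random data key with AES-256-GCM, and that data key is wrapped separately for each authorised recipient and carried inside the same blob. The recipient names and 32-byte keys are constructed stand-ins; in a real deployment the per-user keys would come from an identity or key-management system.

```go
// Added example (not PKWARE's code): persistent, data-level encryption.
// The Envelope is a self-contained blob that can be emailed, synced to
// cloud storage or copied to a USB stick; only a holder of one of the
// wrapped recipient keys can recover the plaintext.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope travels with the data. WrappedDEK maps a recipient ID to
// nonce||AES-GCM(data key) under that recipient's own key.
type Envelope struct {
	Nonce      []byte            `json:"nonce"`
	Ciphertext []byte            `json:"ciphertext"`
	WrappedDEK map[string][]byte `json:"wrapped_dek"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// Seal encrypts plaintext under a fresh data key, then wraps that key
// once per recipient. recipients maps recipient ID -> 32-byte key.
func Seal(plaintext []byte, recipients map[string][]byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil),
		WrappedDEK: make(map[string][]byte, len(recipients)),
	}
	for id, kek := range recipients {
		wrap, err := newGCM(kek)
		if err != nil {
			return nil, err
		}
		wn, err := randomBytes(wrap.NonceSize())
		if err != nil {
			return nil, err
		}
		// Recipient ID is bound as associated data, so a wrapped key
		// cannot be re-labelled for someone else without detection.
		env.WrappedDEK[id] = append(wn, wrap.Seal(nil, wn, dek, []byte(id))...)
	}
	return env, nil
}

// Open recovers the plaintext for one recipient. Intermediaries that hold
// the blob but no recipient key (mail server, cloud provider) fail here,
// as does anyone who tampers with the ciphertext.
func Open(env *Envelope, id string, kek []byte) ([]byte, error) {
	blob, ok := env.WrappedDEK[id]
	if !ok {
		return nil, errors.New("no key wrapped for this recipient")
	}
	wrap, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := wrap.NonceSize()
	if len(blob) <= ns {
		return nil, errors.New("malformed wrapped key")
	}
	dek, err := wrap.Open(nil, blob[:ns], blob[ns:], []byte(id))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Marshal/Unmarshal: the envelope is just bytes to whatever carries it.
func Marshal(env *Envelope) ([]byte, error) { return json.Marshal(env) }
func Unmarshal(b []byte) (*Envelope, error) {
	var env Envelope
	err := json.Unmarshal(b, &env)
	return &env, err
}

func main() {
	// Constructed sample keys; real per-user keys would come from a KMS/IdP.
	alice := bytes.Repeat([]byte{0x01}, 32)
	bob := bytes.Repeat([]byte{0x02}, 32)
	env, err := Seal([]byte("board minutes: confidential"),
		map[string][]byte{"alice": alice, "bob": bob})
	if err != nil {
		panic(err)
	}
	blob, _ := Marshal(env) // what the mail server or cloud store sees
	stored, _ := Unmarshal(blob)
	pt, err := Open(stored, "bob", bob)
	fmt.Printf("bob with bob's key:   %q err=%v\n", pt, err)
	_, err = Open(stored, "alice", bob)
	fmt.Printf("alice with bob's key: err=%v\n", err)
}
```

The point the example makes is that neither the transport nor the storage needs to be trusted: the same bytes survive any number of hops and copies, and the only parties who can read them are those whose key unwraps an entry in the envelope. Revocation or adding a reader means re-wrapping the data key, not re-encrypting the content.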