Coming to grips with encryption

"Rich Baldry is a talented chap. He’s not only a product manager based in our Vancouver offices, but he can also play the tuba and walk at the same time. Now he can add another skill to his repertoire, as he joins us as a guest blogger. Over to you Rich..."

Rich Baldry
I’ve been around at Sophos since we were in the encryption business for the first time.

In those days, our tradeshow booths would showcase encryption products alongside the revolutionary network-based anti-virus products that we sold at the time. I remember having many long and enthusiastic conversations with IT managers and security officers about the benefits and importance of encryption. Unfortunately I can remember very few of them ever turning into sales.

The problem is that encryption is one of those ideas that promises fantastic results – prevent your data falling into the wrong hands – but the organizational costs to realise those results are just too great.

Encrypting a block of data is easy. Doing it with the right key, in a way that defeats analytical attacks, without exposing the keys to compromise in transit or at rest, and then ensuring that the data is decryptable at the right time, by the right person, and viewed only by that person, is much, much harder.

At Sophos Vancouver we are in the process of rolling out BlackBerries within the product management and engineering teams. This handy device ensures that my private life is never uninterruptible and that I can learn instantly about problems with the office air conditioning while home sick with the flu.

BlackBerries have pretty strong encryption, so I can carry all of this information around with me, confident that it is encrypted and safe from prying eyes if I leave it on the bus. But this can only be achieved by forcing the device to lock itself after a couple of minutes of inactivity.

The big drawback, apart from having to continually re-enter my password, is that when someone calls me on my BlackBerry I can only see their phone number. This is because while the phone is locked, the address book data is encrypted too.

I can understand why this happens, because I’ve lived on the fringes of the world of cryptography for 15 years, but I can also see why many other BlackBerry users, including some of my colleagues, find it stupid and unhelpful. If it weren’t for the BlackBerry’s corporate policy enforcement capabilities they would probably just forgo the tiresome password protection altogether.

Blackberry and coffee

The importance of encryption was brought home to me by an article I read in the Toronto Globe and Mail the other day.

It reported on a recent spate of cases where IT staff allegedly enabled insider trading in their employer’s stock based on privileged information gleaned by reading emails in transit between executives. When we think about email encryption, it is usually in the context of messages sent outside the organization, where the logistics of key management become really complex, but these incidents could have been prevented with some fairly simple measures inside the organization.

The same sort of thing could so easily happen if an executive left an unprotected BlackBerry on his desk for a few minutes.

The fact is that if we are to go on safely enjoying the benefits of the continuing digital revolution, we are going to have to come to grips with encryption.

Vendors like Sophos need to work hard to eliminate unnecessary inconvenience and make deployment easier, and great strides have indeed been made by our friends at Utimaco since Sophos first entered the market in the late 1980s.

But we also need to help users understand the inconveniences we can’t magic away, and the protection those measures provide in return.

* Image source: Håkan Dahlström’s Flickr photostream (Creative Commons 2.0)