And here we are again: Despite all the assurances from the German Ministry of the Interior of the intention to strengthen encryption, once again the attempt is being made to do exactly the opposite. The reason, according to the Minister of the Interior, De Maizière is that “terrorists are sometimes technologically more advanced than the secret services”.
A joke? No, it’s meant in earnest. Terrorists apparently use modern message services for their communication and these are increasingly encrypted in such a way that access to the content is impossible for the secret services. As a result of the end-to-end encryption being used, the operators of the services find themselves unable to provide authorities with access to the data being transferred. Which is good, one could say, because the whole purpose of end-to-end encryption is specifically to protect the communication and data of users so that even the operators of the service cannot access them.
However, the German and French Ministers of the Interior want to change this: In future, short message services should be required to support security services with their investigations. They should in future also be forced, when applicable to decrypt messages. Without weakening encryption, this won’t work.
However, if the encryption were to be so weakened through, for example, the building in of back doors or the storage of duplicate keys that authorities were enabled access to data, this would have unwanted consequences:
- Avowedly technically literate terrorists use other means to communicate securely. The weakening of encryption would therefore miss its target, namely the prosecution of terrorists and the prevention of acts of terror through the tapping of communication.
- The rest of the population can be more easily surveilled – not only by secret services, but also, in particular, the service operators and anyone that – authorized or not – has access to their systems
In all processes that weaken encryption, the question arises as to how unauthorized persons can be prevented from exploiting the weakness for their own purposes. A duplicate key, for example, would need to be stored not only by the respective national authorities, but also by the authorities of all other potentially involved countries. Even with regard to terror prevention this would be problematic – what about, for example, countries that are under suspicion of supporting terrorists? The list of these countries is quite long – and not unified from country to country.
These and other questions cannot be solved and we’ve know that for more than twenty years. In the nineties, the attempt to prohibit strong encryption and only permit weak encryption was in the end abandoned for this very reason.
Why this nonsense is, after decades, dicussed again and again is therefore incomprehensible. Perhaps it’s as a result of a lack of comprehension of the technical basis. It is therefore good news that our secret services are increasing the recruitment of staff with competence in the area of cybersecurity. The need is clear.
The experts at Hornetsecurity lead the way with their views on cloud computing in the B2B environment
Quo Vadis IT? Next to “Industry 4.0” and “Internet of Things”, cloud computing is among the most important trends for the industry and medium sized businesses. While it has suffered a setback as a result of the NSA scandal and the related data security and privacy concerns, the experts from Hornetsecurity remain convinced that the cloud will continue to grow. The Hannover-based company has been relying on the cloud principle for its products since 2004. In the following, Oliver Dehning, the Managing Director of Hornetsecurity discusses seven important arguments with regard to the future of cloud computing.
- Cloud and mobile go hand in hand
Mobile devices are omnipresent these days – and their use will continue to grow. Most apps on these devices need access to backend services. These services must be accessible from the outside, otherwise the mobile access would be cumbersome and cloud services are an ideal solution in this regard. Therefore, mobile computing is a key driver of cloud computing.
- Private cloud is a misconception
Key features of the cloud are lost when it becomes “private”. These include synergies as a result of bundling the needs of many different users, as well as the dynamic cost structure: those who use a service pay for it, and those who do not use a service do not pay. A private cloud must be designed for peak demand. The costs of this infrastructure continue to accumulate, even when it is not fully utilized. Private cloud is therefore, largely consistent with traditional, internally run IT.
- Future of distribution in the cloud: cloud marketplaces and cloud brokers?
Does cloud computing deliver new, effective distribution channels and will this mean a departure from the more established channels? One thing is certain: thanks to consumerization of IT, cloud service providers move closer to the consumer, making it increasingly easy for the consumer to buy and use services without an intermediary. Traditional distributors must adapt to this development, while some of their aggregate functions for providers, customers and systems integrators will continue to be useful such as the bundling of demand and supply and elements such as marketing, sales, training and financing.
This will lead to the emergence of cloud marketplaces and cloud brokers: marketplaces will bundle the offers of various cloud providers with a view to increasing the visibility and findability of the individual services. The added benefit of pure marketplaces is limited, however. Cloud brokers, therefore, go beyond pure marketplaces: they aim to provide joint control functions in addition to acting as an intermediary for market participants. For example, once a user has been created, it could be activated to use multiple cloud services. While this approach is useful and effective, it is problematic in practice, because the individual services currently still differ too much from one another. Cloud brokers can only bundle a few basic functions, as the interface of the cloud provider has to be used in order to access some of the more fundamental functions.
Conclusion: While distribution has moved to the cloud, it is still in its infancy. It remains to be seen whether multi-level distribution channels will be successful in the cloud.
- Growing importance of APIs
Cloud APIs allow the coupling of services from a range of individual providers. While this means that the user may no longer be able to tell which services are being used in the background, it gives providers of cloud solutions the freedom to use modules to put these solutions together. At present, the industry is working to provide standardized cloud APIs. Nevertheless, the activity is still limited to basic services such as storing data. Overall, however, this area of cloud computing has a great potential for the future due to synergy effects that can be achieved.
- IT security needs a new approach
The protection of critical data requires new strategies because the servers are directly accessible via an internet connection and the data can be accessed by anyone. One way is to encrypt the data, another approach is the secure identification of the user, which allows only authorized and authenticated users to access and use the data. At the same time, the responsibility of each individual is increasing: technical measures do not guarantee full protection as they can be always bypassed. Each user is therefore responsible for ensuring that existing security devices are used and not bypassed. Providers must ensure that IT security is built in at all levels and easy to use. The more user-friendly security is the more likely it is that it will be used. When in doubt, ease of use should take precedence over absolute security.
- Data protection rules must be reconsidered
Cloud services are provided across many levels. Many different service providers work together to provide the final service to the user. The individual user can hardly distinguish anymore where the data is processed, transferred or stored. The German Data Protection Act comes from a time when this situation was still inconceivable. For this reason, new rules must be found that meet the current needs.
- The cloud is secondary. We speak about IT.
In the future, cloud computing will be widespread and will not be anything special anymore. If cloud computing is the dominant paradigm in IT, it does not need a special label anymore: we speak about IT – and that is in the cloud.
The survey by Hornetsecurity shows that many employees store corporate data in file-sharing services – without the IT department knowing about it.
From their home office, on the train or during an appointment at the customer: The desire for mobile access to corporate data is certainly not new. What is relatively new is that it can easily be implemented by employees. File sharing and sync services like Dropbox or Google Drive make it easy and employees are familiar with them from their private environment. According to a recent survey by Hornetsecurity, 30% of respondents use online file sharing, of which 40% do so without the knowledge of the company’s IT department. This is confirmed by data from an IDC survey dating from December 2013, according to which about half of the respondents used file-sharing and synchronization solutions without the knowledge of the IT department. Both studies carried out in Germany show that shadow IT has long been a reality.
The uncontrolled storage of company data in file-sharing services is risky. In a Guardian interview from July 2014, for example, Edward Snowden explicitly warned about the use of Dropbox as constituting “a threat to privacy.” The problem for many online file sharing services: Although data is transmitted from and to users in encrypted form, it can be read by service providers, who are even based outside of the EU. Edward Snowden’s revelations clearly demonstrated the resulting possibilities. IDC had already stated the following back in 2012: “Security features of cloud file services are optimized around preventing common security violations in support of sharing and collaborating on public or semiprivate content and not for highly secure content.”
There are also compliance requirements. For example, the storage and processing of personal data outside of the EU legal sphere is problematic from the perspective of many privacy advocates.
Even Edward Snowden has pointed out what a secure service should look like: So-called “zero-knowledge” technology ensures that providers are not given a look at data. This is implemented by ensuring that the keys used for encryption remain exclusively in the hands of the user and the provider is not given access to the keys. From compliance perspective, it is also desirable for German companies that the provider is also a German company and the storage location is in Germany or at least in the EU.
Companies are therefore well advised to not only accept the need for mobile access to corporate data, but to consider such options as an important component in their IT strategy. They should actively seek to provide secure file-sharing services. This is the easiest way to dissuade employees from using unsecure services.
Hornetdrive, the online storage service from Hornetsecurity, takes into account both the security needs of businesses and the service requirements of users. Data stored online is automatically synchronized with the systems of users and is also available there offline. The invitation feature allows data to be shared with others. All transferred files are encrypted before transmission. The key remains in the user’s device – no third parties are given access. Even Hornetsecurity as the operator cannot access data stored online. The files are stored in secured data centers in Germany.