Encryption Alone Won’t Ensure Business Continuity and Here’s Why

Did you know that the ‘uncrackable’ 128-bit Advanced Encryption Standard (AES-128) in fact turns out to be crackable? Granted, it would currently take 2 billion years using an enormous number (like a trillion) of computers. But before you heave a sigh of relief on behalf of your organisation’s information, think again. That’s the situation when nobody knows the encryption key you are using. What would the impact be on your business continuity if your key was known by other people who also were prepared to pass that information on to perfect strangers? If you are using services such as encrypted cloud data storage or online password managers, it may be time to find out more.

Let’s take cloud storage first. Google, for instance, offers automatic encryption which protects the stored data against unauthorised snooping. Government agencies, however, can obtain authorisation in certain cases and oblige providers like Google to hand over both the data and the encryption key. Exposure of confidential customer information (which may or may not be justified) can seriously damage an organisation’s reputation and its long-term business continuity. For those who don’t want this to happen, one solution is to do your own encryption before uploading your data. Software products like BoxCryptor or Cryptonite do this. Alternatively, some cloud data storage companies like newcomer Tresorit enable encryption of your data on your site and also leave the key with you, without ever uploading it into the cloud.

What then of online password managers? Once again, if your encryption key is available either to be hacked or to be provided in response to an official injunction, your information can be used by anyone who has your key. Potentially, that means access to your email systems, your customer data, your bank accounts and more. A number of online password manager companies have already spotted the problem and deal with it in a similar way to Tresorit above. LastPass’s CEO, for instance, says ‘We can’t give them what we don’t have’. mSecure, another online password manager, states that not only does it not have access to users’ data, but if users forget their mSecure password, the company is unable to get it back for them. Yet another reason why encryption alone is no guarantee of business continuity.