In recent years, we’ve become increasingly aware of the hidden costs of the convenience we get from Big Tech.
From Google’s shady data mining practices, to Colonial Pipeline’s infrastructure failure, to peeping toms in our inboxes, it’s clear that it’s up to consumers and businesses to protect themselves from overreaching Big Tech.
The National Security Agency calls for the defense industrial base (DIB) to use end-to-end encryption to secure data. Other industries, as well as individuals, should follow suit. But what is end-to-end encryption? How does end-to-end encryption (e2ee) differ from other forms of data protection and why is it more secure?
This piece will focus on providing answers to these questions.
Encryption in transit and encryption at rest are standard these days, but they aren’t enough to protect your data. With encryption at rest, the server holds the keys needed to read the data, so the data is effectively unprotected on the server. Once a hacker infiltrates the server, they can camp out there indefinitely, reading the messages.
End-to-end encryption, by contrast, is the gold standard for protecting communication. In an end-to-end encrypted system, the only people who can access the data are the sender and the intended recipient(s), and no one else. Neither hackers nor unwanted third parties can read the encrypted data on the server.
In true end-to-end encryption, encryption happens on the user’s device. Messages and files are encrypted before they leave the phone or computer and aren’t decrypted until they reach their destination. Hackers can’t read data on the server because they don’t have the private keys required to decrypt it; those secret keys are stored only on each user’s device.
This scheme, in which each user holds a public-private key pair, is known as asymmetric cryptography. Separate cryptographic keys encrypt and decrypt the message. Public keys are widely disseminated and are used to lock, or encrypt, a message. Private keys are known only to their owner and are used to unlock, or decrypt, the message.
In end-to-end encryption, the system creates public and private cryptographic keys for each person who joins.
Let’s say Alice and Bob create accounts on the system. The end-to-end encrypted system provides each with a public-private key pair, whereby their public keys are stored on the server and their private keys are stored on their device.
Alice wants to send Bob an encrypted message. She uses Bob’s public key to encrypt her message to him. Then, when Bob receives the message, he uses his private key on his device to decrypt the message from Alice.
When Bob wants to reply, he simply repeats the process, encrypting his message to Alice using Alice’s public key.
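The Alice-and-Bob exchange above, and the earlier contrast with data that a server can read, as an added example that is not code from the original post or from PreVeil. It models a server that stores only public keys and ciphertext, and devices that hold the private keys. The construction is an assumption of the example, not a description of any product: each message gets a fresh AES-256-GCM key, and only that key is wrapped with the recipient's RSA-OAEP public key (hybrid encryption, since RSA alone can encrypt only a short payload). The names Envelope, Server, Device, Enroll, Send and Open are hypothetical, and the sample message is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const nonceLen = 12 // standard GCM nonce size

// Envelope is everything the server stores for one message; From and To are metadata it does see.
type Envelope struct {
	From, To   string
	WrappedKey []byte // per-message AES key, RSA-OAEP encrypted to the recipient's public key
	Sealed     []byte // GCM nonce followed by AES-256-GCM ciphertext and tag
}

// Server is a constructed stand-in for the provider: a public-key directory plus inboxes.
type Server struct {
	PublicKeys map[string]*rsa.PublicKey
	Inbox      map[string][]Envelope
}
func NewServer() *Server {
	return &Server{PublicKeys: map[string]*rsa.PublicKey{}, Inbox: map[string][]Envelope{}}
}

type Device struct { // a user's phone or computer
	Name string
	priv *rsa.PrivateKey // never leaves the device
}

// Enroll generates the key pair on the device and uploads only the public half.
func Enroll(name string, s *Server) (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.PublicKeys[name] = &priv.PublicKey
	return &Device{Name: name, priv: priv}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts on the sender's device (fresh AES key, wrapped to the recipient's public key), then uploads.
func (d *Device) Send(s *Server, to string, plaintext []byte) error {
	pub, ok := s.PublicKeys[to]
	if !ok {
		return fmt.Errorf("no public key for %q", to)
	}
	raw := make([]byte, 32+nonceLen) // raw[:32] is the AES-256 key, raw[32:] the nonce
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	gcm, err := newGCM(raw[:32])
	if err != nil {
		return err
	}
	sealed := gcm.Seal(raw[32:], raw[32:], plaintext, []byte(d.Name+"->"+to)) // AD binds addressing
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, raw[:32], nil)
	if err != nil {
		return err
	}
	s.Inbox[to] = append(s.Inbox[to], Envelope{From: d.Name, To: to, WrappedKey: wrapped, Sealed: sealed})
	return nil
}

// Open decrypts on the recipient's device; any other private key fails at the unwrap step, and a modified ciphertext fails the GCM tag check.
func (d *Device) Open(env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot unwrap the message key: %w", d.Name, err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Sealed) < nonceLen {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, env.Sealed[:nonceLen], env.Sealed[nonceLen:], []byte(env.From+"->"+env.To))
}

func main() {
	srv := NewServer()
	alice, _ := Enroll("alice", srv)
	bob, _ := Enroll("bob", srv)
	_ = alice.Send(srv, "bob", []byte("constructed sample: the drawings are in the shared folder"))
	got, err := bob.Open(srv.Inbox["bob"][0]) // only bob's device can do this
	fmt.Printf("bob reads %q (err=%v)\n", got, err)
}
```

Two things the model makes visible that the prose leaves implicit. First, the server still learns who talks to whom, when, and how much (the From and To fields and the envelope sizes): end-to-end encryption protects content, not metadata. Second, everything now rests on two trust points that are outside the math: the directory that says which public key belongs to "bob", which a dishonest server could swap for its own (real systems add key verification or transparency logs for this), and the private key on the device, which becomes the thing an attacker goes after instead of the server.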
Security is a chain that is only as strong as the weakest link. Bad guys will attack the weakest parts of your system because they are the parts most easily broken. Given that data is most vulnerable when stored on a server, hackers’ techniques are focused on gaining access to servers.
The Department of Homeland Security writes:
Given that attackers will go after low hanging fruit like where the data is stored, a solution that does not protect stored data will leave information extremely vulnerable.
When practitioners use end-to-end encryption, however, the data is always encrypted on the server. Even if a hacker were to access it, all they would see is gibberish.
The DHS sums it up:
Attacking the data while encrypted is just too much work [for attackers].
You don’t want someone camped out in your network, reading your messages. E2EE keeps your data secure. This not only protects your data from hackers, but also protects your privacy from Big Tech.
Service providers like Google (Gmail), Yahoo, or Microsoft hold copies of the decryption keys. This means these providers can read users’ email and files. Google has used this access to profit from users’ private communications via targeted ads.
By contrast, in well-constructed end-to-end encrypted systems, the provider never has access to the decryption keys.
The NSA recently issued guidelines for using collaboration services. The NSA’s number one recommendation is that collaboration services employ e2ee. The NSA notes that by following the guidelines it defines, users can reduce their risk exposure and become harder targets for bad actors.
The U.S. State Department, too, recognizes the strength of end-to-end encryption. Its ITAR carve-out for encrypted technical data establishes that defense companies can now share unclassified technical data outside the U.S. with authorized persons, as long as the data is properly secured with end-to-end encryption. Such end-to-end encrypted data is not considered an export, and an export license is not required.
The NSA’s and State Department’s statements acknowledge that e2ee provides a significant advantage to users over traditional forms of encryption. This is the future of cybersecurity and it’s available now.
At PreVeil, end-to-end encryption is at the core of how we protect users’ email and files. Today, hundreds of defense companies and small businesses rely on PreVeil to protect their customers’ most sensitive data.
Learn more about how PreVeil uses end-to-end encryption to protect your data. Download our architectural whitepaper today.