Data encryption could help enterprises protect their sensitive information against mass surveillance by governments, as well as guard against unauthorized access by ill-intended third parties, but the correct implementation and use of data encryption technologies is not an easy task, according to security experts.
Encryption could limit the ability of law enforcement and intelligence agencies to access data without its owner's knowledge, whether by intercepting it as it travels over the public Internet or by forcing third-party service providers like hosting or cloud vendors to hand it over under a gag order. However, for this to work the data needs to be encrypted at all times: while in transit, while in use and while at rest on servers.
The recent media reports about the electronic surveillance programs run by the U.S. National Security Agency (NSA) have raised privacy concerns among Internet users, civil rights activists and politicians not only in the U.S., but also in Europe, Australia and elsewhere.
While there are still unanswered questions about the methods used by the NSA to collect data as part of its recently exposed PRISM program, the information leaked to the media suggests that electronic communications have been gathered en masse for years from Microsoft, Yahoo, Google, AOL, Facebook, PalTalk, Skype, Apple, and YouTube.
Some of these companies have already denied that the NSA has direct access to their servers or that they were even aware of this surveillance program before it was mentioned in the press. However, the possibility of the NSA having access, directly or indirectly, to the data stored on servers that belong to U.S. service providers is bound to raise data security concerns within organizations that moved or are considering moving their systems and applications into the cloud.
In general, encryption technologies can be used to limit the scope of data collection by government agencies, according to security experts. Even if governments do have the legal avenues to force companies to decrypt and provide access to their data by using national security orders, subpoenas, or other methods, at the very least the use of encryption can allow companies to know when their data is being targeted, they said.
"While all reputable companies will want to comply with the laws of the states in which they do business, encryption can give them full visibility into what is being monitored so that they can be a willing and active partner in government investigations," said Mark Bower, vice president of product management at data protection vendor Voltage Security, via email. "Encryption can mean the difference between full visibility into lawful intercepts, and learning about their data being intercepted by the next big leak in the media."
Encryption is likely to be most effective against upstream data collection efforts, said Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute in Baltimore, via email.
The challenge is what kind of encryption to use, Green said. SSL is the most common way to protect data transmitted over the wire, and the protocol is actually fairly strong, but SSL keys are relatively small and it's not outside the realm of possibility that an organization like the NSA could obtain these keys at some point, he said.