Avoid government, hacker snooping by owning encryption key management: lawyer

Improving interoperability between encryption key management solutions will facilitate the use of encryption to improve governance – and prevent government intervention and hacker theft of sensitive data, a Brisbane-based intellectual property lawyer has argued in addressing a global security conference in the US.

“People are looking at security from the wrong perspective,” Hayden Delaney – an intellectual property lawyer with Brisbane-based firm HopgoodGanim who was chosen as the Australian Computer Society Queensland's 'Young ICT Professional of the Year' in 2010 – told CSO Australia in the lead-up to his presentation at the RSA Conference in San Francisco alongside RSA chief security architect Robert Griffin.

“They are getting bogged down in technical details like 'is the encryption algorithm strong enough?',” he explained. “Instead of thinking about that and where their data is geographically located, the much more fundamental question people need to be asking is 'where are the encryption keys held and where are they managed?'”

Given the recent surge in concern around the government's new metadata-retention program, and a broader sense that storing data in the cloud compromises data protection, Delaney focused on the growing role of encryption key-management solutions in closing these holes and making data inaccessible even to software vendors and cloud providers.

“The question isn't about whether the data should be encrypted or not,” Delaney said. “We all know by now that if the data is sensitive, then encryption is a very good way to insulate it from those risks.”

While encryption had gained mindshare for some time, however, the use of specialised software for managing those encryption keys was still in relatively early days as would-be adopters sat back waiting for clear winners from a variety of options.

However, vendor convergence around the KMIP (Key Management Interoperability Protocol) standard had helped fix this by providing a single compliance target that would ensure data didn't become inaccessible due to use of incompatible standards.

The real question in building airtight data security, Delaney said, is “the extent to which you can deploy solutions using an interoperable management solution.”

“That enables the customer to mitigate security matters, and it's something that, from my perspective as a lawyer, makes life easier. It's something that CSOs and CIOs need to be aware of, and something that lawyers need to properly understand.”


Although vendors have typically built their own key-management environments to ensure they performed as necessary, growing interoperability between various solutions was allowing those vendors to push the responsibility for decrypting data away from their data centres and back to the entities responsible for the data itself.

This, in turn, would tighten controls over data and ease broad fears that vendors might be pressured by government forces into building back doors into their encryption technologies.

Such vendor-side inaccessibility has been a key feature of the 'Zero Knowledge' approach championed by vendor SpiderOak, which saw customer enquiries surge after the NSA's PRISM program was revealed. SpiderOak's encryption architecture, based on an open-sourced framework called Crypton, prevents it from ever being able to access customers' cloud data.

Discussions about the role of encryption have hit the mainstream recently as UK, US and Australian authorities push for legal access to encrypted communications and users – and even government ministers – begin switching to more-secure, encrypted alternatives.

The ability to apply robust encryption to all enterprise data is likely to embolden organisations that have previously felt key management was one step too far for their security staff – and will, Delaney believes, help align the objectives of company lawyers with the capabilities of technology staff and the interests of the vendors supplying them.

“Vendors don't want to hold the keys because that involves huge risk,” Delaney said. “It makes the cloud very susceptible to things like requests by foreign or local governments to access data stored on their infrastructure.”

“If the encryption key management solution is implemented in the environment and pushed down to the customer level, it doesn't really matter: if the government approached them, all they could hand over would be encrypted data. It's an engineering solution to a legal problem.”
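The arrangement Delaney describes, with the keys pushed down to the customer and the vendor holding nothing but encrypted data, as an added example in Go. This is not code from the article, from HopgoodGanim, RSA or any vendor named above: the customer keeps a key-encryption key (KEK), each stored object is encrypted under a fresh data-encryption key (DEK), and the DEK itself is stored wrapped under the KEK. The names Customer, StoredObject, sealAEAD and openAEAD, the in-memory KEK and the "invoice-001" record are assumptions made for the illustration.

```go
// Customer-held keys: the provider stores only ciphertext plus a wrapped data
// key, so a demand served on the provider yields nothing readable. Added
// illustration, not code from the article or from any vendor it names.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is everything the provider ever holds for one object.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-256-GCM(data) under a per-object DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the customer's KEK
}

// Customer is the data owner. Its KEK stays in its own key manager (a KMIP
// server or HSM in practice; an in-memory slice here, by assumption).
type Customer struct{ kek []byte }

func NewCustomer() *Customer { return &Customer{kek: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("entropy source unavailable: " + err.Error())
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD returns nonce||ciphertext. The object ID is bound in as associated
// data so a blob cannot be moved under another ID and still decrypt.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openAEAD(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob of %d bytes is shorter than the nonce", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt runs on the customer side: fresh DEK per object, DEK wrapped under
// the KEK. Only the ciphertext and the wrapped DEK go to the provider.
func (c *Customer) Encrypt(objectID string, data []byte) (StoredObject, error) {
	dek := randomBytes(32)
	ct, err := sealAEAD(dek, data, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealAEAD(c.kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the data with the DEK.
func (c *Customer) Decrypt(objectID string, obj StoredObject) ([]byte, error) {
	dek, err := openAEAD(c.kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, obj.Ciphertext, []byte(objectID))
}

// Demo plays both roles. providerStore stands in for the vendor data centre: it
// receives a StoredObject and never a key. The KEK holder recovers the record;
// a party holding only the store's contents cannot unwrap the DEK.
func Demo() (recovered []byte, providerErr error, err error) {
	const record = "constructed sample record: account 42, balance 1000"
	cust := NewCustomer()
	obj, err := cust.Encrypt("invoice-001", []byte(record))
	if err != nil {
		return nil, nil, err
	}
	providerStore := map[string]StoredObject{"invoice-001": obj}
	disclosed := providerStore["invoice-001"] // all a demand on the provider can yield
	notTheKEK := make([]byte, 32)             // provider has no KEK; a guessed key fails GCM authentication
	_, providerErr = openAEAD(notTheKEK, disclosed.WrappedDEK, []byte("invoice-001"))
	recovered, err = cust.Decrypt("invoice-001", disclosed)
	return recovered, providerErr, err
}
```

The DEK/KEK split is what makes customer-held keys workable at scale: the customer's key manager only ever wraps and unwraps small DEKs, so the KEK can be rotated by re-wrapping DEKs rather than re-encrypting every stored object, and the provider's copy of the data stays opaque throughout. In a real deployment the in-memory KEK would be replaced by wrap/unwrap calls to a KMIP-capable key manager or HSM under the customer's control.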

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue