Encryption is not a buzzword. If the past week has shown us anything, it’s that encryption is working. It’s a powerful tool that can enhance security and trust in your brand. With tangible results and benefits like that, its impact is long-term and everyone wins.
Here are my four predictions for 2017:
1. ENCRYPTION WILL GO MORE MAINSTREAM
The deployment of encryption will only accelerate. This trend will be most visible in the browser, where HTTPS will replace HTTP for most high-traffic sites. This will be driven by the move to HTTP/2, which in practice will not support unencrypted traffic, as well as by initiatives from Google to push sites to use encryption. Large media organizations such as The Guardian and The New York Times are leading the way and have switched to HTTPS only. The benefits of encryption are more privacy for your visitors, as well as preventing the increasingly common practice of content injection.
We also expect this trend to accelerate in consumer and IoT products, where the perceived risk of hackers and state-sponsored attacks is growing. These categories are moving beyond transport-level encryption. WhatsApp, iMessage, and others have deployed end-to-end encryption to more than a billion consumers. In the IoT space, suppliers are starting to offer end-to-end encrypted solutions ready for integration into everything, from light bulbs to cars.
2. THE ENTERPRISE WILL DEPLOY END-TO-END ENCRYPTION
Currently, enterprise software lags behind the consumer space in the deployment of end-to-end encryption. Popular tools don’t use end-to-end encryption. This leaves companies at risk of data snooping and massive hacks. I believe that the value of securing data will become more evident as more high-profile hacks and leaks, such as the DNC hack, are revealed in 2017.
End-to-end encryption means that the only parties with access to your data are the ones with the keys. If done properly, this can remove all of the back-end infrastructure from the trusted computing base. This is a critical step to reducing leaks. This is especially true for cloud solutions, where it is often unknown who has access to customer data: Your SaaS provider? Their providers? Their hosting service?
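The property described above, as an added example that is not part of the original article: two endpoints agree on a key with X25519 and exchange an AES-256-GCM message through a back end that only stores it. The endpoint names, the `serverStore` array and the sample message are constructed, and the sketch assumes the two public keys were exchanged authentically.

```javascript
// Added example: constructed names and data, not from the original article.
const nodeCrypto = require('node:crypto');

// Each endpoint creates its own X25519 key pair; the private key never leaves it.
const newEndpoint = () => nodeCrypto.generateKeyPairSync('x25519');

// Both endpoints derive the same 256-bit key from the X25519 shared secret.
function deriveKey(myPrivateKey, peerPublicKey) {
  const secret = nodeCrypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  const okm = nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2e-demo-v1', 32);
  return Buffer.from(okm);
}

// AES-256-GCM: confidentiality plus an authentication tag over the ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not match the ciphertext
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// The "SaaS back end" here only stores and forwards envelopes; it holds no keys.
function runDemo() {
  const alice = newEndpoint();
  const bob = newEndpoint();
  const message = 'Q3 acquisition plan (constructed sample)';
  const serverStore = [seal(deriveKey(alice.privateKey, bob.publicKey), message)];

  // What an insider or intruder on the server can read: ciphertext only.
  const serverSeesPlaintext = Buffer.concat(Object.values(serverStore[0])).includes(message);

  // Bob, holding his private key, recovers the message.
  const bobKey = deriveKey(bob.privateKey, alice.publicKey);
  const received = open(bobKey, serverStore[0]);

  // A server that modifies stored data is detected by the GCM tag.
  const tampered = { ...serverStore[0], ct: Buffer.from(serverStore[0].ct) };
  tampered.ct[0] ^= 0x01;
  let tamperDetected = false;
  try { open(bobKey, tampered); } catch { tamperDetected = true; }
  return { received, serverSeesPlaintext, tamperDetected };
}
console.log(runDemo());
```

The back end drops out of the trusted computing base only if each endpoint can verify the other's public key; a server that can substitute keys can still read traffic, which is the key management problem.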
3. KEY MANAGEMENT WILL REMAIN A CHALLENGE
Encryption is, unsurprisingly, no silver bullet. The greatest challenge when deploying an encryption system is key management. How do you distribute and protect keys? We have seen examples of key management failures from the infamous Comodo hack, to the use of stolen code signing certificates.
In your own organization, it is important to protect your keys, especially if they are used to authenticate your software or services to the public.
THE BEST PRACTICES HERE ARE:
- Use Certificate Transparency for your public HTTPS certificates.
- Consider using hardware encryption modules such as TPM for servers, and FIDO for clients.
- Code signing keys should be stored and used on air-gapped machines whenever possible.
More best practices can be found here.
4. THE CONVERSATION WILL MOVE FROM PRIVACY TO TRUST
Historically, cryptography has been thought of as an enabling tool for privacy. I believe the narrative is moving to one of trust. When Apple shipped encryption by default for iOS, and WhatsApp turned on end-to-end encryption, it was not because their support queues were filled with requests for more privacy. They shipped these features to create trust for their brand. Encryption allows you to tell your users: You can trust us; hackers can’t take your data from us, our support staff can’t see records, only you have access to your account.
This is important not just for consumer applications. If you use a SaaS product that uses end-to-end encryption, you know you can trust them. Even inside an organization, encryption can be deployed so that you know who needs to be trusted and who does not. Why should you have to trust your IT department with all of your company’s IP?
In 2017, cryptography is a tool you should consider to enhance security and trust in your brand.