Sunday, September 8, 2013

Trust No One

The fundamental fabric of the Internet has been destroyed.

The U.S. National Security Agency (NSA) and intelligence agencies in allied countries have found ways to circumvent the encryption used on the Internet, according to stories published by the New York Times and the Guardian.

According to the reports, NSA and other spy agencies have used a variety of means to defeat encryption, including supercomputers, court orders and behind-the-scenes agreements with technology companies. In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it is incredibly destructive for the NSA to add flaws to such critical infrastructure. The NSA seems to be operating on the assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners.

It appears that any way the NSA might have bypassed encryption was almost certainly through faulty, incomplete or invalid key management processes or simple human error, rather than through the cryptography itself. The new revelations raise major concerns among Internet users over whom they can trust. We should assume that all big companies are now in cahoots with the NSA and cannot be trusted. You cannot trust any company that makes any claims about the security of its products. Not one cloud provider, not one software provider, not one hardware manufacturer.

Businesses are acutely sensitive to government information requests because they are also beholden to privacy laws, such as HIPAA and the Gramm-Leach-Bliley Act. So, in highly regulated industries, such as financial services and healthcare, businesses must strike a balance between government oversight and consumer privacy. They feel they cannot comply with local privacy laws while their data is subject to the Patriot Act.

The U.S. Electronic Communications Privacy Act of 1986 came along in the early days of the Internet. The act did not require government investigators to obtain a search warrant to request access to emails and messages that are stored in online repositories. In 2001, the Patriot Act further added to the authority of the federal government to search records under its "Library Records" provision, offering a wide range of personal material into which the government could delve.

At Ohanae, we believe that ultimate security and compliance boil down to being able to protect data and logins. Trying to control the device (especially BYOD), in many cases, is neither necessary nor sufficient. At the end of the day, if you have the ability to protect the data and make sure that your data is not leaking, you do not have to touch the rest of the device.

Ohanae® Cloud Privacy Protection is a patent-pending technology for securing data and logins without requiring storage of any associated credentials by the user either locally or in the cloud. Users’ data is transparently encrypted in the cloud and locally on their devices, and passwords cannot be guessed, phished, or stolen with Ohanae’s sophisticated endpoint protection mechanism.