Over the last few months there has been tremendous speculation in the media surrounding leaks from the National Security Agency. The ongoing worldwide commentary, including in Canada, has shone a light on how thoroughly governments collect information from their citizens and has generated a debate about personal privacy.
A government’s intelligence-gathering apparatus is a closely guarded secret that impacts national security. Every country runs security programs to ensure the safety of the state and its citizens, and to preserve the integrity of its government as a whole. Recent reports have provided all sorts of conjecture as to the cooperation between government agencies and technology vendors, with allegations of “backdoors” that undermine the security of their product offerings.
More recently, malware has become a tool of international cyber-crime and a threat to everyone running applications on mobile devices with an open development platform. From consumer applications designed to misappropriate personal information and steal identity, to state-sponsored initiatives used to gain access to government secrets, the threat is real and growing.
Additionally, the bring-your-own-device (BYOD) trend has become prevalent in some government agencies, and the security implications that come with it are an increasing concern. To thwart the security risks of BYOD, the Russian government reportedly even went as far as using typewriters to leak-proof sensitive classified documents. Many industries embracing the BYOD trend have run up against tough challenges, especially regulated industries that require stringent security and privacy standards.
So what can be done in a government world that seeks greater mobility?
For mobile security, the primary objective is to protect the confidentiality and integrity of a transaction between end points. For smartphone users, this is between your device and the services running behind your company’s firewall. An integrated approach, including data encryption between these end points, is the best defense.
Encrypting data before it leaves the enterprise and decrypting it after it has been delivered is essential. Strong encryption like AES-256 works to protect the integrity of the data at all points outside your control, which any network engineer or security professional will tell you are hostile and untrustworthy territory.
One of the biggest challenges to the effectiveness of a modern encryption system is entropy. Entropy is the gathering and creation of random data. In a very simplified view, you could consider the effectiveness of a system as the difference between picking a number between 1 and 10 versus picking a number between 1 and 1,000,000,000,000. While the problems are essentially the same, the level of difficulty and complexity is substantially different.
In the context of the BlackBerry solution, we use multiple sources of entropy to create dynamic and changing keys that ensure mobile data is encrypted and unreadable until it is safely delivered and decrypted at its destination. These keys change for every packet of data that is sent. So when you receive a one-megabyte presentation on your device, that actually represents 500 individual packets (or transactions), each encrypted with a unique key.
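The keyspace comparison and the per-packet keying described above, worked through as an added example. This is not BlackBerry's code or its key-derivation scheme: the seed-to-key function, the HMAC-based per-packet derivation and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

KEY_LEN = 32  # bytes; the key size AES-256 takes


def effective_bits(choices: int) -> float:
    """Entropy, in bits, of one uniform pick among `choices` values."""
    return math.log2(choices)


def key_from_seed(seed: int) -> bytes:
    """Assumed toy KDF: hash an integer seed into a 256-bit key."""
    return hashlib.sha256(b"demo-kdf|" + str(seed).encode()).digest()


def recover_seed(target_key: bytes, choices: int):
    """Search the whole seed space; the cost is at most `choices` hashes,
    whatever the length of the resulting key."""
    for guess in range(1, choices + 1):
        if hmac.compare_digest(key_from_seed(guess), target_key):
            return guess
    return None


def packet_keys(master: bytes, count: int):
    """Assumed scheme: key_i = HMAC-SHA256(master, nonce_i || i), with a
    fresh 128-bit nonce per packet that would travel with the ciphertext."""
    out = []
    for i in range(count):
        nonce = secrets.token_bytes(16)
        key = hmac.new(master, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.append((nonce, key))
    return out


if __name__ == "__main__":
    print(f"1..10      -> {effective_bits(10):.2f} bits")
    print(f"1..10**12  -> {effective_bits(10**12):.2f} bits")
    weak_key = key_from_seed(7)  # constructed sample: seed picked from 1..10
    print("seed recovered from 256-bit key:", recover_seed(weak_key, 10))
    master = secrets.token_bytes(KEY_LEN)  # 256 bits from the OS CSPRNG
    keys = {k for _, k in packet_keys(master, 500)}  # 500 packets, as in the text
    print("distinct per-packet keys:", len(keys))
```

A 256-bit key is only as strong as the randomness that produced it: the key built from a seed in 1..10 carries about 3.3 bits of entropy, and even the 1..1,000,000,000,000 range yields only about 40 bits.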
Most government agencies and affiliated contractors in Canada are required to adhere to strict data security regulations, and one of the principal security standards for government agencies in both Canada and the U.S. is FIPS 140-2, or Federal Information Processing Standard certification.
FIPS 140-2 is an industry standard developed jointly by the U.S. and Canadian governments to provide a common certification for the security of encryption modules in technology products. Typically any technology that uses cryptography to access government resources or store government data requires FIPS validation. Cryptography, with its algorithms to encrypt data, is the foundation that secures networks, VPNs and on-device secure containers. However, the FIPS validation process is a stringent one, which requires a technology vendor to use cryptographic modules of an elevated standard.
There is no turning back the clock on the reality that our most precious information has now gone mobile. That trend will only accelerate. So when it comes to classified communications on a robust and secure mobile infrastructure, the security has to be built in, end-to-end and at every layer. The hardware, software and the network itself all need to be secure in order to protect data where it is most vulnerable.
Demand solutions without “backdoors” or compromise. Trust, but verify; hold your partners accountable to be transparent and prove that they are protecting your information.