As part of a defense-in-depth strategy, many organizations are expanding their use of encryption. While encryption can protect against unauthorized access and reduce the likelihood of data theft, it is very difficult to build systems and processes that provide reasonable assurance of confidentiality in real-world use. In recent years, many software products have begun offering built-in encryption capabilities that are more user-friendly and manageable. When it comes to purpose-built encrypted communication tools or standards-based system-to-system encryption, the level of maturity is usually quite high. But many organizations are not prepared for the risks and pitfalls of end-user-managed (user-to-user) encryption.
The Call for Encryption
Industrial espionage, nation-state hackers and organized crime are concerns for even the smallest organization. This has not, however, slowed the rate of data capture and sharing among partners, regulators and customers. Organizations now regularly share large quantities of proprietary data and employees’ or customers’ personally identifiable information. Heightened awareness by the board and increased regulatory pressure are leading to increased focus on and funding for data protection.

Most organizations today are comfortable deploying in-transit encryption. Security teams can easily sell the need for transport layer security (TLS)-secured web applications or push for secure protocols, such as Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). Unfortunately, there are many data transfer workflows outside of IT’s control or that must meet externally imposed requirements. As a result, critical and high-risk data still travel through email and attachments. More and more, users are also making use of both authorized and unauthorized cloud storage and file-sharing services.

Because it is impossible to identify and control all of these scenarios, many organizations respond by deploying end-user-managed encryption tools, hoping that users will be responsible enough to integrate encryption into the existing processes (e.g., an IT request to encrypt before sending an email). However, this approach essentially delegates the security responsibility to uninterested end users who are looking for the path of least resistance.
Welcome to the Jungle
In theory, encryption is just a matter of applying some math to bits of data before and after sending a file or message. However, there is a vast ecosystem of encryption technologies, algorithms, configurations, tools and file formats. Complicating matters, end-user encryption tools are notoriously unfriendly from the end user’s perspective. Management and transfer of encryption keys and/or passwords and ensuring secure storage are daunting requirements to place on end users. Even if the best, most seamless tools and training are implemented, there is still the issue of compatibility with partners. If one partner is on a different platform, deploying that platform requires additional investment and

Given that organizations have multiple partners, the overhead from purchasing and supporting multiple tools can quickly escalate. Failure to support the tools that internal users need to keep their business partners happy will result in end users seeking creative solutions and workarounds.
Eric H. Goldman, CISA, Security+, is an information security professional with experience in financial services and manufacturing. He focuses on human factors and human-computer interaction in the realm of information security. He can be
Encryption in the Hands of End Users