Encryption has always been a central concern for the cybersecurity community, but it has taken on added importance following the 2013 revelations of widespread Internet surveillance by world governments and intelligence agencies. In response, many Web properties have since implemented and/or updated encryption technologies with the stated purpose of protecting user privacy and shielding sensitive information.
Encrypted traffic on the rise as organizations become wary of surveillance
Naturally, encrypted Internet traffic has spiked in the months after the leaks exposing the depth of operations such as the U.S. National Security Agency's PRISM program. This May, Canadian broadband management company Sandvine released a study, "Global Internet Phenomena Report" that tracked the recent evolution of Internet usage.
The results showed that Secure Sockets Layer traffic volume had almost doubled in North America since last summer, rising from 2.3 percent to 3.8 of all online activity there. Some of the key findings of this report and similar ones included:
- The shift was even more pronounced in Europe, where encrypted traffic shot up to more than 6 percent, quadrupling from a year ago. In Latin America, use of Internet encryption shot up tenfold – it now secures more than 10 percent of traffic.
- To put these numbers into context, Cisco has predicted that total IP network traffic will increase at a 23 percent compound annual growth rate until 2017. Accordingly, encryption still has plenty of room to grow as overall Internet usage levels continue to surge.
- This trend applies not only to PCs, but also to mobile devices. The same Cisco report estimated that by 2017 half of all IP traffic would originate from non-PC devices such as smartphones, tablets, machine-to-machine modules and TVs. Moreover, encryption is becoming a foundational feature of the Internet of Things.
- Key drivers of the increase in SSL traffic include Google and Yahoo's adoption of HTTPS by default. Last year, Google made encryption standard on all of its core services, including Search, Gmail, YouTube and Google+. Yahoo eventually introduced SSL into Yahoo Mail and also provided the option for Tumblr, a popular social network that is acquired in 2013.
- The Mozilla Firefox and Google Chrome browsers have also implemented encrypted search. Various search engine optimization firms have stated that between 85 percent and 95 percent of their organic keyword data has been lost to encryption, with "not provided" now the leading query in many analytics.
Taken together, these studies indicate tremendous momentum for an encrypted Internet, and more recent developments bear them out. Many client applications that integrate with the widely used Extensible Messaging and Presence Protocol, which at different times has been supported in services such as Google Chat and Facebook, are switching to encrypted server-to-server communications. Google and Zix Corporation also announced message encryption for Google Apps, apparently to court security-minded enterprise clients.
Encryption must also be implemented and understood in cloud computing environments
While encryption has come to the fore across a wide range of consumer and enterprise offerings, it is still strangely rare in the infrastructure that serves as the backbone of many of these services – cloud computing. A study from the Ponemon Institute and Thales e-Security, surveying more than 4,200 businesses and IT personnel around the world, discovering that well under half of users of software-as-a-service and platform-as-a-service encrypt information before sending it to the cloud, with the figure even lower for data at rest.
"We believe these findings are important because they demonstrate the relationship between encryption and the preservation of a strong security posture in the cloud environment," stated the executive summary. "As shown in this research, organizations with a relatively strong security posture are more likely to transfer sensitive or confidential information to the cloud. In addition, they are more likely to encrypt data at rest in the cloud ecosystem."
Why the disparity between the rapid pivot to encryption of Web services and the inconsistent usage of encryption for cloud computing services? One possible explanation centers on the different concepts of who is responsible for data security in each context.
For example, with a service such as Yahoo Mail that is targeted directly at consumers, the end user cannot be expected to implement his or her own encryption key, or even to toggle the option for SSL in the case that encryption were optional. The security burden is squarely on the provider to ensure that encryption is enforced and data is secured. No organization wants to become the next Target and be implicated for overlooking a critical security detail that then precipitated a breach.
Cloud computing has an uncertain security model
With cloud services, the relationship between user and provider is less straightforward. For services such as SaaS, the cloud vendor is usually seen as bearing the most responsibility, according to the subjects of the Ponemon-Thales study. This makes sense since the customer isn't managing any of the technical infrastructure that supports the applications.
But for PaaS and infrastructure-as-a-service users, the picture is different. Both sides partake in the maintenance and optimization of resources, meaning that it may not always be clear who is on the hook for security.
Usually, the best thing that cloud users can do is to be diligent about the service-level agreements that govern their relationships with the provider. ZDNet's Ryan Huang compiled some advice from a security expert who advised customers to:
- Include a clause allowing for third-party auditors verify that proper security mechanisms are in place
- Get specific baselines for system performance and reliability
- Ensure that the vendor's own products are developed, tested and deployed according to secure standards, and that the process is detailed in the SLA
- Enforce strong encryption of communications between properties owned by the company and the vendor
- Carefully govern access to SaaS applications through measures such as requiring users to sign onto the corporate network beforehand
The encryption advice is notable, since cloud users, unlike consumers, cannot assume that the provider has sufficient motive to protect all data. The Internet may be becoming more encrypted, but organizations still have lots of work to do in securing their assets. Solutions such as Trend Micro Endpoint Encryption are critical as data privacy and protection become more important than ever.