Internet privacy could thwart data security, warns expert
Steps to improve online privacy could thwart data security, warns security expert Hugh Thompson
Firms need to ensure the use of encryption to increase online privacy does not impair their visibility of network traffic, says Hugh Thompson, chief security strategist at Blue Coat.
His warning comes a few days after a coalition of privacy groups, technology firms and internet sites launched a campaign to "reset the net" by encouraging the use of encryption for all online data exchanges.
The group is encouraging the use of proven security such as SSL encryption (HTTPS), HTTP Strict Transport Security (HSTS) and Perfect Forward Secrecy (PFS) to block state surveillance.
In the post-Snowden era, a growing number of the most popular websites are moving to HTTPS in the name of privacy, but this has security implications for business, said Thompson.
“Greater user of HTTPS is a great thing because it helps secure the transaction between websites and end users.
“But at the same time, organisations need to recognise that this will enable bad guys push down malicious files or binaries to a machine where no security scanning is done,” he said.
According to Thompson, this is a big deal for many companies because it means they are blind to traffic coming from HTTPS-enabled websites directly to devices connected to the corporate network.
“Companies are less able to see what is coming into their networks through the tunnel created by SSL, which means all the investments they have made in scanning technologies is less effective,” he said.
The problem is that many of these technologies sit on the network and are consequently unable to see files coming down through encrypted pipes.
“This is a place that attackers have naturally migrated to,” said Thompson.
Businesses waking up to this problem are looking to security suppliers. They want be able to manage that traffic and scan it for malicious content and sensitive data such as credit card numbers.
“Organisations are not interested in healthcare and banking transactions, but if it is someone downloading a file from Gmail, they want to be scan it to ensure there is no malware threat,” said Thompson.
Businesses need to be mindful of this potential threat, he said, and have a strategy to manage encrypted traffic that allows people the privacy they want, but also ensures no harm is done in terms of security.
More on privacy
- Privacy alliance calls for internet ‘reset’
- Is privacy undermining trade in digital services?
- Addressing security and privacy on the industrial internet
- Yahoo encrypts users' data to boost security and privacy after NSA revelations