Have you ever been reluctant to say something on the phone that you might say in person? If so, that’s a reasonable instinct. Communications are less secure today than they’ve ever been. This is especially true for consumer communications, and surprisingly, for many enterprise communications.
It’s important to understand that conversations now span across multiple modalities. It’s common to respond to an email or text message with a phone call or video (or vice versa), which leaves a trail of metadata at the least, and possibly much more.
We also tend to spread our conversations across multiple providers, creating a weakest link situation. For example, email, SMS, and social networks might be from three different providers with different security practices and associated third parties. We generally assume our conversations to be private, but few providers make any commitment to privacy or confidentiality.
Twitter had
a major hack last month that could have been much worse than it was. With access to 45 high-profile accounts, the hackers attempted to convince people into sending them Bitcoin, leveraging the accounts' reputation to make it seem more convincing. And in 2013, hackers got out a single tweet (Obama injured) on the Associated Press Twitter account, and it caused the Dow to plunge more than 140 points. Reuters estimated that the subsequent sell-off erased $130B within the S&P 500. Imagine what could have happened if 45 trusted, popular accounts corroborated on a market-impacting falsehood?
The Twitter hack raised a lot of concerns about internal processes — at Twitter and elsewhere. In this case, the hackers used a superuser (god-mode) administrative feature. We have since learned that many employees had access to this capability.
Security and control are the Achilles’ Heel of cloud communications and the reason that might cause premises-based solutions to return. Of course, premises-based solutions aren’t necessarily more secure, but they give administrators more control. There’s a strong case that cloud providers are better at security, but that’s an assumption that’s increasingly hard to trust.
Outsourcing security to providers applies to both the software applications and the physical access to data centers. Over the past 20 years, data centers have become fortresses with strict entry policies and procedures. As the data center workloads moved to the cloud, so did these best practices — at least we think so. It’s hard to get details. The first rule of cloud security is no one talks about cloud security.
Outsourcing security to a cloud provider doesn’t free the enterprise of the security burden. Scrutiny of both the application and the infrastructure remain key IT responsibilities. There are also ways to limit the access that providers have to enterprise conversations. The most obvious is key management, which can restrict or completely prevent a provider from accessing encrypted enterprise data.
The problem with restricting the provider’s access to data is they often use it to deliver valuable services. In messaging, for example, advanced search and discoverability are often features the provider accomplishes with server-side access. An enterprise key management (EKM) server can give the provider gated access to content. This is an option with Cisco Webex and Slack.
Another option is to use zero-trust applications. This means providers, and their superusers, don’t have or require any access to user content. It is more complex (or impossible to deliver a variety of cloud-centric enhancements such as transcription or advanced content discovery services.
Twitter’s hack was a monumental “fail whale” and wasn’t even their first offense (
2019 and
2017). However, Twitter isn’t alone in failing to protect conversational data. Last month, a European provider
EncroChat, which touted secure communications, was hacked by law enforcement, resulting in many of its customers being arrested.
After years of digital transformation, our conversations are no longer ephemeral. They are frequently transcribed, indexed, searched, and stored on servers. This is increasingly true across voice, messaging, and meetings. It’s a relatively new phase in the history of communications, but as a result, we need to better understand the vulnerabilities we have created.
The evolution has been slow, but the pendulum is now swinging back toward privacy — in both consumer and business communications. We have reached an inflection point after so many hacks and ransom attacks. Laws like the GDPR and California’s data privacy legislation have passed, and
the president has even floated the idea of pardoning Edward Snowden.
Security isn’t something that can be fully delegated to the security team either. We are way past the days of sending viruses in email attachments. The Twitter hack, and many others, are the results of social vulnerabilities. Attackers compile dossiers on employees using public profiles on LinkedIn, recruiting sites, background check services, and open-source research. They then use various tricks to get employees to reveal or capture sensitive information such as a password. The attackers have become much more sophisticated, and it requires user education as well as practices such as one-time passwords or limiting access to managed devices.
For some solutions to improve conversational security, check out
Journey,
AGAT Software,
Theta Lake, and
Wire, which were featured in The Innovation Showcase at Enterprise Connect this year.
Dave Michels is a contributing editor and Analyst at TalkingPointz.
