Best practices for using military grade security
Governments and militaries around the world have long recognised that their lines of communications were often their weakest links and required some of the strongest protections. Today there needs to be a greater appreciation that other entities are no different, with concerns over hackers, competitors or foreign governments intercepting and reading their organisation’s communications.
Protecting data is paramount to the success of nations and enterprises and therefore, by association, of entire economies. Particularly with the rise of BYOD working practices, there are more unofficial endpoints with access to crucial data, expanding the attack surface for all types of entities.
Whether looking to build hacker-proof communications systems, abide by government-mandated encryption and compliance requirements or ensure that disgruntled employees cannot leave with sensitive data on mobile devices, organisations have been searching for the silver bullet solution to their communications security.
The unfortunate reality is that nothing is 100% secure. Even with a near-perfect design, proper implementation and deployment, communications security still includes people – often the most important component of any system but also its weakest link.
Building a state-of-the-art, end-to-end secure communications system is complex. It requires international levels of expertise in cyber security, cryptography, engineering, architecture, mobile operating systems design and kernel programming, design of mobile devices and secure hardware components, product and project managers, UI/UX experts, QA and hacking experts, test and validation experts, security code reviewers, secure cloud infrastructure experts, computer network defence experts, experts in managing the network and the secure operating centre, as well as experts in governance, risk and compliance.
Should you have the aforementioned expertise, there are also significant financial and time requirements to achieve truly secure communications. Highly secured governmental entities have taught us that all truly secure communications systems are based on six key dimensions (6D).
The initial dimension is the trusted devices themselves. This includes trusted hardware, a secure operating system and secure apps that cannot be hacked or manipulated.
BYOD unfortunately renders this most basic dimension useless. While employees are happy with the freedom to choose their device and applications and many employers appreciate the infrastructure savings, untrusted devices can quickly become a Trojan Horse for outside attacks.
The second dimension is trusted and verified users. Through a trusted user directory, audio/visual user verification and key signature verification techniques, you can ensure that the right people are using your communications system.
The third dimension is end-to-end encrypted communications. This consists of data encryption in transit and at rest, key exchange mechanisms and perfect/future forward secrecy as well as other important security features.
Building a system of secure, ephemeral but compliant communications is key, and it represents the fourth dimension. Limiting the time any communications can be accessed limits the possibility of spying or unauthorised access. Secure communications systems should also have the ability to recall data and messages, while remaining compliant with business and regulatory requirements.
Security controls for data and communications make up the fifth dimension. These controls may include geo-fencing, which limits access to those within a physical boundary; device-bound data and messages, which limits access to specific devices; or action-based security controls like preventing screenshots, forwarding or copying of communications or accessing data not intended for its own use, etc.
Finally, all of an organisation’s communications must rely on a secure cloud. This includes the cloud itself, data within it, managed cloud services and testing from the outside to ensure security.
Many private companies may be wondering whether they need the highest level of secure communications, along the lines of militaries and governments. The reality today is there are three types of companies: those that have been breached, those that don’t know they’ve been breached and those that will be breached. It’s not a matter of “if” but “when.” Any organisation is a potential target if the attackers think they can monetise data or make money by holding an organisation’s data for ransom. Attackers are often able to access data due to insecure communications or weak cloud security and/or network security controls.
Governments and militaries have already identified that data is the lifeline of operations, and other entities ought to take heed. Without data, there is no business to speak of. Data is king!