End-to-end encryption : how to use the Cloud while remaining sovereign
Popularized in 2013 following the revelations of E. Snowden, end-to-end encryption today suffers from sometimes incomplete definitions. Doctolib, Zoom... The recent news allows us to take stock of the interest in adopting end-to-end encryption and to highlight its usefulness in securing uses in the Cloud.
Recent events have put end-to-end encryption on the front of the stage: Zoom has bought Keybase to offer end-to-end encryption, Doctolib now uses this same technology on medical data, Les Assises de la Sécurité places Olvid and Seald in the finals of their Innovation Award. Coming from leaders in their category, these actions and positioning are no longer weak signals, but rather the sign of a paradigm shift. This is therefore an opportunity to shed light on what distinguishes popularized encryption from end-to-end encryption, and to look at the sovereignty promised by this technology when applied to the power of the Cloud.
"Everything is encrypted in here"
While most services offer some form of encryption, they are not necessarily "secure". To get to the heart of the matter, it is essential to question authorization management: who can manage or access decryption keys? The broader or more indeterminate the answer, the less precise is the security.
The promise "everything is encrypted in here" is therefore often abused. Don't be fooled by the Cloud hosts themselves, not all encryption is end-to-end encryption. Many providers play this blur and claim that "it's encrypted" with no explanation whatsoever.
Nowadays, everything uses encryption, but that doesn't protect against all threats: the article you are reading now, for example, is made accessible through an encrypted connection, but anyone can read it (and that's perfectly normal).
So, what is true end-to-end encryption?
End-to-end encryption integrates a strong and decisive notion of decryption authorization management. Concretely, it makes it possible to protect a message (text or file), based on encryption algorithms, addressed by person A to person B. This process ensures that no intermediary (host, service provider, government, etc.) can read or decrypt the content.
This is nothing new...
Since 2013 and Edward Snowden's revelations about mass espionage by the United States, end-to-end encryption is gradually being deployed in consumer messaging applications: Signal and Telegram in 2014, WhatsApp in 2016, etc.
However, its adoption in the professional world was more timid until recently, even though tools are available (S/MIME or PGP for example).
For our part, we created Seald in this same dynamic, shortly after WhatsApp was launched.
... but the Covid-19 accelerates the adoption of uses
The Covid-19 crisis has only reinforced the urgent need for companies to become fully digital. Allowing the maintenance of activity in degraded conditions, remotely, the adoption of work solutions hosted in the Cloud, has become a question of survival.
Meanwhile, the debate over data sovereignty, the application of DPMR, the fear of the Cloud Act, the vendetta against GAFA, etc. is gaining momentum. Some are even talking about building a sovereign Cloud! Yet it is a battle that many in Europe would say is lost in advance. AWS, Azure, Google Cloud or even Office 365 and GSuite have become commodities, unbeatable in terms of price, used at all levels, in all types of organizations. If using them means putting the sovereignty of one's data at risk, not doing so creates a colossal handicap.
Reconciling the irreconcilable: combining Cloud and end-to-end encryption
Under these circumstances, end-to-end encryption has major advantages. It allows us to continue to use the best Cloud provider in complete security, whether it is American, Chinese or European. If the data that this Cloud hosts is end-to-end encrypted with technology like Seald's, there is no risk of losing sovereignty over the data.
The host has no authorization and therefore has no access to the understanding of the content! Backed by an end-to-end encryption solution, there is no longer any scruples about storing critical data on AWS or Azure in a shared cloud.
Known for its position on data sovereignty, the United States is validating the relevance of such a solution when, this month, the Senate sees an umpteenth attempt to ban end-to-end encryption with the Lawful Access to Encrypted Data Act...
If you want to learn more about how to protect your data in your cloud hosted services, contact us!
How do I set up end-to-end encryption?
The challenge of implementing end-to-end encryption is twofold: it has to be perfectly robust, and completely transparent to end users. Reconciling these two areas of expertise is a difficult task, and that's where we at Seald come in: providing end-to-end protection that is completely transparent to users and tailored to your business workflows.
The first steps in such a project are to answer these three questions:
- What are the elements you want to protect? Knowing that any end-to-end encrypted element will no longer be able to be the subject of backend operations or research on these elements.
- Who will need to have access to it? Knowing that it is necessary to provide backup access by an administrator to retrieve keys in the event of loss or compromise of keys.
- On which terminals, servers or applications are these elements written and read? They should be encrypted as soon as possible and decrypted as late as possible. Determining where the elements come from and how far they go is critical for the broadest possible protection.
Once these issues have been scanned, the technical work can begin:
- choosing robust cryptographic primitives - Seald uses algorithms recommended by ANSSI's RGS;
- set up key management for each recipient - Seald provides turn-"key" mechanisms;
- integrate encryption, decryption and authentication for each operation in each terminal, server and application - Seald offers development kits that can be integrated into any system, including AD / LDAP;
- implement recovery mechanisms to prevent data loss - Seald offers an easy-to-use backup key mechanism that supports end-to-end encryption;
To save you from having to do all these steps yourself, Seald can support you with turnkey or customized end-to-end encryption solutions in your applications and workflows.