Overcoming Obstacles: Encryption for Everyone!

Mechthild Stöwer

Head of Department Security Management

Fraunhofer Institute for Secure Information Technology

"Digital World" is ubiquitous

New technologies and services produce and share masses of data.

Confidentiality in focus

Companies' know-how is at risk:

• 51 % of all companies are affected [1]

• 51 bn damage [1]

SMEs are in focus [2].

Privacy violations cause reputational losses and breaches of data protection laws.

[1] Study Bitkom 7/2015
[2] Corporate Trust: Study Industriespionage, 2014

Measures to protect confidentiality

• Up-to-date malware protection

• Implementation of firewall systems

• Data leakage prevention systems

• Appropriate access rights according to the need-to-know principle

• Monitoring of access rights

• Awareness programs

Encryption is the key measure

Data-in-Transit

• E-Mail communication

• Instant messaging

• Voice communication

• Network access

• Collaboration platforms

Data-at-rest

• Storage devices

• Container, folders

• Files

… but rarely used!

Results from a study from 2014 [1]:

• Only 14 % of all professional users encrypt e-mails

• 65 % of all users do not have any technical support for encryption

• Even where infrastructure is available, only 20 % of users encrypt e-mails

[1] Study from the German organisation Bitkom: http://www.heise.de/ix/meldung/Befragung-Stand-der-E-Mail-Verschluesselung-ist-desastroes-2243124.html

State-of-the-art in SME

• Encryption is used based on personal risk estimation

• No company-wide policy is in use

• Different solutions are in place: inefficient administrative effort

• No recovery and emergency procedures: risk of loss of keys and encrypted data

• No key management: availability and confidentiality risks

• No mechanisms for process improvement

Best practice approach for SME

• Evaluation of information protection requirements

• Threat analysis

• Implementation of appropriate encryption solutions for storage and transfer of information

Example: small trading company

Source: KMU Diamant Consulting AG

• Small trading company managed by the two owners

• Two employees

• IT infrastructure: 3 networked PCs, one of them a laptop

• Internet access, e-mail in use, office applications, solution for inventory management

Step 1: Protection requirements

Information and its evaluation:

• Personal information (employees' data, salaries, absence from work): highly sensitive information, high protection requirements

• Customer-related data: highly sensitive information, high protection requirements

• Calculations: highly sensitive information, high protection requirements

• Inventory information: low protection requirements

• Product information, catalogues: low protection requirements

• …

Step 2: Threat analysis

• Confidentiality violations when mobile storage devices or laptops get lost.

• Loss of know-how through unauthorized access to critical company information, e.g. by dissatisfied employees who transfer it to new employers.

• Data protection law breaches by unauthorized access.

• Unauthorized access to E-Mails with confidential information.

Step 3: Encryption solution

Data-in-transit

• Confidential personal information transferred by e-mail is encrypted.

• Offers for clients are encrypted.

Data-at-rest

• Storage devices in laptops are encrypted.

• Use of USB sticks with hardware-based encryption

• Sensitive information stored on PCs is kept in encrypted containers.

Guide for SMEs on the use of encryption (for the German-speaking audience):

https://www.sit.fraunhofer.de/reports

Main obstacles for use of encryption

• The concept of asymmetric encryption is not easy to understand.

• There is no accessible infrastructure to disseminate keys.

• Users handle a variety of applications and are not experienced in configuring encryption solutions.

• The usability of solutions is unsatisfying.

• Lack of availability of keys and certificates.

Project "Encryption for Everyone"

1. Solution: Free certificates for all citizens

   • High-quality identity check when creating certificates (eID)

   • Automatic installation for applications

2. Target group: Citizens, SMEs, freelancers

Usability is first priority!

Project "Encryption for Everyone"

E4E - Functions

• Verification of identity (eID, identity procedure supported by Deutsche Post, ID-Passport)

• Wizard supported handling

• Certificates are automatically integrated into e-mail clients and browsers

• Private key remains with the user

• Easy export and import of certificates for other devices
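The "private key remains with the user" property above is the part of the E4E function list worth checking, not just trusting: the user's machine generates the key pair and only a certificate signing request is handed to the CA. This added example (not E4E's own software) models that flow with OpenSSL and then verifies both that the issued certificate chains to the CA and that its public key matches the key that never left the user; the CA name and the user identity are constructed.

```shell
#!/bin/sh
# Added example, not part of the E4E software: user-side key generation,
# CA-side signing of the CSR, and two checks. Names are constructed.
set -eu

WORK=$(mktemp -d)

# CA side: a self-signed root standing in for the CA-Server (key would live in the HSM).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=e4e-demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# User side: key pair generated locally; only user.csr leaves this machine.
make_user_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Alice Example/emailAddress=alice@example.invalid" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# CA side: sign the CSR once the RA has completed the identity check.
sign_user_csr() {
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/user.crt" 2>/dev/null
}

# Check 1: the issued certificate chains to the CA root.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

# Check 2: the public key inside the certificate is the one derived from the
# user's locally held private key (compared as SHA-256 over the DER encoding).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/user.key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/user.crt" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

make_ca && make_user_csr && sign_user_csr && verify_chain && key_matches_cert \
  && echo "issued: private key stayed with the user, chain verifies"
```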

E4E - Architecture

[Architecture diagram; labelled components: CA-Network (CA-Server, Utimaco HSM), RA-Network (RA-Server), OCSP Responder, LDAP-Server, WWW, E4E-Software, eID-Provider, eID-Server]

E4E – overcoming obstacles

Q. Availability of keys and certificates; missing infrastructure for key distribution

A. Free certificates from an independent organization without commercial interests, publication of certificates, implementation of application

Q. Configuration of application in a correct and secure way

A. Automatic installation of certificates

Q. Missing support for the comprehensive process

A. Support of user during the whole life span of certificate

Q. Lack of usability of encryption applications

A. Application is easy to use, support by wizards

Tatjana Rubinstein
Mechthild Stöwer

Fraunhofer-Institut für Sichere Informationstechnologie SIT

www.sit.fraunhofer.de

Institutszentrum Schloss Birlinghoven
D-54754 St. Augustin

E-Mail: [email protected]