The SafeLogic Blog
What Gets Me Up in the Morning?
June 12, 2013 • Ray Potter
I'm nervous... but I'm also inspired.
I'm nervous because there is a widespread lack of understanding of the basics of encryption, and I'm seeing improper and even insecure implementations of encryption. These create vulnerabilities and can lead to the compromise of data and breaches of privacy.
You've likely seen the wave of press on PRISM (here's a good primer). I'm not going to debate the privacy or ethical implications of this program. That's not my place. But it's very serious stuff. You need to stay aware of it, as it has implications for all of us, and it deals with your data (well, maybe yours, depending upon the EULA with participating companies).
In related news, Ars Technica released a report that Skype messages appear to not be encrypted end-to-end. The messages are apparently decrypted at the server, then re-encrypted for transmission back down to the peer. Now, I haven't seen any claims from Microsoft for "end-to-end" encryption, and presumably they're filtering for spam, malicious links, etc., but now your chats, links, files, and everything else are being stored on a server somewhere outside your control. Someone you don't know and someone you shouldn't trust has access.
The Skype issue doesn't bother me so much. I don't have extremely sensitive chats over Skype. I pick up the phone for that. Oh, wait... that's no good either? Sigh.
Security is such a complicated field. End users feel good when their solution provider says, "Trust us, it's secure!" (SnapChat, anyone?) The public sees the little padlock icon and they feel assured. But have you ever hit a $9 combination lock with a sledgehammer? I recommend you try that experiment before you trust one.
So what's under the hood of these "secure" solutions? Is it a rock-solid cryptographic library that's been tested and validated to strict standards? And perhaps more importantly, is it implemented properly?
Here's the fun part. Instead of getting discouraged, aggravated, or just plain scared, I'm inspired by these questions. We're working hard to change all that and provide answers. These problems can be solved by using strong encryption the right way. We are giving users and developers the capability to protect their data with validated encryption and to control their cryptography. We are working with leaders in the mobility and cloud spaces to make this happen. We are seeing customers rip out home-grown encryption and replace it with verified, validated libraries. We are seeing teams re-architect products specifically with security and encryption in mind.
At the end of the day, we're helping protect data. User data, corporate data, financial data, healthcare data. That, my friends, is inspiring.
Ray Potter
Ray Potter is the Founder of SafeLogic, which was spun off from his previous venture, the Apex Assurance Group consulting firm. He brings over 20 years of security and compliance experience, including leading teams at Cisco and Ernst & Young, to the operations team at SafeLogic. Ray loves playing guitar and flying airplanes.