#encyption

Ease of use

Organisations must look for products that are easy to use, easy and quick to install. These are obvious requirements that are partly about reducing the time and expertise required to install products in the first place. An important subsequent point is also total cost of ownership. If a product is not easy to install, it is usually a good indicator of a level of complexity that will remain as a long-term business overhead.

Accessible support

Encryption can be a business-critical management asset, as well as a business-enabling technology. It’s therefore important that you're working with an organisation – whether that's a vendor or the vendor’s partner – that can offer good, and accessible technical support.

Proof of encryption

It's a good first step to encrypt business laptops, as organisations will always lose laptops. Encryption turns what would potentially be an information-loss, into just the loss of a physical asset. It protects the organisation’s information and addresses the organisation's liabilities

Extendibility

In the first instance, you may be looking at deploying encryption within an estate of Windows devices. As technology changes and refreshes, it could be the case within a year or two that you have other requirements. You might need to manage encryption on Mac devices, or on smartphones and mobile devices within that same suite of products.

Using product certification and assurance schemes

It's a good step to encrypt devices and be able to prove that you've encrypted them. However, there is an increasing regulatory requirement to demonstrate that you've gone through some process of ensuring that the technology you're adopting represents best practice. For example, GDPR explicitly references ‘state-of-the-art’ technology.

-James Comey, Director of the FBI

The problem is that Comey is simply wrong: the state has never held absolute power over citizens. The 5th Amendment in the United States guarantees a right to avoid testifying against oneself. Our devices are now so personalized with our communciations, thoughts, banking, business, and life that they are functionally a self-testamonial about our lives.

Email encryption certificates need a few special extensions to be recognized as such by email programs. This guide helps you create certificates that are recognized by Mac OS X Mail and iOS Mail.

If you use Mac OS X you can just follow my earlier post about creating a certificate with the OS X Keychain Access tool.

For this guide you need to have openssl installed. OS X has it already installed and most Linux distributions have it as well. On Windows you might want to install openssl via Cygwin.

Create an openssl configuration file. To add the required extensions to your certificate you need to create an openssl configuration file. Create a file called smime.cnf with the following contents:

[smime] keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = critical, emailProtection subjectAltName = email:copy

Generate your key pair:

openssl genrsa -out email.key 2048

Generate a certificate request:

openssl req -new -key email.key -out email.csr \ -subj '/CN=John Appleseed/[email protected]'

Create your self-signed certificate. The -days option sets the validity of the certificate:

openssl x509 -req -days 1500 \ -in email.csr -signkey email.key -out email.crt \ -setalias "[email protected] self-signed S/MIME" \ -extfile smime.cnf -extensions smime

Combine secret key and self-signed certificate into a single PKCS12 file for use with Keychain Access and iOS:

openssl pkcs12 -export \ -in email.crt -inkey email.key -out email.p12 \ -name "[email protected] self-signed S/MIME"

Finally, import it into your keychain so that OS X Mail will be able to use it. Open the file email.p12. Keychain Access will start and ask you for your trust settings: Click "Always Trust".

In Keychain Access double-click the certificate to open it, then open the "Trust" section and set "Secure Email (S/MIME)" to "Always Trust".

With the following command you can check if your certificate is ready for use:

security find-identity -p smime -s [email protected]

If you've never thought about information security then before spending a week googling it then returning to day-to-day Facebook and Gmail is like waking into a nightmare. While both services make laudable efforts to secure their users data (including from their own government) it seems that not even the most benevolent of tech monopolies can guarantee protection from malicious intrusion, be it from a slip-up, attack or indeed sloppy user behavior. As they say, information just wants to be free.

However despite any real experience of herding techniques to speak of I'd say the first step to securing a herd of free-range data is to know roughly how many there are and in which fields they be a' grazin'. In short; a head count of online services that I entrust my data to is in order.

So as it stands now, the services I use that store (or indeed constitute) my personal data, in no particular order are..

Facebook

Tumblr

Google (Mail, Calendar, Contacts, Google+, Youtube, Picasa, Docs, Chrome, Chrome Sync (bookmarks, password etc), Reader

Dropbox

Springpad

Wunderlist

Flickr

Internet banking

A few work email clients/servers (with Imap/pop)

Android Apps: (Gmail, Greader, Gcalendar, Messeging, Call Log)

Seeing this list for the first is both consoling and a worry. On the one hand, like most problems, it looks much smaller and manageable than when it was just swirling around in my head. Running through this list and either securing, swapping or removing each of the 23 services seems pretty straight forward. However I start to worry about fueling rampant complexity when I throw in two more demands beyond security. Firstly (following my week of paranoia-fueled googling) I have a sneaking suspicion that Google will be complicated to secure or swap and near impossible to remove. While others might disagree , I have quickly come to understand Google to be an enterprise that revolves solely around 'utilizing' your personal information. While this will no doubt consume a few blog posts in its own right, for now I can only say that Google certainly appears to challenge my idea of secure data storage and as such I can imagine that following my mission with real zeal might involve saying goodbye to some of the best free online services around. *tear running down cheek*

The second problem I see with this list of services is that changing any of them will be complicated by my mobile lifestyle and choice of operating systems (note the plural). Syncing data between devices is also something that will at the least become a more complicated affair if some or all of the Google services get the chop.

So having surveyed the herd it's probably also a good start to finish by outlining (or should I say theorising) what I would consider to be a secure storage barn or service for mt precious flock given with my current, albeit rather slim, understanding of information security. Of course after reserving the right to sneak in a few edits when I wise-up to gain perceived credibility, I'd say that in general personal data is secure when:

It's backed-up across multiple hardware and location

It's only accessible by only those that the owner wants (both now and in the future) and..

It can be deleted and edited at any time