Some of the more fascinating aspects of recent global security developments, including but not limited to GDPR, are the advances in encrypted communications that are now being introduced to the enterprise market. While encryption has long been used by militaries and governments to facilitate secret communication, there are now more and more requirements for encrypting data, both at rest and in transit, at all levels of commerce. These requirements extend beyond protecting strictly financial information.
Email is no longer king. It is thought that 2018 will be the first year that more business communications will take place over text messaging, chat, and Over The Top (OTT) instant messaging services than via email. These new business communication methodologies bring with them increased vulnerabilities for protected data and additional challenges for data protection professionals. Boardroom discussions about how best to communicate with employees will invariably end with some form of “use email for wide distribution of general information, but if it is critical or if you want someone to act quickly, message them.”
We wanted to find out more relative to the why, where, and when of secure business messaging so we talked with Aaron Turner, CEO at Hotshot Technologies, to learn what is currently going on with high-performance team messaging systems. Hotshot was founded to deliver a messaging and collaboration system that is easy to use and eliminates labor law and information handling compliance risks. Among other protections, Hotshot enables organizations to have “Data Protection by Design and by Default,” which is the stated objective of GDPR Article 25. As delightful as he is knowledgeable, Aaron gave us his insights into where this segment of security is headed.
Why Encrypted Messaging
The movement away from email and toward messaging as the primary business communication tool subjects data in transit to tremendous vulnerabilities. Aaron told us, “The reality of enterprise communication is that people are getting less and less engaged with email. With some of our pilot customers, their lower level employees, for example in retail, log into email twice a month and that’s just to get their pay stub. They don’t interact with email at all. Additionally, consider the fact that email has security problems. It’s the number one vector for people to introduce malware into organizations. It’s the number one vector for people to steal credentials. There are all these reasons why email is really bad, both from a lack of engagement as well as the vulnerability perspective.” Messaging is fast, convenient for a mobile workforce, and is rarely ignored. The potential for data intercept must, however, be addressed.
He explained that during the inception of Hotshot, “I wanted to focus on high integrity communications regardless of what device and what network you’re on. I saw the need, with things like GDPR, for cross-border data controls and given the fact that people want to be more and more private as far as their work-time versus personal-time, also for implementing something that offered both location and time-based encryption to protect that data.”
Location-Based Encryption is a Thing
“We have the ability to enforce rules related to a specific location without relying on IP address detection and that sort of thing,” Aaron explained when asked how and why location-based encryption is even a thing.
As a hypothetical, to illustrate just how widespread the need for location-based encrypted messaging is, Aaron said, “So let’s say you’re delivering pizzas in France and you text message your pizza delivery driver the name and address of your customer. That’s now GDPR protected information. Now your driver decides to take their device on vacation in Morocco. You now have a reportable event. We overlay policy settings that say if your device is outside of the approved location then the encryption keys are effectively suspended. That means you’re no longer able to access the information in our application and you’ll no longer receive notifications, send messages, etc.”
In the U.S., location-based encryption could also be combined with time-based rules to protect employers from liabilities related to requiring employees to work after hours away from their work site.
Time-Based Encryption for Labor Law Compliance
“Time-based encryption is more about labor law compliance. In the western United States, there’s a large network of wireless communication resellers. They were sued for over $2,000,000 by their hourly wage employees for managers texting them after hours and requiring them to read those messages after hours. They were looking for a time-based control to limit their liability in those cases. We were able to solve their problem by implementing time restrictions for labor law compliance and location-based restrictions for GDPR compliance.”
He went on, “In the United States, we’ve tracked about $100,000,000 in judgments against companies for off-the-clock compensation claims. This is a growing problem for U.S. companies. It started on the west coast and has been progressing eastward. Last year the New York City Council proposed an ordinance that would affect all companies that have business in New York City. Under this ordinance, they would be required to allow their employees to opt out of communications and notifications after hours. I think we will see more of these progressive labor time restrictions; we already have the precedent on the west coast.”
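The two controls described above (suspending message keys when a device leaves the approved location, and again outside working hours) can be illustrated with a small policy gate in front of a key store. The following is an added example written for this article, not Hotshot’s code: it assumes the client supplies its country code and local time, and it uses a stand-in HMAC-SHA256 keystream in place of the product’s elliptic-curve scheme so that it runs with the Python standard library alone. The pizza-delivery sample data is constructed.

```python
"""Policy-gated message keys (added example, not the product's code).

A conversation key is released only while the device context satisfies the
location rule and the working-hours rule; otherwise the key is suspended,
the message stays sealed, and the denial is recorded for the security log.
The cipher is a stand-in HMAC-SHA256 keystream, not the product's ECC scheme.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class MessagingPolicy:
    approved_countries: frozenset  # ISO 3166-1 alpha-2 codes where keys may be used
    work_start: time               # local-time window during which keys are live
    work_end: time
    work_days: frozenset           # weekday numbers, Monday == 0


@dataclass(frozen=True)
class DeviceContext:
    country: str          # assumed to be reported by the client, not derived from IP
    local_now: datetime   # device's local wall-clock time


def device_at(country, year, month, day, hour, minute):
    """Convenience constructor for a DeviceContext."""
    return DeviceContext(country, datetime(year, month, day, hour, minute))


def policy_violations(policy, ctx):
    """Return the rules the context breaks; an empty list means access is allowed."""
    violations = []
    if ctx.country not in policy.approved_countries:
        violations.append(f"location:{ctx.country} not in approved set")
    if ctx.local_now.weekday() not in policy.work_days:
        violations.append("time:outside working days")
    elif not (policy.work_start <= ctx.local_now.time() < policy.work_end):
        violations.append("time:outside working hours")
    return violations


class KeySuspended(Exception):
    """Raised when policy suspends the key; carries the violations for auditing."""


class PolicyGatedKeyStore:
    def __init__(self, policy):
        self._policy = policy
        self._keys = {}
        self.audit = []  # (conversation_id, decision, violations) for the security log

    def install(self, conversation_id, key=None):
        self._keys[conversation_id] = key or secrets.token_bytes(32)
        return self._keys[conversation_id]

    def key_for(self, conversation_id, ctx):
        """Evaluate policy on every access; the key never leaves the store on a deny."""
        violations = policy_violations(self._policy, ctx)
        self.audit.append((conversation_id, "deny" if violations else "allow", tuple(violations)))
        if violations:
            raise KeySuspended(violations)
        return self._keys[conversation_id]


def _keystream(key, nonce, length):
    """Stand-in PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def read_message(store, conversation_id, ctx, blob):
    """Decrypt only if policy releases the key; otherwise return None (message stays sealed)."""
    try:
        return decrypt(store.key_for(conversation_id, ctx), blob)
    except KeySuspended:
        return None


# Constructed sample policy: a French pizza shop, Monday to Saturday, 09:00-22:00 local time.
POLICY = MessagingPolicy(frozenset({"FR"}), time(9, 0), time(22, 0), frozenset(range(6)))


def demo():
    store = PolicyGatedKeyStore(POLICY)
    key = store.install("dispatch")
    blob = encrypt(key, b"Deliver to M. Dupont, 12 rue Example, Lyon")  # constructed, not real PII
    on_shift = device_at("FR", 2018, 6, 4, 18, 30)     # Monday evening, in France
    on_holiday = device_at("MA", 2018, 6, 4, 18, 30)   # same moment, device in Morocco
    after_hours = device_at("FR", 2018, 6, 4, 23, 15)  # in France, but 23:15
    return (read_message(store, "dispatch", on_shift, blob),
            read_message(store, "dispatch", on_holiday, blob),
            read_message(store, "dispatch", after_hours, blob),
            store.audit)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the design is that the policy decision sits in front of the key, not in front of the user interface: a denied access leaves the ciphertext unreadable rather than merely hidden, and each denial lands in the audit list with the reason, which is what a data-protection officer needs when deciding whether the Morocco trip became a reportable event.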
About That Encryption
We wanted to know more about how safe Hotshot’s encryption algorithms are and whether they have been tested. Aaron told us, “We use end-to-end elliptic-curve cryptography (ECC). It’s the same algorithm that Bitcoin uses and therefore as long as Bitcoin is worth more than zero then the Bitcoin algorithm is good. If Bitcoin’s encryption ever fails that means we need to change our algorithms. It’s sort of a canary in a coal mine situation. We’re using some of the best elliptic-curve cryptography we can get to encrypt every single message from point to point. It is never exposed on any backend server. It’s never available to any interceptor. The organization that generates those keys owns those keys, so we as an operator, have no insight into that information.”
Aaron says that if you drew a Venn diagram, “basically we think we sit in the middle of three circles. One circle is high-performance collaboration. The second is high-security collaboration. And then the third circle is MDM, or your policy enforcement on information. We sit in the middle of those three and we think that we’re going to disrupt all three of those markets. That’s one of the reasons why the government of Luxembourg chose us to be part of their Technoport incubator program. They think that we provide the best path forward for the ability to allow enterprises to achieve their data protection goals without a significant investment in new servers and infrastructure.”
Requirements for data protection are growing ever more restrictive, and business communication is rapidly moving toward messaging over email. Every business needs to take a serious look at how it is addressing these two trends.
By: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief