The group discussed encryption from a local and global perspective, and the pros and cons of its use. As a whole, they agreed that information security really “shot itself in the foot” by inventing encryption. From the outside it may look wholly beneficial, but once implemented in a workspace security teams can no longer see their sensitive data moving—they do not see it entering or leaving their systems, which makes their job that much harder. This led the group to discuss single-key encryption, where a “god key” is utilized—somewhat related to the conflict between the government and Apple recently. The point the group made is that security teams generally don’t trust government practices because of how they handle their security in their own realm, in a separate space from the rest of the industry. It is hard to work with them when they are so separated.
Next, the group decided that teams must really know their data. Before you can secure it, before you can decide on encrypting it, before you know how to decrypt it, you must know what kind of data you are working with. Teams must know their sources, the level of sensitivity in their data, where points in data can cross as it travels, and so on. For example, if two pieces of data overlap or “cross streams,” does that create a conflict in what your encryption keys can unlock? This led to a discussion on encryption key management, which is not an easy task for any security team and must be managed constantly. Who gets the keys, what will they unlock, how are keys shared—it is a tricky business. For instance, what happens to those keys when someone who had access to them leaves the company? All of these questions must be asked, discussed, and answered each and every day. Encryption is a double-edged sword in security—though it can be helpful, it can also create a lot of additional challenges for security teams that they must learn to handle.