File encryption, at its most basic definition, is a secure way to store and share sensitive information.
Last month Amber Rudd, UK Home Secretary made international news by saying that “real people” don’t need encryption, insinuating that encryption is only used by terrorists. She proposed that companies should “voluntarily move away from it” while activists reacted with concern to her remarks.
Is she right? Is encryption only for people conducting shady business?
Let’s take a look at some common technology that currently uses data encryption.
WhatsApp, a smartphone chat application owned by Facebook with 1.3 billion active users, operates under default end-to-end encryption for all its messages. This means that not even law enforcement with a warrant can access the text conversations that people have within the app unless a user voluntarily provides a password.
This type of encryption, E2EE, is a system of communication that prevents eavesdroppers. Jim Killock, executive director of a UK digital liberties group, responded to Rudd’s comment. He stated that everyday users of E2EE might be “people who want privacy from corporations, abusive partners, or employers. Others may simply be worried about confidential information, or be working in countries with a record of human rights abuses.”
In February of 2016 another tech company made international news over an encryption issue. In the United States, phone service provider Apple refused to comply with FBI orders to access the locked iPhone of a California County health inspector who shot and killed police the previous year.
Apple made a statement saying that “backdoor” access into its phones sought by prosecutors “would set a dangerous precedent.” An attorney for the American Civil Liberties Union (ACLU) chimed in, saying the move was “an unprecedented power grab by the government that was a threat to everyone’s security and privacy.”
Is encryption merely a civil liberties issue, or does secure data go beyond personal freedom?
Mark Cuban, an billionaire businessman and investor famous for appearing on the American TV show Shark Tank, said Apple deserves a ‘standing ovation’ for fighting the FBI and refusing to decrypt the iPhone’s files.
Why are top-level businesspeople so outspoken in their support of the ability to freely encrypt data?
Perhaps they are simply familiar with what is at stake.
Encryption in the business world
All companies have business-critical information that the employees use on a daily basis and need to access in order do their jobs. Common business-critical information that should be kept secure includes industry secrets, HR files, financial information, and more.
Business people all around the world are supportive of data security because they need encryption capability, even at the most benign levels of data storage.
VPNs or Virtual Private Networks
In a corporate setting, employees working remotely enforce the use VPNs to access their company’s intranet, including work files kept on a company server. VPNs can also be used to create a virtual network where employees can collaborate without being in the same geographic location.
Remote staff often work from designated co-working spaces or coffee shops that use public Wi-Fi for internet access. For these employees, there is no way to use public Wi-Fi safely without a secure, encrypted VPN service.
Companies use secure VPNs because it does three things:
- Hides the IP address of the user
- Mixes the employee’s traffic with other users
- Encrypts the traffic between the secure VPN server and their employee’s computer
Without encryption of all the data that employees handle, companies would be actively exposing their critical information. The information would be potentially available to hackers and to their industry competition.
This means that in the modern business world, maintaining secure information is not only common for ‘real people’ but actually vital to the market.
Encryption at your fingertips
Information being sent over the internet can be encrypted by VPN. What about within a company?
For example, Human Resources files of staff hiring, complaints, salary details, and promotion history are all confidential records that should not be available to an employee’s coworkers.
In this situation, companies are turning to Data Management Systems to integrate encryption abilities and provide this everyday security.
ECMs have built-in encryption
Alfresco, one of the most popular Enterprise Content Management applications in the world, has developed a content encryption addon, or module that allows common users to encrypt company data stored in its repository.
With 11 million users worldwide and 7 billion documents uploaded to the system, Alfresco systems integrators—the trusted vendors who make up the global Alfresco developer community—have put data security at the top of the priority list.
How does the Alfresco Encryption addon work?
Encryption means translating information into a computer-generated code. With the unique password, a user can undo the code and access the documents. Without the password, nobody can open or read the files.
The Thailand-based software company Skytizens that developed the encryption addon, explains that it allows Alfresco users to encrypt and decrypt in 3 formats. From within the ECM, files can be accessed using multiple commonly-used business applications and can be restricted by system administrators for extra security.
So how do these three types of secure encryption actually function in technical terms?
- PDF encryption internally works with encryption keys of 40, 128, or the modern FIPS certified AES 256-bit algorithm depending on the user’s version of PDF reader. PDF encryption can be used for all PDF files as well as any file that conveniently converts to PDF (.tiff, .jpg etc.). The binary encryption key is derived from a password provided by the user.Up to PDF 1.7 (ISO 32000-1) passwords are restricted to Latin-1 encoding and a length of 32 characters. PDF 1.7 Adobe Extension Level 3 and beyond can use Unicode characters and have a maximum length of 127 bytes in the UTF-8 representation of the password. Since UTF-8 encodes characters with a variable length of 1-4 bytes the allowed number of Unicode characters in the password is less than 127 if it contains non-ASCII characters.This enhanced capacity means that international clients of Alfresco services who do not use the Latin alphabet still have ample room to create a secure password with complex characters. For example, Japanese characters require up to 3 bytes in UTF-8 representation so passwords using this encryption can have up to 42 Japanese characters.
- Microsoft Office encryption works by following the current guidelines for the 2007-2010 version of Microsoft Office and beyond (i.e. file extensions .docx .xlsx, and .pptx), which is a 128-bit key AES protection. Since the 40-bit RC4 key associated with earlier MS Office versions (i.e. 2003 file extensions .doc, .xls, and .ppt) is no longer accepted globally, Alfresco consultants must create a module to encrypt internally using older versions of the MS Office Suite.To ensure security, clients using 2003 and previous versions of MS Office will safely encrypt these files from within Alfresco or via the PDF encryption mentioned above.
- Alfresco Encryption – For any files that fall outside of PDF or MS Office as mentioned above, Alfresco offers its own proprietary encryption. The Alfresco encryption option makes use of the AES (Advanced Encryption Standard) 128/256 specified in the standard FIPS-197. AES is a modern and recommended block cipher which is used in a variety of applications. This means that Alfresco gives users the flexibility to secure all kinds of popular files, no matter what industry they do business in.
Alfresco currently supports everything from MP4 ITunes music files to PSD files from Adobe Photoshop—and everything in between. The Alfresco developer community is constantly expanding the list of supported formats for its users worldwide.
Document Management Systems like Alfresco are built to have a user-friendly interface. For the low-tech end user, there is no need to understand the details of encryption. Users can think of encryption-decryption as a sort of two-way switch on their data files.
Encrypted means inaccessible. Decrypted means accessible. Simple to do, as long as the user has the password to flip the switch. Impossible to do without it.
There is no need for companies to provide their employees technical training or IT knowledge either. Encryption within a DMS like Alfresco happens at the click of the mouse.
Benefits of data encryption
Encryption gives everyday Document Management System users the ability to secure their company content, both on the company server and while sending data over the internet.
DMS systems like Alfresco give companies dynamic control over secure files. Users can interact with the encryption module when they need to, then move on with their normal work.
With encryption modules being built for Document Management Systems as a vital module, the need for encryption in the everyday business world is obvious.
Encryption as an everyday necessity
Whether dealing with online chat applications, information stored in a personal smartphone, or the vast world of business, data security via encryption is a topic that touches nearly every person in the population.
Some say encryption shouldn’t be extended to the ordinary population. Others say we are already using it on a daily basis. Some even claim data encryption is a civil liberty that should be protected under the law.
At the very least, understanding the basic function of encryption and acknowledging its prevalent uses around the world, makes the discussion possible.
For more information on the data encryption capabilities of an open source EMS, contact your local Alfresco developer here.