
NSA Suggests End-to-End Encryption for Teleworkers [Encryption Digest 42]

May 29, 2020 | Katrina Dobieski


The remote workforce has been collectively scrutinized where security is concerned, and in many ways has come up lacking. While that may come as no surprise, suggested changes are sweeping in their potential scope. The FBI suggested moving beyond traditional user identification methods like MFA, and one alternative to strengthen security for remote workers is certificate-based authentication. The NSA, in turn, came out with a decisive guideline concerning the types of telework platforms government agencies should be using. In four words, it was end-to-end encryption. Even as the debate over encryption remains unsettled, Five Eyes hasn’t backed down in their demand for backdoors—the necessity of the times has proven the utility of encryption.



 

NSA Suggests End-to-End Encryption for Teleworkers

What happens when work-from-home government employees use their own devices? The NSA issues guidelines for how those devices should be used.
 

“The primary audience for this guidance are U.S. Government employees and military service members engaging in telework, especially telework employing personally owned devices such as smartphones and home computers,” reads the NSA memo.
 

Government WFH
With so many first-time work-from-homers, it’s hard to tell what level of security is being used across the board. It may be safe to assume that whatever privacy and security protocols came out of the box are all that are in use on many teleconferencing calls. And it may, according to the NSA, be safe to assume that’s often not enough.

 

NSA Guidelines
According to the guidelines, teleconferencing apps in use by government workers should meet these criteria:

 

  • End-to-end encryption
  • Use well known encryption standards (RSA, Diffie-Hellman, etc.)
  • Multi-factor authentication
  • Visibility over who connects to sessions
  • Prevents data share with third parties
  • Ability to delete data from repositories as needed
  • Open source code (Only Signal and Wickr were open source, according to the NSA’s rundown)
  • Certified by a nationally recognized security organization
  • Not under country laws/jurisdiction contrary to USG privacy policy


They've included a chart comparing a host of popular videoconferencing options and measuring them against the above metrics.
 

Privacy and data security are no longer niche selling features but have become a premium in the stay-at-home environment. With schools, churches and businesses choosing between an array of online communication tools, it’s a buyer’s market and security is a key selling point. The NSA’s guidelines are more than good practice. They allow people to hold vendors to account for their security practices and pit their practices against an objective metric—something arguably needed in the world of consumer tech.
 


Is it Time to Move from Passwords to PKIs?

Multi-factor authentication is so ten minutes ago (at least according to some). With this being a common practice for many work-from-homers, what will it take to implement the solution?
 

In the mad rush to get everyone online and working (from anywhere, mostly home), we may have neglected to do our due diligence with security, to put it lightly. According to conservative reports, cyberattacks have increased by 33%. According to others, it was 500%. Either way, while we may have been neglecting the finer points of endpoint security, cybercriminals were ahead of the game.
 

Should we make it harder to play?
 

Moving away from consumer passwords and MFA

Black hats have had it easy when it comes to poaching user accounts. While the big payoff is in corporate breaches, those systems are a little harder to hack than user accounts. Cryptographic keys and encrypted databases present a sharper challenge than usernames and passwords, especially when so many of those human identities are redundant and poorly executed.


Knowing the disparity between consumer security methods and current hacking abilities, the FBI has even suggested moving away from traditional MFA because it’s easier for cybercriminals to attack. How can we reimagine authentication? Encrypted protocols, for one, are mathematically based and are more difficult to crack. So, identifying users with digital certificates (and employing a strong personal PKI) can serve as a potential alternative.
 

Instead of passwords which can be misused or forgotten, stolen or hacked, digital certificates (already in use to identify machines) can be used to identify humans, as well as replace passwords on multiple use cases—WiFi logins, VPN access and DaaS (desktop as a service). The upside to moving to a fully digital PKI for private use is that in an exchange, the private key stays with the user and can stay on the device (making logins more seamless). You can’t reuse a private key, so the risk of hack-by-reuse goes way down.


Challenges of running a fully digital PKI for your remote workers

However, inherent in any new opportunity are a batch of new struggles. It’s one thing to have digital certificates – it's another thing to protect them.

 

To make sure your digital certificates are protecting optimally, they need to be issued from valid CAs (do your research), organized and kept up (full visibility) and renewed at regular intervals (automation, anyone?) among other things. It’s like having a dog – shots, vets, walks. You’ve got to earn it.
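The two checks named above (issued by an approved CA, renewed before expiry) can be automated with the openssl command line. The script below is an added example, not code from the original post or from Venafi; the CA names, user names, file layout and 30-day renewal window are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit user certificates: each must chain to the approved CA and must not
# expire inside the renewal window. All names and files here are constructed.

WORK=$(mktemp -d)

# Build a throwaway CA. $1 = file prefix, $2 = CA common name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a user certificate. $1 = CA prefix, $2 = user name, $3 = lifetime (days)
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days "$3" -out "$WORK/$2.pem" 2>/dev/null
}

# Print one verdict. $1 = certificate, $2 = approved CA file, $3 = renewal window (days)
audit_cert() {
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "UNAPPROVED_CA"      # does not chain to the approved CA (or already expired)
  elif ! openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null; then
    echo "RENEW_NOW"          # valid today, but expires inside the window
  else
    echo "OK"
  fi
}

# Constructed sample inventory: two certs from the approved CA, one from another CA.
make_ca approved "Constructed Corp User CA"
make_ca other "Constructed Unknown CA"
issue_cert approved alice 90
issue_cert approved bob 10
issue_cert other mallory 90

for user in alice bob mallory; do
  printf '%s\t%s\n' "$user" "$(audit_cert "$WORK/$user.pem" "$WORK/approved.pem" 30)"
done
```

Run on a schedule against the real certificate inventory, the RENEW_NOW verdict is the trigger for automated renewal and UNAPPROVED_CA flags credentials issued outside the sanctioned PKI.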
 

Switching all your employees from passwords and MFA logins to encrypted certificate-based credentials is a decisive move. But, when considering the average cost of a data breach, doing a full PKI overhaul for all your remote workers might be worth it. Cyber attackers have to stay at home, too—and we all know what they’ve been doing.



 

About the author

Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.
