Microsoft's Tighter Encryption: Why Others Should Follow Its Lead

By Wayne Rash  |  Posted 2013-11-29

Microsoft's Tighter Encryption: Why Others Should Follow Its Lead

The revelations in The Washington Post that Microsoft was working to encrypt all the traffic the company moves around the world because of National Security Agency (NSA) spying should only be a surprise because it wasn't already being done.

Chances are (although we can't prove this) that anything Microsoft or any other large company with sensitive information moves across the public Internet is already encrypted. However, these same large companies also have massive private network connections that connect their data centers around the world.

These networks and the global data centers they connect exist for a variety of reasons. Large companies have lots of offices that need access to data. These companies need to have secure links to disaster-recovery sites, or they need real-time mirroring to ensure data integrity.

Whatever the reason, these sites are connected using fiber-optic cables that are usually provided by a third-party. Those third parties may include major carriers such as Verizon, or data communications companies such as Level 3.

Until recently, most of this traffic has been passed as unencrypted data. Most personally identifiable information such as health records or credit card numbers would have been encrypted in any case, but the vast majority of corporate data is stuff like boring old email, calendar entries or PowerPoint slides. Of course, the email and calendar metadata are exactly what the NSA and other intelligence services want. I doubt that even the NSA is willing to sit though terabytes of PowerPoint presentations.

But that doesn't mean somebody else isn't. Emails, calendar entries and, yes, PowerPoint slides are the types of data that cyber-criminals, competitors or even foreign intelligence services are trolling for. Even though the NSA almost certainly doesn't care about Microsoft's marketing plans, the Chinese military almost certainly does. And there's the problem.

These are the reasons Microsoft is right to find a way to encrypt all traffic that travels outside the company, just as Google and Yahoo are now working to do. This is also why you should make sure that data that travels outside your company is also encrypted. It's not just the NSA that's interested in your data—it's everybody, and some people are a lot more interested than the folks in the Puzzle Palace.

But you're probably asking yourself if is it realistic to think that someone can tap into your company's fiber connection between data centers? The answer is, yes. All a cyber-criminal needs to do is bribe a data center employee to siphon off your traffic to another port, and to send the contents of that traffic stream to that someone else. Hackers from China can do the same thing, or they can simply tap the fiber-optic cable and get a copy of everything that passes over it.

Microsoft's Tighter Encryption: Why Others Should Follow Its Lead

And, yes, tapping into a fiber-optic data cable is entirely possible, and it's done regularly by foreign intelligence services. The U.S. military has routinely been deploying submarines to install fiber-optic cable taps on undersea communications cables, and it's a sure bet that other governments are doing this, as well.

Perhaps you think that your data isn't valuable enough to be worth the cost of deploying a submarine, and perhaps you're right. But if your data is there along with the data from the intended target, it'll still get swept up.

Fortunately, there are steps you can take to at least make it inconvenient to entities who may want to steal your company's most critical data. The first is to make sure that some encryption is always in use when your information is moved around the company and over the Internet. At the very least, make sure that Secure Sockets Layer (SSL) encryption is enabled for any data transfer.

Second, for those times when you need to move data outside the company, use a service that encrypts your data before it leaves your site, encrypts it en route, and keeps it encrypted when it arrives at its destination.

Finally, if you routinely transfer data over a fiber link, whether it's to another data center of yours or to a third-party hosting service for disaster recovery, storage or backup, use an encryption appliance before the data travels outside your building. Encryption appliances are available from a variety of vendors, including Cisco, Certes Networks, Symantec and others.

Does this mean that you shouldn't worry about the NSA? No, but if the U.S. government wants access to your data, then your network providers are compelled to hand it over.

On the other hand, your network provider isn't compelled to hand over data to cyber-criminals and probably not to the Chinese military (unless your networks travel to China). However, those entities are at least as interested in getting your secrets as the NSA is, and there's no point in making the process easy.

Rocket Fuel