As intelligence services worldwide debate the value of consumer- and enterprise-controlled encryption that does not contain backdoors for spies, vendors are introducing a plethora of encryption offerings designed to pique corporate interests. Intralinks and Box this week released new offerings for customers who prefer to maintain their own encryption keys while still taking advantage of the vendors' Software-as-a-Service capabilities, while companies such as Red Folder and SpiderOak are positioning themselves as the secure, on-line vaults.
Intralinks director of strategy Todd Partridge said the company is expanding its SaaS Customer Managed Keys (CMK) encryption technology that the company unveiled this past fall. It allows users to create custom encryption keys for each of their data stores rather than simply having one CMK for all of their data. This capability will allow users to turn access to specific data stores on and off on an as-needed basis without impacting the rest of the company’s stored data.
Partridge said customers currently upload data to the Intralinks infrastructure by first encrypting the data with Transport Layer Security (TLS), the follow-on to Secure Sockets Layer (SSL) technology commonly in use by websites today. Once the data reaches the Intralinks site, the user's data then goes through a 13-step process to ensure that it's malware-free, indexed and encrypted. Master encryption keys are generated, and those customers using the latest Intralinks features then use their own encryption keys to encrypt the Intralinks Master Keys.
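The key hierarchy described above (data encrypted under a master key, which is itself encrypted under the customer's own per-store key) is commonly called envelope encryption. The sketch below is an added example, not Intralinks' code: AES-256-GCM, the blob layout and every name in it (`seal`, `unseal`, `create_store`, `read_store`, the sample store contents) are assumptions chosen for illustration.

```ruby
require 'openssl'

# AES-256-GCM. Blob layout (an assumption): nonce (12) || tag (16) || ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  body = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + body
end

# Raises OpenSSL::Cipher::CipherError if the key is wrong or the blob was altered.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.update(blob.byteslice(28, blob.bytesize - 28)) + cipher.final
end

# What the service stores for one data store; the master key exists only wrapped.
Store = Struct.new(:wrapped_master, :ciphertext)

# Encrypt data under a fresh master key, then wrap that key with the customer's key.
def create_store(customer_key, data)
  master = OpenSSL::Random.random_bytes(32)
  Store.new(seal(customer_key, master), seal(master, data))
end

# The customer key must unwrap the master key before any data can be decrypted.
def read_store(store, customer_key)
  unseal(unseal(customer_key, store.wrapped_master), store.ciphertext)
end

# Constructed sample: two data stores, each under its own customer-managed key.
def demo
  deal_key, hr_key = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  stores = [create_store(deal_key, 'deal-room contents'),
            create_store(hr_key, 'hr-files contents')]
  # The customer withholds hr_key, so the service can only try deal_key.
  stores.map do |store|
    read_store(store, deal_key)
  rescue OpenSSL::Cipher::CipherError
    :inaccessible
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Withholding one store's key leaves the other store readable, and supplying the key again restores access without re-encrypting anything the service holds.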
Partridge also made news when he told Tom's IT Pro that the company is planning to develop a hardware security module (HSM), which is a server or hardware appliance-like device that safeguards and manages digital encryption keys, for corporate use later this year. The HSMs, which are expected to be available during the second half of the year, will allow customers who use Intralinks' service to take advantage of some of those capabilities on the client's enterprise network as well as in the cloud.
Recently, Box unveiled its Box Enterprise Key Management, a service that will be offered through Amazon Web Services and Gemalto. Users of Box EKM will have full control over their encryption keys and audit files, an approach that is still rare among some larger cloud and SaaS providers. Many cloud services, including Amazon AWS, currently make the customer responsible for physical and logical access controls outside the cloud provider’s network, including encryption.
The Box offering will be powered by the AWS CloudHSM. "When a customer decides to use EKM, they work with Box to provision a CloudHSM in AWS and an on-premises backup in the customer's own data center, all connected by secure, dedicated connections," read a post by AWS chief evangelist Jeff Barr on Amazon's AWS Official Blog.
The Box announcement follows Amazon's own Key Management Service (KMS) announcement by less than a month. In that launch, Amazon said users will be able to create and manage their own keys, as well as manage all of their keys. However, the two announcements are unrelated, an Amazon spokesman said.
While the Amazon, Intralinks and Box approaches all call for the users to use TLS or SSL encryption to send data to the web site, recently launched Red Folder from Woodinville, WA-based Prevendra Inc. is an approach where the user fully encrypts their data before sending it to the Red Folder site. Once the data reaches Red Folder, only the owner of the data or the owner's designee can access the data; Red Folder has no access to the decryption keys.
"Not all information is sensitive," said Christopher Burgess, CEO and founder of Prevendra. The more secure the data, the higher the cost. While Burgess strongly supports the encryption of data in transit, highly confidential data needs to be encrypted at rest as well. Burgess knows something about confidential data, having served with the Central Intelligence Agency for more than 30 years.
The flood of encryption offerings for the consumer and corporate markets appears to reflect the caution and concern intellectual property owners are displaying after the numerous, high-profile data breaches. However, Burgess cautions, many corporate executives still fall victim to what he calls "event amnesia," forgetting how bad it felt when their networks were breached and data stolen. Encryption, Burgess said, is an important part of "Security 101."