Facebook Private Social Platform (The future is Private)
In his keynote at the Facebook F8 developer conference, CEO Mark Zuckerberg laid out his vision of building a new “privacy-focused” platform around the following priorities:
• Private Interactions
• Encryption
• Reducing the permanence of posts
• Safety
• Interoperability
• Secure data storage
Zuckerberg acknowledged that a huge effort is needed to build the infrastructure behind this privacy vision. From a product manager's perspective, this post explores the top challenges any other enterprise would face in adopting encryption technology.
Security vs Convenience and Cost
Security and convenience pull in opposite directions, and security teams struggle to strike the right balance. Encryption protects sensitive data and systems, but it raises costs (technology investment, hiring) and every newly added control makes the system less convenient for the people who use it.
According to the Verizon Data Breach Investigations Report (https://enterprise.verizon.com/resources/reports/dbir/), 2018 saw 53,000+ security incidents and some 2,200 confirmed breaches globally. At a high level this shows that winning stakeholder buy-in for data-security (information-security) investment remains a pressing need.
You need to find the right “Adoption driver” or “Motivation” to justify the investment.
People
In short, you need someone who understands encryption technology well and, more importantly, knows how to apply it to your organization's needs. An applied-cryptography expert or practitioner is essential for defining the problem and project scope, the cryptography strategy and the implementation strategy.
For example, none of the controls below is sufficient on its own to protect data end to end:
• A “proprietary” way to secure the data … (home-grown, unreviewed cryptography gives no assurance)
• “We already deploy SSL for our mobile application” … (TLS protects data in transit only, not data at rest)
• An application that enforces strong password rules … (authentication strength does nothing for stored or transmitted data)
Technology (Standards & Tools)
Rather than defining your own standards, start from two widely accepted industry standards:
• NIST cryptography guidance (https://www.nist.gov/topics/cryptography)
• OASIS Key Management Interoperability Protocol (KMIP) TC (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip)
Both introduce the core concepts and provide key-management guidance, best practices and specification requirements: NIST (notably SP 800-57) on how keys should be generated, stored, rotated and retired, and KMIP on the wire protocol between clients and a key-management server.
Depending on scope and team capability, you can choose from a few tool options:
• Open source software, for example KMIP4J (https://www.ibm.com/developerworks/library/se-kmip4j/) or Bouncy Castle (https://www.bouncycastle.org/)
• Enterprise key management software or appliances
• Build your own KMS on top of the Java Cryptography Architecture (JCA) or the .NET Framework cryptography APIs
More background: https://en.wikipedia.org/wiki/Key_management#cite_note-14
We will share more detail on “What is a Key Management System?” in our next blog post.
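Whichever option you pick, the core pattern a KMS gives the application is the same: envelope encryption, where each record is encrypted under its own data-encryption key (DEK) and that DEK is wrapped by a key-encryption key (KEK) that never leaves the key server. The Go program below is an example added by the editor, not code from this post or from any of the products linked above. ToyKMS, RotateKey, GenerateDataKey, UnwrapDataKey and Envelope are hypothetical names, and the in-memory map stands in for the HSM, KMIP appliance or cloud KMS that would hold the KEKs in production. It uses Go's standard library AES-256-GCM because it runs with no dependencies; the same design maps directly onto JCA's "AES/GCM/NoPadding" Cipher or .NET's AesGcm class. It shows three things a home-grown KMS must get right: the KEK stays behind the KMS boundary, key ID and version travel with the ciphertext so rotation does not break old data, and that metadata is bound into the AEAD so tampering with it fails closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ToyKMS is a hypothetical in-memory KMS for this example (a real one would be an
// HSM, KMIP appliance or cloud KMS). Key-encryption keys (KEKs) never leave it.
type ToyKMS struct {
	keks map[string][][]byte // key ID -> KEK versions, index == version number
}

func NewToyKMS() *ToyKMS { return &ToyKMS{keks: map[string][][]byte{}} }

// randBytes draws from the OS CSPRNG; if that fails nothing else is safe to do.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}

// RotateKey adds a fresh 256-bit KEK version and returns its number. Older
// versions stay so existing envelopes still unwrap; new ones use the latest.
func (k *ToyKMS) RotateKey(keyID string) int {
	k.keks[keyID] = append(k.keks[keyID], randBytes(32))
	return len(k.keks[keyID]) - 1
}

// keyAAD binds key ID and version into every AEAD call, so altered metadata
// fails authentication instead of silently decrypting under the wrong key.
func keyAAD(keyID string, version int) []byte { return []byte(fmt.Sprintf("%s:%d", keyID, version)) }

// gcm builds AES-256-GCM; keys are always 32 bytes from randBytes, so errors are bugs.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return aead
}

// gcmSeal returns nonce || ciphertext; gcmOpen rejects any change to either or to aad.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() { return nil, errors.New("blob too short") }
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// GenerateDataKey (KMS side) returns a fresh plaintext DEK, the same DEK wrapped
// under the latest KEK version of keyID, and that version number.
func (k *ToyKMS) GenerateDataKey(keyID string) (dek, wrapped []byte, version int, err error) {
	versions, ok := k.keks[keyID]
	if !ok { return nil, nil, 0, errors.New("unknown key ID") }
	version, dek = len(versions)-1, randBytes(32)
	return dek, gcmSeal(versions[version], dek, keyAAD(keyID, version)), version, nil
}

// UnwrapDataKey (KMS side) recovers a DEK wrapped under a specific KEK version.
func (k *ToyKMS) UnwrapDataKey(keyID string, version int, wrapped []byte) ([]byte, error) {
	versions, ok := k.keks[keyID]
	if !ok || version < 0 || version >= len(versions) { return nil, errors.New("unknown key ID or version") }
	return gcmOpen(versions[version], wrapped, keyAAD(keyID, version))
}

// Envelope is what the application persists; neither KEK nor plaintext DEK is stored.
type Envelope struct {
	KeyID                  string
	KeyVersion             int
	WrappedDEK, Ciphertext []byte
}

// EncryptEnvelope (application side) protects one record under its own DEK.
func EncryptEnvelope(kms *ToyKMS, keyID string, plaintext []byte) (*Envelope, error) {
	dek, wrapped, v, err := kms.GenerateDataKey(keyID)
	if err != nil { return nil, err }
	return &Envelope{KeyID: keyID, KeyVersion: v, WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, plaintext, keyAAD(keyID, v))}, nil
}

// DecryptEnvelope (application side) asks the KMS for the DEK, then opens the record.
func DecryptEnvelope(kms *ToyKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.UnwrapDataKey(env.KeyID, env.KeyVersion, env.WrappedDEK)
	if err != nil { return nil, err }
	return gcmOpen(dek, env.Ciphertext, keyAAD(env.KeyID, env.KeyVersion))
}

func main() {
	kms := NewToyKMS()
	kms.RotateKey("customer-pii") // version 0
	env, _ := EncryptEnvelope(kms, "customer-pii", []byte("constructed record: name=Alice, card=4111111111111111"))
	kms.RotateKey("customer-pii") // version 1: new records use it, the old envelope still opens
	pt, err := DecryptEnvelope(kms, env)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
}
```

The record in main is constructed sample data. After the second RotateKey call the stored envelope still decrypts because its KeyVersion points at KEK version 0, while any new EncryptEnvelope call wraps under version 1; changing env.KeyVersion, flipping a ciphertext byte, or presenting an unknown key ID all return an error rather than plaintext. What the toy deliberately leaves out, and a real deployment must add, is access control and audit logging on the GenerateDataKey/UnwrapDataKey boundary and a retirement policy for old KEK versions once their envelopes have been re-wrapped.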