Secure communication without the RIGHT encryption is like an airplane without wings
That tells you encryption is essential, but how exactly? And what do you need to know about encryption so you’re empowered to protect your privacy, always and everywhere? Scroll down for a crash course in encryption and gain the knowledge needed for choosing the right email solution.
To illustrate, imagine you’re a secret agent, a spy traveling the world day in day out. Your job is to go to one country, collect information – any James Bond movie plot works perfectly here – and then fly somewhere else to relay that information.
Of course, you’re a spy and most of your work will be done undercover. As such you’re a master of disguise. One moment you look like a CEO on a business trip, the next you blend in like a tourist asking for directions, whatever it takes to guard the information you carry.
That, in a nutshell, is what encryption is: it’s the process of encoding information, the same way a secret agent might disguise themselves.
So whenever you send and receive any kind of information online, think of that information as a secret agent, and then consider how to make sure your secret agent never gets caught along the way.
Encryption for dummies (and pizza lovers!)
Everything you need to know about end-to-end encryption with zero knowledge to protect your data and your online security. Explained with the help of pizzas!
Encryption dates back thousands of years. One could even argue it’s as old as writing itself, perhaps because of our innate right to privacy. Before the age of technology, encryption took the form of coded messages.
Of course, present day computing power has yielded encoding too complicated for a human brain to wrap itself around, but the underlying principle is very much the same:
When you want to send a message securely, you encode it. Only someone with the decryption key – the information that tells you how to decrypt something – will be able to receive and see this message.
Without encryption, it would be next to impossible to use the internet securely, the same way a secret agent would be lost without their ability to disguise themselves.
No one likes a breach: encryption protects your data and stops your business from getting hurt.
Increases consumer trust
No chance of a leak means your consumers can trust you with their sensitive data.
Gains you a competitive advantage
Customer data breaches average at a cost of $200 million! By offering encryption you gain an edge over the competition.
Protects your remote workers
Remote workers are often not as protected as those at the office, encryption offers an extra layer of security.
Email encryption encrypts, or disguises, your email to protect them from being read by anyone who isn't the recipient (whether that is the government or a crafty hacker). Email encryption is essential for secure communication, especially if you deal with sensitive information (or decide to log onto the public WiFi of your local library).
Much like opening someone's post (illegal, by the way), it is extremely easy for anyone to read an email, even those who are not part of the conversation.
Alright, got it! Email encryption is important, so what encryption should you use, and what parts of your email should be encrypted?
Is your email encrypted when sent between internet connections?
Is the content of your email protected?
Who has access to the encryption keys?
Are your emails stored encrypted?
Email encryption: Are you taking the red or blue pill?
(Email) Encryption means making information unreadable to anyone who is not authorized. It is like The Matrix, where you need a pill (or a decryption key) to read the underlying information, does that mean that there's only one way to encrypt?
Encryption in transit
Encryption at rest
End to end encryption
Zero knowledge end to end encryption
Encryption in transit
As the name suggests, encryption in transit protects your data while it’s transferring from A to B. It’s the disguise a secret agent would wear while travelling. It’s perfect for sending encoded information all across the world without anyone detecting a thing.
Of course, it begs the question: what happens when the journey’s completed?
Encryption at rest
Encryption at rest again is an aptly named encryption protocol: it encodes your email while it’s at rest. It’s the fake identity a secret agent might have in their day to day life.
Encryption in Transit and Encryption at Rest both fall short of protecting your data adequately. Their shortcomings are fairly obvious when you think of them in terms of a secret agent who can only hide their true identity either when they’re travelling or when they’re at home.
End to end encryption
The point of a secret identity is that your disguise holds up everywhere you go. Likewise, encryption from start to finish (end-to-end encryption) is therefore often considered to be perfectly safe.
While end-to-end encryption is widely used, it is founded on a dangerous assumption: trust. It's the assumption that the person you're sending it to is trustworthy (and haven't we all made the mistake of sending an email to the wrong recipient?). There goes your secret mission, unveiled by a stranger.
Zero knowledge end to end encryption
Imagine being a spy and having to relay your information. Your code word is ‘blue’, you ask him to confirm, and he gives you the color ‘green’. This makes him untrustworthy and it means that he won't get the secret information. Crisis averted!
This is in essence how zero knowledge end-to-end encryption works. Not only is your information encoded, it makes sure that only the intended audience holds the key to unlock the information. The onus is on the recipient to prove that they have the decryption key and are authorized to access your email's content.
End-to-end encryption vs Zero-knowledge end-to-end encryption
Let's have a look at the journey of your data as it surfs the web and decide at which points it’s vulnerable. Obviously, encryption in transit and at rest both fall short of offering full protection, but many people mistakenly believe this issue is resolved using end to end encryption.
Data protection is not only a matter of when and where it’s encrypted, but also where the encryption key is stored. After all, encrypted data is only useful if you have the encryption key.
This is where the biggest difference between end-to-end encryption and zero knowledge end-to-end encryption comes into play.
In other words: end-to-end encryption might help protect against data breaches or hacking attempts, but it doesn’t protect your privacy. To achieve the latter, you’ll need to rely on an encryption solution where they encryption key is not stored in the cloud: zero knowledge end-to-end encryption.
When you want to send a message, you encrypt it.
Only the person with the decryption key can see your message.
zero-knowledge end-to-end encryption
Why? This is the encryption that protects your files and emails through the entire process.
Only our customers have access to the decryption keys so that no third party can access the decrypted data, not even us. Safe, sane and secure. That's SmartLockr.
You protect your data from unauthorised people. These could be hackers, disgruntled employees or perhaps even jealous spouses, but what if authorities want to access your data?
It’s easy to see why a hacker wouldn’t have the right to see your data, but does the same apply to a government? A secret agent wouldn’t be allowed to withold data from their government. Does the same apply to your data?
The short answer is: it depends.
The short answer: yes, absolutely. If you use a US cloud provider (Microsoft, Google, Amazon). The question of who can access your data is partly a question of where your data is stored. This in turn is often a question of who stores your data for you.
An important gamechanger entered the scene in 2018: the US CLOUD Act, a law passed by the US government which states that the US government can subpoena any data stored in an American cloud.
Now before you go on Googling non-US cloud providers: it doesn't mean that using the cloud is unsafe. The important thing is that you use the right type of encryption. Let's dive into some of the necessary terms:
Free whitepaper: Is it safe to store data in a US-based Cloud provider?
Is it possible to use the cloud safely? What does encryption mean when it comes to data security in the cloud? Get answers to this and much more.
What is the CLOUD Act?
The CLOUD Act is a US state law that allows US government agencies to request data stored on US-based cloud services, even if the cloud may be stored in Europe or elsewhere.
If your data exists in a cloud owned by a US-based company, they are obliged to disclose it to the authorities.
What is the Privacy Shield?
The Privacy Shield was a trade agreement that, until summer 2020, allowed transatlantic data transfers between the EU and the US. When the CLOUD Act came into force, a case was filed with the European Court of Justice. The Court then ruled that the Privacy Shield did not provide an adequate level of protection for such an exchange of data to proceed.
What is Schrems II?
The CLOUD Act doesn't sound very GDPR-friendly and you're right in thinking it's not. Schrems II is a ruling that the Privacy Shield is not an adequate level of protection for transatlantic data transfers between the US and Europe.
This ruling came about largely because the US CLOUD Act is in direct conflict with the GDPR.
In order to comply with the GDPR, some adaptions are necessary to avoid the CLOUD Act. Because the CLOUD Act allows US authorities to request data from US-based cloud providers, encryption keys must be stored separately from these cloud providers. Because the key is missing, the data cannot be read by the American authorities and is therefore useless.
How do you protect yourself from the Cloud Act?
Get encrypted data protection
Encrypted data protection is the best way to protect your information from the CLOUD Act. By using the right encryption, your information becomes unreadable and in turn worthless to the prying eyes of American authorities.
Store your encryption keys correctly
With zero knowledge encryption, neither the cloud provider nor the data protection provider has access to your encryption keys. Neither can disclose your data to an outside party, at least not a decrypted visible version of said data.
"If the data is going to be stored on a US cloud provider, then you can use encryption, where the encryption keys are being kept separate from the provider."
- Alexander Hanff, Data privacy and GDPR expert
CLOUD Act vs. GDPR - How to protect your data with the data and privacy expert, Alexander Hanff
Does Schrems II mean that organizations are violating the GDPR? What can you store in the cloud? Is it possible to get the benefits of the cloud, with proper data protection?
See our webinar and get answers to all these questions!
What to look for in an email encryption solution?
Think of your data like it’s James Bond and you’re the Queen of England. Keeping your James Bond safe and secure should be your top priority, so you’ll have to check if the encryption your data enjoys achieves this.
Secure communication needs encryption. But this does not mean that all encryption is secure. Many email providers (e.g. Outlook, Gmail) have an option to encrypt your emails, but it is not secure if you handle sensitive information. Both of these options use TLS encryption that, when used alone, it means that only the transmission channel is encrypted. This leaves the message vulnerable before and after it is sent. In addition, Gmail and Microsoft store the cryptographic keys in the cloud, which means you are not protected against the CLOUD Act.
To best protect your data, SmartLockr uses these features.
Zero knowledge end-to-end encryption
It ensures that only the authorized recipient has access to the encryption keys, which are stored separately from the provider. No one, not even the provider, can access your encrypted data.
Ease of use
Human error is the biggest cause for data leaks. If your safety solution isn't user-friendly, chances are your employees won't use it, negating its efficiency. Make sure to choose a solution that is user-friendly!
If you want to work safely, you should be able to do so on a Windows, Android, Mac or iOS. Make sure that your encryption solution supports all platforms.
Choose a supplier who knows what they're doing. Make sure they can answer all of your questions about encryption and that they are up-to-date on any security risks. Additionally, ensure that their encryption solution is updated regularly.
If your company grows, your solution should be made to fit that growth without requiring a new solution altogether.