There has been increasing demand from government and law enforcement in recent months for some sort of encryption backdoor. The theory (whether grounded in reality or not) is that an encryption backdoor will allow intelligence agencies to detect and prevent more terrorist attacks. The one thing that none of these demands for access to encryption seems to address, however, is the impact such a backdoor will have on the ability of organizations to conform to regulatory and industry security compliance mandates:
Companies are governed by an array of government and industry compliance mandates that require them to take steps to secure and protect data. Generally speaking, the primary method of securing sensitive data is to encrypt it, but demand is growing from government agencies and law enforcement to build some sort of back door to enable encrypted communications and data to be monitored. If such a back door exists, though, can we still hold organizations accountable for data security?
Let’s start by taking a look at what the major compliance frameworks say about securing data. PCI-DSS (Payment Card Industry Data Security Standard) says that strong encryption should be used. In 2009 Visa released a document defining best practices, which clarifies that companies should employ algorithms and key lengths consistent with industry and regional standards, use robust key management solutions consistent with industry and regional standards, and protect the devices used to perform cryptographic operations from physical and logical compromise.
The encryption requirement for HIPAA (Health Insurance Portability and Accountability Act) is a bit more confusing. The HHS.gov website clarifies that the HIPAA Security Rule does not require encryption. Technically that is true, but when you view the HIPAA Security Rule in its complete context, encryption is still implied. At the very least, entities that fall under HIPAA are expected to take “reasonable and appropriate” actions to protect data—which essentially means encryption.
SOX (Sarbanes-Oxley) applies to publicly traded companies and is specific to the financial accounting and reporting aspects of the organization. It does not necessarily mandate encryption, but it does require that any and all relevant financial and accounting information be properly safeguarded in order to maintain its integrity and reliability for accurate reporting. Again, encryption is sort of implied.
One thing that is common across compliance frameworks is that they rarely dictate specific technologies or solutions. The challenge is to write requirements that apply universally and can stand the test of time. If a compliance requirement mandates a specific encryption method, then the framework becomes useless or needs to be re-written if and when that encryption method is no longer viable.
Back to the issue at hand, though. HIPAA and SOX don’t specifically mandate encryption, and PCI-DSS only requires that encryption algorithms and key management processes fit with industry and regional standards. Within the scope of those compliance frameworks, a back door for government or law enforcement doesn’t seem to overtly violate the compliance requirements.
Check out the full story on the RSA Conference Blog: An Encryption Backdoor Will Be a Challenge for Compliance.