Implementing advanced encryption to services and applications will become quicker, simpler and more cost-effective.
Encryption is an example of "defence-in-depth”, which provides a second security control that works independently from access control. Defence-in-depth is a data-security best practice, where multiple security controls are put in place to protect valuable data such as personally identifiable information.
Next year encryption will become easier thanks to the increasing availability of cloud-based encryption-key management services. Managing and protecting encryption keys can be difficult. Organisations need to work where to store the keys, and how to protect a system. Getting it wrong can lead to catastrophic data breaches. Cloud-based key-management services will give organisations the option to store their keys securely, away from their physical site. And they will also provide greater control over which users and applications have access to the keys, under what context they can use the keys, and for how long.
We will also see an increase in encryption for data in motion – that is, data moving around networks and across the internet – thanks to a new implementation of the Transport Layer Security (TLS) protocol, which provides end-to-end secure communications over the internet. Most organisations today use OpenSSL for their TLS needs. OpenSSL has 500,000 lines of code, with at least 70,000 of those involved in processing TLS. This is old code and when it was written there was no way to have modern security threats in mind. What’s more, it is hard to understand, and difficult to audit and it is tricky to fix bugs within it. Often the fixes introduce new ones.
At Amazon Web Services we have, over the past few years, been rolling out a new, simpler implementation of TLS called s2n – a small and easily auditable code base, with around just 6,000 lines of code. It is also open source, and available on GitHub, which will make it easier for organisations to build encryption into any service or application, correctly.
This year we will see increasing use of automated mathematical proof of correctness. One example of this is proving the correctness of the TLS handshake, during which the server and the client exchange the information required to establish a secure connection. Proofs, which we have been running to prove the correctness of s2n, are automated. When changes are made to s2n, the proofs are rerun, mathematically proving that the maintenance of the desired security properties in the new code is correct. We will see more and more companies requesting this form of automated reasoning, especially for systems that deal with security and encryption.
Security is our top priority, and we all need to take precautions and protect the most precious asset: data. Next year this will become even easier and more widespread. As I like to say: "Dance like nobody is watching. Encrypt like everyone is watching."
Werner Vogels is vice-president and chief technology officer of Amazon Web Services
This article was originally published by WIRED UK
