The problems with backdoors into security solutions
Adam Boone, Chief Marketing Officer, Certes Networks
Backdoors into security solutions, specifically encrypted communications, have been a major topic of debate lately. While this discussion has certainly taken place in the past, it recently shook the tech industry to its core after Apple CEO Tim Cook released a letter stating that the company will fight the FBI’s court order to provide a backdoor into an encrypted iPhone.
Cook asserted that if Apple creates a way to circumvent the device’s security features, the organisation is compromising the fundamental aspect of digital security. While the backdoor could be used only once, Cook argued that it wouldn’t be, since a backdoor of that magnitude would effectively nullify the company’s attempts to protect private information – anyone, “good” or “bad”, could gain access to that backdoor and use it to steal data and further compromise systems.
Now, Google CEO Sundar Pichai has joined the conversation, tweeting that whoever creates a backdoor into a piece of secure technology is essentially “hacking” end users’ computers and “compromising” privacy.
This point of contention has a solid answer, however. A recently published report from Harvard University’s Bruce Schneier and his peers Kathleen Seidel and Saranya Vijayakumar detailed an analysis of encryption products around the world, and these researchers wrote that a national law requiring backdoors into cryptography tools would have an “overwhelming” impact on end users with respect to data protection and privacy. Simply put, any infrastructure component could be compromised if a backdoor exists. It provides access for all those who exploit it, while giving hackers a definite way to infiltrate corporate networks and consumer devices.
That said, the only truly secure approach is to use software-defined security that is decoupled from the infrastructure as a part of a holistic “no trust” policy, in which organisations trust nothing, including the infrastructure itself. With security decoupled from the infrastructure, end-to-end encryption and role-based access control solutions can protect sensitive applications even if a backdoor exists in another product along the communications path.