It’s always fun to come up with headlines around a brand that has an exclamation point as part of their name, but I digress. What this is really about is Yahoo!’s recent announcement that they’re going to start to encrypt the data of users.
On Monday, Yahoo!’s CEO Marissa Mayer posted a blog in which she outlined the steps the company will be taking to secure user data. This included:
- Encrypt all information that moves between our data centers by the end of Q1 2014;
- Offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014;
- Work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled.
These are great steps to increase the security of user data that Yahoo! has domain over however, it may not be ideal for end users and potentially provides a false sense of security. But let’s look at things on an individualized basis, specifically points 1 and 3.
Enabling and using SSL should be a no-brainer for a company like Yahoo! Their competitors have been doing it for a while now for their mail (just look at Gmail and Outlook.com) and securing the ‘tunnel’ between data centers shouldn’t have been an afterthought in the first place.
But it’s point number two that raises questions and leads to broader implications for users. If you want air-tight security or the perception that you’re offering it, remove the user ‘option’ and just do it. The second you let users make security decisions, is the second you leave holes in the security of your data.
And that’s the nut of it. More and more service providers like Yahoo! are promoting the security they’re implementing to protect their users. But it’s potentially leading to a false sense of security.
Let’s look at this from another perspective, security in the cloud and user expectations. Are they relying on their providers ‘encryption’ to protect their data? What happens if someone hacks the provider? Is their data safe? Not likely.
From a data-at-rest perspective, we can look at this in an over-simplified way: Service providers like Yahoo!, Google and Dropbox, Outlook etc. all employ some form of security. Think of them as an apartment building. Think of yourself and your data as being a tenant in this building. Every tenant in the building has keys to the front door of the building – they can get in, but can only get access to their own apartment because they have the key to that particular area.
However, there’s another person in the building that has access to the front door and every single apartment – the landlord/superintendent (the service provider). If that landlord/superintendent is ever compromised, every tenant is at risk of having someone break into their apartment.
If you have valuable stuff in your apartment, it’s recommended that you lock them away somewhere – like in a safe that only you have the combination to. If that landlord/superintendent is ever compromised and your apartment is accessed, your most important information is locked away in your safe, not leaving you at risk and ensuring that your information isn’t lost or stolen.
It’s always better for the end-users to be encrypting at the device level. Keys tied to the end point vs. the service provider’s services are far more secure and less susceptible to prying eyes. What Yahoo! Is doing is a start, but it can’t all start and end with the provider’s security. There needs to be accountability and management at the user/company level as well.