Yahoo! Security!

It’s always fun to come up with headlines around a brand that has an exclamation point as part of their name, but I digress. What this is really about is Yahoo!’s recent announcement that they’re going to start to encrypt the data of users.

On Monday, Yahoo!’s CEO Marissa Mayer posted a blog in which she outlined the steps the company will be taking to secure user data. This included:

  • Encrypt all information that moves between our data centers by the end of Q1 2014;
  • Offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014;
  • Work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled.

These are great steps to increase the security of the user data that Yahoo! has domain over; however, they may not be ideal for end users and potentially provide a false sense of security. But let’s look at things on an individual basis, specifically points 1 and 3.

Enabling and using SSL should be a no-brainer for a company like Yahoo! Their competitors have been doing it for a while now for their mail (just look at Gmail), and securing the ‘tunnel’ between data centers shouldn’t have been an afterthought in the first place.

But it’s point number two that raises questions and leads to broader implications for users. If you want air-tight security, or the perception that you’re offering it, remove the user ‘option’ and just do it. The second you let users make security decisions is the second you leave holes in the security of your data.

And that’s the nut of it. More and more service providers like Yahoo! are promoting the security they’re implementing to protect their users. But it’s potentially leading to a false sense of security.

Let’s look at this from another perspective: security in the cloud and user expectations. Are users relying on their providers’ ‘encryption’ to protect their data? What happens if someone hacks the provider? Is their data safe? Not likely.

From a data-at-rest perspective, we can look at this in an over-simplified way: service providers like Yahoo!, Google, Dropbox, Outlook, etc. all employ some form of security. Think of them as an apartment building. Think of yourself and your data as a tenant in this building. Every tenant in the building has a key to the front door of the building – they can get in, but can only get access to their own apartment because they have the key to that particular area.

However, there’s another person in the building that has access to the front door and every single apartment – the landlord/superintendent (the service provider). If that landlord/superintendent is ever compromised, every tenant is at risk of having someone break into their apartment.

If you have valuable stuff in your apartment, it’s recommended that you lock it away somewhere – like in a safe that only you have the combination to. If that landlord/superintendent is ever compromised and your apartment is accessed, your most important information is locked away in your safe, not leaving you at risk and ensuring that your information isn’t lost or stolen.

It’s always better for end users to be encrypting at the device level. Keys tied to the endpoint rather than to the service provider’s services are far more secure and less susceptible to prying eyes. What Yahoo! is doing is a start, but it can’t all start and end with the provider’s security. There needs to be accountability and management at the user/company level as well.
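As an added illustration of the landlord/safe argument above (example code, not from the original post), here is a small Python model of provider-held keys versus device-held keys, with a breach simulation showing what an attacker who fully compromises the provider can read. The Provider class, its two modes and the HMAC-based stream cipher are constructed for this demo; the cipher stands in for a vetted AEAD such as AES-GCM so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: HMAC-SHA256 in counter mode as the keystream.
    Keeps the block standard-library only; production code would use a
    vetted AEAD such as AES-GCM, which also authenticates the data."""
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, stored with the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class Provider:
    """The apartment building. In landlord mode the provider derives every
    tenant's key from its own master key, so it can open every apartment.
    In safe mode tenants encrypt on their device before uploading and the
    provider only ever stores ciphertext (the safe only the tenant can open)."""

    def __init__(self, landlord_holds_keys: bool):
        self.landlord_holds_keys = landlord_holds_keys
        self.master_key = os.urandom(32)   # meaningful only in landlord mode
        self.storage = {}                  # tenant -> stored blob

    def tenant_key(self, tenant: str) -> bytes:
        return hmac.new(self.master_key, tenant.encode(), hashlib.sha256).digest()

    def upload(self, tenant: str, data: bytes, device_key: bytes = None) -> None:
        key = self.tenant_key(tenant) if self.landlord_holds_keys else device_key
        self.storage[tenant] = encrypt(key, data)


def breach(provider: Provider) -> dict:
    """What an attacker who fully compromises the provider (storage plus any
    key material it holds) can read. None means ciphertext only."""
    if provider.landlord_holds_keys:
        return {t: decrypt(provider.tenant_key(t), b) for t, b in provider.storage.items()}
    return {t: None for t in provider.storage}
```

In landlord mode the breach returns every tenant's plaintext; in safe mode it returns nothing readable, because the device key never left the endpoint.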
