Tim Erlin, director of IT security and risk at Tripwire, said it's easy to make mistakes that can render encryption ineffective: "It doesn't matter if your database is encrypted if the application used to access it is available with a default password."
To catch such errors, there is a need for more transparency. Many encryption standards are open, but without third-party audits or public review of code, it's difficult to know whether products using them contain accidental or intentional backdoors.
Transparency is critical for trust, and vendor claims aren't enough, according to Bower. "A vendor can't simply tick a box and say encryption is turned on," he said. "That means nothing. It's how it's used, when data is encrypted and decrypted, with what method, and the process by which keys are managed, stored, and restored which is critical to understand before there's any measure of benefit for users. If it is well implemented, and provably so, then data privacy and surveillance risks are dramatically reduced."
RSA, the security division of EMC, recently found its trustworthiness and transparency called into question following a report by Reuters that it was paid US$10 million by the NSA to make a flawed pseudorandom number generator called Dual_EC_DRBG the default choice in its BSAFE cryptography library. Random number generators serve a critical purpose in cryptography, and using a weak one can undermine the security of the whole cryptosystem. RSA denied that it had ever entered into a contract or project with the intention of weakening or introducing backdoors into its products.
The company had advised customers to stop using Dual_EC_DRBG in BSAFE following media reports in September claiming the NSA pushed this flawed random number generator as a standard as part of its efforts to defeat encryption.
Bower believes the recent surveillance revelations should act as a call for independent verification of security claims and cryptographic system designs in both open-source and commercial products.
The current situation with many commercial products "motivates users to consider existing open-source alternatives that might provide greater transparency and security," according to Erlin, while Bower expects the open-source software community to start pushing for open audits to make sure there are no backdoors in popular free tools.
An example of that is the project organized by Green and Kenneth White, principal scientist at health software-as-a-service provider BAO Systems, to audit TrueCrypt, a popular open-source disk encryption tool.
Snowden's revelations of mass surveillance have brought the value of encryption into focus for a large number of people, but the challenge of securing all communications involves making encryption seamless and fully automated.
It needs to be as easy as using electricity, Bower said. "End users don't need to understand electromagnetic theory to use electricity; they simply plug in, turn on, and use their favorite new gadget."