Why not use open source encryption?

Data Encryption

There’s a lot of talk about encryption these days. Often the issue arises when moving data to the cloud, using solutions like Dropbox or Box. We start to wonder if our information will be safe if it’s no longer stored locally on computers in our offices. We are confident that Dropbox and Box store everything in a secure way -- we have little reason to believe that they don’t, right?

Next, we think, "OK, what happens when information leaves or enters the cloud? Is our communication safe? Maybe that information should be encrypted, too". Actually, there’s no question about it. Data should be encrypted when it moves in and out of a network and when it’s stored in the cloud.

Endpoint encryption: protection from human error

Where is data most vulnerable? It is at the endpoints. Without endpoint encryption on ultra notebooks, laptops and desktops, data is vulnerable. This is where you naturally store the user names and passwords to cloud apps and communication -- critical and confidential information that must be kept secure.

For some reason people seem to underestimate the importance of the human factor when it comes to IT security. Recent findings show that more than six out of ten data breaches emanate from a lost or stolen laptop. If you lose your laptop, then you most certainly are losing confidential information as well. We can’t always prevent the loss of a laptop, but we can prevent unauthorized access to what’s stored on our laptops.

Open source: "you get what you pay for"

So, how do I secure my laptop? When browsing the Internet for security software you will most certainly find some open source software that looks interesting -- and perhaps it may be even more appealing because it is free. But don’t be fooled by low or no cost -- because the costs associated with frequently unsupported "as is" free applications and poorly tested open source software can also be quite high.

Open source can create a false sense of security. Using open source means being dependent on something that might not work in the end, when you most need it.

"One of the challenges with using open source is the potential of introducing vulnerabilities that can cause exploits down the road", says Len Carella, Vice President of Corporate Infrastructure for iCIMS, a provider of SaaS solutions for talent acquisition. "There is no guarantee you’ll receive timely support on technical issues that may arise. What originally may look attractive based on price may end up being very costly to your business in the long run".

Are you hanging on to the TrueCrypt encryption system?

The TrueCrypt story is a good example of what happens when a team decides to no longer develop its product and patch security holes. In May 2014, the TrueCrypt website announced that the project was no longer being maintained and recommended that users find alternative solutions.

Why is this sound advice? Critical security flaws have been revealed. Attackers could leverage the flaws to ultimately have free access to your "protected" data. Malware could be downloaded, unwanted surveillance could take place, a PC could be ruined -- there is virtually no end to the damage a hacker could do once flaws have been exposed but not patched.

Customers are often not on top of the latest IT security issues with the products they use. If a bug is found, it's safe to assume it will not be patched when the developers are gone -- no matter how serious the flaw is. Do users simply not understand the risk of using unsupported software? Or are they simply misled by the "price" of a free product?

Another problem with using open source is that you can't be sure who is behind the software, and there could potentially be back doors you are not aware of. Who knows?

Self-installation of laptop encryption can be quite difficult if you don’t have the right skills, and many SMBs don’t. Companies without an IT department of their own need someone to help them when problems arise.

In the case of a software/hardware crash or forgotten password, data can become inaccessible, with no assistance available. Who is responsible for retrieving that data when a company is using freeware such as open source? The implication here is that large enterprises remain secure, while SMBs remain vulnerable.

My advice to TrueCrypt users is that it is time to move to another, safer solution to make sure that your information is protected and secure. If you don’t have an IT department of your own, look for an online service provider that can help you. Their technology should be based on supported software that’s upgraded and updated as new threats are discovered.

And, last but not least, stay away from open source!

Photo credit: Lightspring / Shutterstock

Ebba Blitz is president of Alertsec. Specializing in the fast deployment of IT security and sales, she has been on the board since its inception in 2007 and is responsible for setting up the U.S. West Coast sales office. The encryption company provides computer security through the cloud.


© 1998-2024 BetaNews, Inc. All Rights Reserved.