Can you shut the backdoor?

In the aftermath of the Apple controversy and the encryption debate, where do developers and security practitioners stand on backdoors?


Though the encryption debate has quieted since the FBI resolved its issue with Apple, the question of whether to install backdoors or use encryption has not been answered. In a data encryption snapshot released by Spiceworks this spring, 90 percent of IT professionals reportedly believe the existence of backdoors (for government agencies, law enforcement, etc.) puts organizations more at risk of a data breach. That's nine out of 10 practitioners who stand firmly against installing backdoors.

Undoubtedly, this overwhelming opposition to the existence of backdoors has an impact on which products IT professionals choose, but how great of an impact?

The survey says it's a pretty substantial impact, finding that 65 percent of IT pros are less likely to buy from a company that's been known to put security backdoors in products. Only 20 percent of IT pros said a history of backdoors would have no impact on their vendor evaluation process.

According to Peter Tsai, an IT analyst at Spiceworks, security practitioners, especially when choosing cloud storage, are looking at the types of encryption being used. Tsai said, "They want to see that developers are in compliance, so they are looking to see that products meet a minimum standard." Before purchasing products, IT professionals are asking, What type of security is being used? What risks to security exist in backdoors? Are there intentionally placed vulnerabilities that could compromise their systems?

While historically a lot of developers have been cooperating with government agencies, some are starting to push back by enforcing strong encryption. "Depending on how strong the encryption is, it could take months or years to decrypt. If you have a way to bypass that encryption, you can access data instantly," said Tsai.

Government agencies want real-time access to data in order to combat perceived threats, but companies don't want to divulge their sensitive data. Having witnessed Apple buck this trend, many are now wondering whether it is better to do their part and cooperate with their government or to close the backdoors.

Spiceworks's survey of more than 600 IT pros from North America and EMEA suggests that encryption is actually helping. 

Where companies are using encryption and why:

  • 57% of IT pros said they believe network and/or device encryption helped their organization avoid a data breach.
  • Nearly 50% of organizations encrypt data in transit from their laptops/desktops, and 47% encrypt data in transit from their cloud computing and cloud storage services. However, encryption of data at rest is less common, particularly on cloud services.
  • Encryption on smartphones and tablets is much less common than on more traditional computing form factors. IoT devices are least likely to take advantage of encryption, with only 18% of companies encrypting IoT data in transit.
  • Lastly, 16% of organizations are not enforcing data encryption across any of their devices or services.

One area of concern for Tsai is in mobile and IoT. "They are produced by companies that aren't traditional IT companies. They are consumer electronics manufacturers that are putting computers in devices that didn't have them before. They are light bulb or coffee maker manufacturers that don't have security at the top of their minds," Tsai said.

Unfortunately, there are not a lot of standards in the IoT space. "You are dependent on that company to update firmware and make sure it's secure on the back end," said Tsai.

Developers, especially those of mobile and IoT devices, need to develop products with security in mind first rather than trying to capitalize on their smart devices by pushing products out to market. The proliferation of these devices is only going to expand, which will inevitably create unforeseen opportunities for malicious actors.

This reality puts a lot of responsibility on developers to choose the best security measures. They need to be asking whether they should keep the backdoor open knowing that closing it will mitigate a certain level of risk.

This article is published as part of the IDG Contributor Network.