Software Connect logo Software Connect logo
Best-in-Class Software Reviews Research
Best-in-Class Software
Financials
Best Accounting Software
Best AP Automation Software
Best Invoicing Software
Best Budgeting Software
Best Expensing Software
Best Fixed Asset Software
Construction
Best Construction Management Software
Best Estimating Software
Best Takeoff Software
Best Progress Billing Software
Distribution
Best Distribution ERP Software
Best Food Traceability Software
Best Pharmaceutical Distribution Software
ERP
Best Cloud-Based ERP
Best ERP for Small Business
Best Open Source ERP
Human Resources
Best Applicant Tracking Systems
Best HRMS Software
Best Payroll Software
Best Workforce Management Software
Maintenance
Best Auto Repair Software
Best Aviation MRO Software
Best CMMS Software
Best EAM Software
Best Fleet Maintenance Software
Best Work Order Software
Manufacturing
Best Job Shop Software
Best Manufacturing ERP
Best MES Software
Best MRP Software
Best PLM Software
Best QMS Software
Nonprofits
Best Fund Accounting Software
Best Fundraising Software
Best Grant Management Software
Supply Chain
Best 3PL Software
Best Demand Planning Software
Best Inventory Software
Best Order Management Software
Best Procurement Software
Best Yard Management Software
Best WMS Software
Other
Best BI Tools
Best Fleet Management Software
Best Field Service Software
Best Freight Broker Software
Best POS Systems
Best PSA Software
Best Retail Software
Best Seed-to-Sale Software
Best Time and Billing Software
Best TMS Software
All Roundups →
Reviews
Accounting Software
FreshBooks Review
QuickBooks Online Review
Zoho Books Review
CMMS
eMaint CMMS Review
Hippo CMMS Review
MaintainX Review
ManagerPlus Review
UpKeep Review
Construction Software
Buildertrend Review
Procore Review
Sage 100 Contractor Review
Sage 300 CRE Review
Spectrum Review
ERP
Acumatica Cloud ERP Review
Dynamics 365 Review
NetSuite ERP Review
Odoo Review
Sage Intacct Review
SAP Business One Review
Fund Accounting Software
Aplos Fund Accounting Review
Financial Edge NXT Review
FastFund Review
Manufacturing ERP
Aptean ERP Review
ECI M1 Review
Epicor Kinetic Review
Global Shop ERP Review
Infor SyteLine Review
SYSPRO Review
WMS Software
Körber Review
Latitude WMS Review
Logiwa WMS Review
All Reviews →
Research
2022 ERP Market Share Report
ERP Trends for 2023
Buyer Trends: Fund Accounting Software
Buyer Trends: MRP Software
Buyer Trends: WMS Software
Construction Tech Trends Report
CMMS Pricing 2023 Report
ERP Pricing 2023 Report
Web to Phone Qualification Report
All Research →

8 Experts Discuss Security, Encryption, and the NSA in the Cloud Age

Last Updated: January 16th, 2023
Researched and Written by: Adam Bluemner

On September 5, 2013 the New York Times published an article titled “Secret Documents Reveal N.S.A. Campaign Against Encryption.” The article contained an excerpt from a 2013 NSA budget request document for the $250M a year “SIGINT Enabling Project.” The NSA documentation described the program, which carried the operational nickname, “Bullrun,” this way:

The SIGINT Enabling Project actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs. These design changes make the systems in question exploitable through SIGINT collection (e.g., Endpoint, MidPoint, etc.) with foreknowledge of the modification.

The documents left little to the imagination. In fact, the overall picture was clear. The NSA has been spending hundreds of millions of dollars a year to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices.”

The opportunities offered by the web and the new age of cloud-hosted applications, though, continue to prove irresistible to businesses. According to a recent study by North Bridge Partners, 75% of businesses are now using at least one cloud based software. Our own study revealed that despite the exposure of domestic NSA surveillance and data collection, only 18% of IT pros said they definitively would not recommend cloud hosting of software.

Establishing data security is a complicated business challenge that every company connecting to the internet must contend with. The recent revelations about NSA activity serve only to make the issue even more complex. In his recent videoconference at the SXSW festival, NSA whistleblower, Edward Snowden, commented on the issue of data security in the age of surveillance–and what can be done to ensure privacy.

We wanted to take the conversation a step further. We connected with 8 leading web, cloud application, and data security experts to get their opinions on 6 critical questions related to corporate data security.

Questions

During the SXSW Videoconference Edward Snowden Said: “It Is the Development Community That Can Really Craft the Solutions and Make Sure We Are safe.” Do You Agree? If So, What Role Does Encryption Technology Play?

I absolutely agree. Encryption doesn’t have to be that difficult, but it will introduce friction where it wasn’t before. Email encryption is likely to continue to be problematic for a long time because it’s not a closed ecosystem, but things like file encryption (that applies even post-download, and includes in transit and at rest protection) and messaging encryption are very possible to do properly, given a decent balance between user experience and security in the design process. Ryan Kalember, Chief Product Officer, WatchDox

Yes, security is a responsibility of developers. But it’s also something that has to come from the top management of every business organization. The vast majority of developers are under huge pressure to deliver functionality. Security unfortunately is often a secondary priority. At Epiphany, we develop for the NetSuite Platform with native NetSuite code, which means NetSuite functionality governs security features in the platform. To establish good security, companies need to be focused vigilantly on it with up-to-date infrastructure, personnel, procedures and so on. It’s a cultural thing. Dave Hynek, VP of Business Development, Epiphany, Inc.

What I’ve traditionally recommended to clients who are trying to track down their weakest security link is to look at viruses and malware arriving via email. But with the advent of all the spam and AV solutions that reliably check email at the workstation level, we’re finding the weakest security link is often now web-browsing. We’ve seen browsers picking up malware that’s getting on user workstations and being used as a beachhead to get at other data resources on the network. The question we ask clients is: How are you protecting your web-browsing? Web-filtering software tools and tightening web-browsing policies are becoming critical approaches for securing the weakest security links for most companies. Kevin Lalor, President, Business Intelligence 101

I think that the ultimate weakest link is the fact that our economy and environment is so volatile as a country and world. As long as there are people that do not have everything they need or want and live in conditions of scarcity there will be those people that want to get those means, even if that is not legal a route. So there will always be attempts to breach security if that means possibly getting resources that would be unattainable to that group of people through other courses of action. If there was less volatility and inequality as far as economic policy and economic conditions worldwide, we would not see as many attempts at breaching security. This is not a vote in favor of one type of economic theory or another, it is just to point out the fact that as conditions are not up to par for certain groups of people, then they will have more incentive to find ways to make money or gain necessary resources even if those means are illegal. Isaiah Bollinger, CEO, Trellis

The Difference in Security Features Offered in Free Cloud Products Versus Business Class Tools Came Up During the Snowden Videoconference. “Shadow Technology” – or Software Used Outside of the Sponsored IT Ecosystem – is Becoming a Hot Topic. What Can Businesses Do to Combat This Security Risk?

There are definitely privacy and civil liberties issues at stake here. For a company really to have tight security, they would have to impose security protocols on every employee’s devices where company information might be stored or discussed. This would include smart phone and tablets–not just the single desktop or laptop that the employee uses at work. I, for example, can run all of my work-related applications on my Surface, but my IT department doesn’t even know that I have one, so it’s very likely that my Surface doesn’t meet my company’s security requirements. In order for that to happen, companies would have to become the personification of Big Brother. I do see the possibility that 2014 will move many businesses closer to Orwell’s 1984! Marcia Nita Doron, Marketing Director, Altico Advisors

SSL Has Been Providing Encryption of Traffic to and From Many Websites and Web Applications for a Long Time. What About File and Hard Drive Encryption? Is This Also Becoming a Must for Business Security?

When dealing with sensitive data, hard drive encryption is worth considering although there might be performance impacts. Still, like SSL in which some underlying technologies have been shown to be vulnerable to attacks, there might be vulnerabilities with such encryption. Encryption provides protection and can reduce risk of exposure of sensitive data. In itself, it will never solve all security problems. It’s important to recognize the inherent insecurity of doing business on the global Internet in order to put in place processes to deal with this insecure reality. Patrick Cloutier, Senior Software Architect, Sirius Software

Providing Any Sort of Web-Based Service or Product Inherently Means Discussing Security With Customers. Has the NSA Surveillance Story Changed This Conversation in Any Meaningful Way for Your Company? Do Your Customers Mention It?

The NSA revelations have become one of the defining moments for solidifying an open, transparent and trusting relationship with our customers. As an Internet company with security in its DNA, we’ve always had the philosophy of building products with security in mind instead of tacking it on as an afterthought. On our web site blog, we have discussed PRISM and the use of forward secrecy in TLS to thwart it, explained why random numbers are important for security, described how the NSA may have put a backdoor in RSA’s random number generator, and made it easy for our customers to participate in The Day We Fight Back against Internet surveillance. Engaging our customers about these issues also helped drive new initiatives such as Strict SSL usage, an open source cryptography project, and the publication of our first transparency report. Nick Sullivan, Software Engineer and Security Architect, CloudFlare

What’s the Role of Development Community in Ensuring That the NSA or Others Aren’t Successful in Creating Encryption Backdoors of the Variety Sought via “The SIGINT Enabling Project”?

Vendors should make their encryption code public, including the protocol specifications. The community should create independent compatible versions of encryption systems, to verify they are operating properly. There should be no master secrets. These are just too vulnerable. All random number generators should conform to published and accepted standards. Encryption protocols should be designed so as not to leak any random information. Bruce Schneier, Security Guru, Schneier.com

Talk with a software advisor
Talk with an advisor
Get a free consultation from an independent software expert.
Or, call toll-free: (800) 827-1151
Talk with a software advisor
Talk with an advisor