Most messaging platforms offer some form of encryption, but not all offer end-to-end encryption (E2EE).
Without E2EE, message data is encrypted only while in transit between a device and the service provider's servers (typically with TLS). Once it reaches those servers it is decrypted, so the service provider can access the message content.
“In many cases, a service provider’s sole purpose for using this kind of encryption is to access the message for data processing, analytics, targeted advertisements, etc.,” Anurag Lal, president and CEO of Infinite Convergence Solutions, which offers secure enterprise messaging service NetSfere, and former director of the US National Broadband Task Force, tells InformationWeek.
E2EE, conversely, encrypts the message on the sender's device and decrypts it only on the recipient's device. It stays encrypted while in transit and while stored on the provider's servers, so no one between the two endpoints, the provider included, can read it. Only the party holding the corresponding decryption key at the intended endpoint can read the message.
The type of encryption used has implications not just for senders and recipients, but also for service providers. If a government agency compels a service provider to supply customer information via warrant, subpoena, or other measure, an E2EE service provider can supply only encrypted content, plus whatever metadata it retains (account details, contact lists, timestamps), which E2EE does not protect. Transparency reports from Google and Facebook show how government requests for customer data continue to increase, including for enterprise accounts.
Value Proposition and Downsides
E2EE messaging can play a vital role in enterprise cybersecurity, helping companies protect sensitive data and meet data privacy standards. Rapid cloud adoption and the rise of remote work have broadened the enterprise attack surface, and E2EE messaging can form part of the response. In addition to protecting messages in transit, E2EE reduces the potential impact when a breach does occur, because a breach of the provider no longer exposes message content.
“If the breach occurred on my device, it's only my messages that would be impacted versus non-end-to-end encrypted messaging; if the breach occurred at the service provider, then the impact could be significant, and all messages could be essentially decrypted,” Ryan McCarthy, senior director in technology consulting in the security and privacy practice at global consulting firm Protiviti, expounds.
The security strength of E2EE messaging is in many ways an asset, but enterprise leadership must also consider the downsides of that strength. Corporations have a number of reasons to access and monitor employee communications, which E2EE may prevent.
“If a company is going to implement E2EE, it needs to carefully plan and implement or it could have unintended consequences such as hindering their monitoring and logging capabilities for insider threat detection or their data loss prevention capabilities,” says Don Heckman, a director at consultancy Guidehouse.
Properly implemented E2EE is not practically breakable by brute force, but it is not a one-size-fits-all solution for data security.
Man-in-the-middle attacks are still a security concern. “If an attacker can masquerade as the intended recipient, then they can insert themselves in the communications stream reading the traffic and relaying messages to and from the sender and receiver,” says Heckman. The protocol only binds a conversation to whoever holds the keys, so the keys themselves have to be verified: this is why E2EE apps expose a key fingerprint (Signal's “safety number”, WhatsApp's “security code”) for users to compare out of band, and why a “security code changed” warning should be treated as a signal to re-verify rather than dismissed.
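The following is an added example, not code from the article or from any of the products it mentions. It simulates the attack Heckman describes: two parties run a Diffie-Hellman key exchange through a relay, which stands in for anything in the path, the service provider included. When the relay is honest both sides derive the same session key; when Mallory substitutes her own public keys, each side unknowingly shares a key with her instead, and she can decrypt and re-encrypt every message. The out-of-band fingerprint comparison (a safety number computed over both public keys) is what exposes the substitution, and the trust-on-first-use check at the end is what produces a “key changed” warning on a later exchange. The group parameters, the names and the safety-number construction are assumptions made for illustration; the prime is far too small for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only: 2**127 - 1 is a
# genuine prime, but it is far too small and not a safe prime. Never use it for real.
P = 2**127 - 1
G = 2
KEY_BYTES = 16  # any value mod P fits in 16 bytes


def keypair():
    """Generate a DH private exponent and the matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1  # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Derive a session key from the DH shared value (hashed, as a KDF would)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def safety_number(pub_a, pub_b):
    """Fingerprint over both public keys, order-independent so each side computes the
    same string when they really hold each other's keys (the 'safety number' idea)."""
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(lo.to_bytes(KEY_BYTES, "big") + hi.to_bytes(KEY_BYTES, "big"))
    return digest.hexdigest()[:20]


class Mallory:
    """Active attacker in the path (a hostile relay, or the service provider itself).
    She answers each party with her own public key, so she ends up sharing one session
    key with Alice and another with Bob and can decrypt and re-encrypt everything."""

    def __init__(self):
        self.priv_for_alice, self.pub_for_alice = keypair()  # shown to Alice as "Bob"
        self.priv_for_bob, self.pub_for_bob = keypair()      # shown to Bob as "Alice"
        self.key_with_alice = None
        self.key_with_bob = None

    def relay_alice_to_bob(self, alice_pub):
        self.key_with_alice = shared_secret(self.priv_for_alice, alice_pub)
        return self.pub_for_bob  # Bob receives Mallory's key, not Alice's

    def relay_bob_to_alice(self, bob_pub):
        self.key_with_bob = shared_secret(self.priv_for_bob, bob_pub)
        return self.pub_for_alice  # Alice receives Mallory's key, not Bob's


def run_exchange(mitm):
    """Run the key exchange through an honest relay (mitm=False) or through Mallory.
    Returns what each party derived plus what Mallory learned, so it can be checked."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    mallory = Mallory() if mitm else None

    # Public keys travel through the relay; an honest relay returns them unchanged.
    pub_bob_sees = mallory.relay_alice_to_bob(alice_pub) if mitm else alice_pub
    pub_alice_sees = mallory.relay_bob_to_alice(bob_pub) if mitm else bob_pub

    return {
        "alice_key": shared_secret(alice_priv, pub_alice_sees),
        "bob_key": shared_secret(bob_priv, pub_bob_sees),
        # Each client shows this string in its UI; the users compare them out of band.
        "alice_safety": safety_number(alice_pub, pub_alice_sees),
        "bob_safety": safety_number(bob_pub, pub_bob_sees),
        "mallory_key_with_alice": mallory.key_with_alice if mitm else None,
        "mallory_key_with_bob": mallory.key_with_bob if mitm else None,
    }


def verified(result):
    """True only when both safety numbers agree, i.e. nobody substituted keys."""
    return result["alice_safety"] == result["bob_safety"]


def check_key_change(known_keys, peer_id, pub):
    """Trust-on-first-use pinning: remember a peer's first key and flag any change.
    A 'changed' result is what a messenger's 'security code changed' warning reports."""
    if peer_id not in known_keys:
        known_keys[peer_id] = pub
        return "new"
    return "ok" if known_keys[peer_id] == pub else "changed"


if __name__ == "__main__":
    for mitm in (False, True):
        r = run_exchange(mitm)
        print(f"mitm={mitm}: session keys match={r['alice_key'] == r['bob_key']}, "
              f"safety numbers match={verified(r)}")
```

Note that in the MITM run the exchange itself succeeds from each party's point of view: messages encrypt and decrypt normally, which is exactly why the attack is invisible without the fingerprint comparison or a pinned key. The same code path applies whether the substitution is done by an outside attacker or by the provider relaying the keys.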
Additionally, enterprises cannot forget about the endpoints. E2EE protects messages between devices, not on them: an attacker who compromises a device through an endpoint vulnerability sees plaintext, keys, and message history regardless of the protocol. Endpoint security remains vital.
Breaches caused by human error are common, and E2EE cannot prevent phishing and social engineering attacks; it secures the channel, not the content, so a malicious link arrives just as reliably as a legitimate one.
It is also critical for enterprises to consider how backdoors in an encryption system, whether deliberately built in (key escrow or lawful-access mechanisms, for example) or introduced by implementation flaws, could be exploited by threat actors.
E2EE in the Corporate World
E2EE is a valuable data privacy tool. “As more organizations accelerate digital transformation initiatives and move to cloud environments and privacy laws and regulations become more stringent, end-to-end encryption systems are becoming more important to the overall cybersecurity programs for companies,” Heckman points out.
What kind of solutions are available for enterprise-level E2EE messaging? Many corporations leverage the same E2EE messaging platforms that are popular among consumers.
Messaging platforms like WhatsApp, Signal, and Viber use end-to-end encryption. Companies whose messaging services are widely used in the corporate world, including Microsoft, Google, Zoom, and Apple, also offer E2EE for some of their products or modes.
With many E2EE messaging options available for enterprises, what does adoption look like?
“End-to-end encryption has made a lot more headway in the consumer space than the enterprise space mostly because the enterprise ecosystems are a lot more complex,” Tarun Thakur, founder and CEO of data authorization platform company Veza, clarifies. Corporations must juggle not only internal messaging but also communication with contractors and third-party vendors.
McCarthy has observed many smaller clients using E2EE messaging as an informal way for employees to connect. In his experience, adoption varies depending on the enterprise's size and industry.
For example, the financial services industry may be slower to adopt E2EE messaging because of compliance issues. Financial firms are subject to stringent federal recordkeeping laws. In 2021, investment banking company JPMorgan was fined $75 million by the Commodity Futures Trading Commission (CFTC) and $125 million by the US Securities and Exchange Commission (SEC) for allowing its employees to use WhatsApp to conduct business on personal devices.
The Outlook on Adoption
Implementing E2EE messaging, like any cybersecurity tool, is a question of risk for enterprises. Does the benefit of accessing enterprise messages for search and analytics purposes and insider threat detection outweigh the data security risks? Some enterprises may decide the answer to that question is “yes.” Other organizations may consider navigating the potential regulatory pitfalls of using common E2EE messaging apps to be a greater risk than eschewing E2EE messaging.
Some organizations may opt to avoid E2EE messaging, while others may use it selectively.
“You may see enterprises adopt it for very specific use cases where highly confidential information and conversations need to be had with third parties or your peers,” McCarthy anticipates.
For enterprises that face potential regulatory complications with the adoption of E2EE messaging, the answer lies in strict policies and governance of the types of E2EE tools, the employees who can use these tools, and the appropriate context for use.
E2EE messaging may not immediately be embraced by all organizations, but its value as a data security tool will likely drive enterprises to find solutions to the obstacles standing in the way of adoption.
“One of the main strategies that can be useful to help overcome the consequences of end-to-end encryption is separating data decryption processes from encryption key handling. Such separation allows organizations to provide authorized access to encrypted data without exposing a user's private keys,” says Ryan Lasmaili, CEO and co-founder of data privacy company Vaultree.
A shift away from consumer-grade messaging platforms to E2EE platforms built for enterprises could drive further adoption in the corporate world as well.
“An E2EE messaging service with dedicated administrative controls provides the level of security and compliance that’s required in today’s rich cyber-risk environment,” Lal argues. “When implemented and mandated properly, it eliminates the use of consumer-grade messaging apps, like WhatsApp, that compromise enterprise data. It allows the enterprise to stay compliant with government rules and regulations and concentrate on their core business offering.”