It can be hard to penetrate all marketing buzz and get down to what truly matters with regards to security and privacy. This page highlights some important aspects to take into considerations when selecting a secure communication system.
Is the system secure?
The most fundamental aspect when choosing a secure communication system is obviously to determine if the system is secure enough to handle the intended information.
It goes without saying that it is a bad idea to use a system from a vendor you don’t trust. To this point vetting the vendor is a natural way to build confidence, e.g. ownership, financial status, commercial model, privacy polices, and references.
A security assessment of a communication tool is a very complicated and ongoing process that require expert knowledge on many separate fields, e.g. cryptography, user enrolment, software life cycle management, handling of meta data, networking, and operating environment on mobile devices.
Aspects to take into considerations:
- Do you have enough information to trust the vendor?
- Is the solution security assessed continuously and by an independent technical authority?
Cryptify Call has been successfully evaluated by the National Cyber Security Centre in UK (NCSC). NCSC is internationally recognized as a leader in cyber security.
UK OFFICIAL
Cryptify Call voice and messaging encryption is approved for communication at security level UK OFFICIAL (RESTRICTED) and NATO RESTRICTED.
NATO RESTRICTED
Who’s listening?
Another fundamental aspect of a secure communication system is for the users to be able to authenticate each other. However, this is often the weakest link in many communication systems. Authentication serves two main purposes:
- You know who you’re communicating with, and
- You know that no one else can listen in on the conversation, e.g. using a man-in-the-middle attack.
Generically there are two methods to achieve authentication:
- Leave it to the users
- Centrally managed
- Private key; used by the sender to sign messages
- Public key; used by the recipient to verify that the message was signed by the private key
- Certificate; a binding between the public key and the user identity, e.g. a phone number, guaranteed by the KMS
This method requires users to, prior to using the system, authenticate each other using separate means, e.g. by exchanging digital fingerprints. Such bilateral trust relations quickly grows as the number of relationships follows quadratic growth ( N*(N-1)/2, where N is the number of users in the system ).
Whilst this method might work for personal communication where the number of contacts are limited, but not suited for enterprises subject to accountability and risk management. Furthermore, it might be impracticable to require all users to manually pair with all others prior to using the system.
Centrally managed authentication is typically handled using asymmetric cryptography, e.g. DSA, ECDSA or ECCSI, where a Key Management System (KMS) / Certificate Authority (CA) issues certificates to the users.
Such method is based on the following components:
In other words, by controlling the KMS you control which public key the users in the system will associate with a specific identity.
Aspects to take into considerations:
- Does the system allow unauthenticated communication? E.g. if a user has neglected to manually verify the fingerprint of the other party
- Who do you trust to operate the KMS?
- How is the KMS protected?
- How, and by whom, is the identity of a user verified before a certificate is issued?
Cryptify Call uses a centrally managed method where the KMS, implemented in the Cryptify Management System (CMS), is handled by the organization itself.
The CMS operates off-line, i.e. it is not connected to any network, and hence is completely isolated from Internet threats.
The authenticity of a user identity is guaranteed by the CMS administrator ensuring that the correct user is provided the enrolment QR code.
What about privacy?
Another important aspect to take into consideration is what data is collected, who has access and what it is used for.
There are typically two sorts of data that can be collected
- Metadata; information associated with a specific session/event located on the central server and typically contains information such as who communicated with whom, at what time and for how long
- Personal data; data located on the device and contains information such as; address book, calendar appointments, photos, health information, location, network environment
Having access to all or a subset of such data enables sophisticated analyses, profiling and exploration.
Aspects to take into considerations:
- Does the system encourage, or even require, the user to upload its address book to the service provider?
- What data is collected?
- Who has access to collected data and for how long is it stored?
- What is the collected data used for?
- Does your organisation risk to be in breach of GDPR by using the system?
- Is the vendor subject additional legislation, e.g. Clarifying Lawful Overseas Use of Data Act (Cloud Act)
Cryptify Call is designed for on-premises deployment in order to give organization exclusive control of collected data.
Cryptify AB is committed to ensuring that your privacy is protected. Should you be asked to provide certain information by which you can be identified when using this Cryptify Call service, then you can be assured that it will only be used in accordance with this privacy statement. https://www.cryptify.com/privacy/
Does the system cover my need?
With the shift to a more and more mobile workforce the need for mobile collaboration tools becomes critical, and unless the organization can provide the tools needed to carry out the work, users will often find alternative solutions.
It is important to analyze which collaboration functionality is required so the workforce can use a secure solution:
- One-to-one voice call
- One-to-one video call
- Audio conference
- Video conference
- One-to-one messages
- Group messaging
- User managed messaging groups
- Centrally managed messaging groups
- Message attachment
Cryptify Call is developed to enable intuitive and secure collaboration between individuals and groups, e.g. end-to-end encrypted videoconferencing with up to 50 participants.