Apple this week rolled out a new version of the operating system that runs on its mobile devices, such as iPads and iPhones. It also announced that it will no longer be able to comply with law enforcement requests to unlock the encryption protecting those phones. Moving forward, accessing encrypted data on an Apple smartphone or tablet will be possible only for the owner of that device.
To many, Apple’s news is confusing. We’ve been led to believe that encryption is easily broken. We see it every day on television, on shows such as “24” and in movies such as “Ocean’s 11”, where the protagonist can effortlessly decrypt a device with the mere flip of a switch.
But this is untrue. When properly managed, encryption is almost impossible to break. Because Apple does not store its own copy of the encryption key, it is unable to decrypt the phone. Period, end of story.
By the same token, and probably most important to note, according to the Washington Post the data on the phone is ONLY safe if the user has turned on encryption and has protected the phone with a very strong password. Recently, celebrity photos from iCloud accounts were accessed and distributed online. Even if the data is encrypted when it sits in the cloud, hackers just need a user’s password to decrypt it. Reports indicate this is what happened: in the case of the leaked celebrity photos, hackers tried numerous passwords against a given account in rapid succession, and voilà, a PR nightmare.
So what’s the lesson learned here?
Never underestimate the importance of key management. Not only should companies be encrypting their data in the cloud (and everywhere else, for that matter), but they should also be managing access to the encryption keys. Protecting the keys will ultimately result in protecting the data.