End-to-end encryption (E2EE) has been an integral part of consumer messaging applications such as WhatsApp, Viber, and Skype for years. In the past six months, Zoom has added the security measure to its video conferencing platform with Microsoft adding it to Teams shortly after — underscoring the growing popularity of E2EE as a robust security option for enterprises who have embraced cloud computing as a standard business model.
However, E2EE has its detractors. Created to ensure that messages stay private between correspondents, E2EE has been a thorny issue between law enforcement and intelligence agencies seeking to gain access to users’ encrypted messages and tech companies who want to keep their customers’ communications confidential.
What is E2EE?
End-to-end encryption is an encryption technique that uses cryptographic keys to scramble messages between a sender and a recipient. A program on a sender’s device generates two keys, a public one and a private one, which are used to encrypt the message and then to decode it for the recipient. This process ensures that no one, including the communications provider, can read or access the message while it is in transit, because it appears as unintelligible gibberish to prying eyes or malicious actors.
As the pandemic continues to reshape workforce models and the push toward digital transformation accelerates, the benefits of enterprise E2EE are emerging.
Benefits of Enterprise E2EE
While E2EE has been around for years in consumer-grade devices, the leap to enterprise use is a recent development. As the COVID-19 pandemic took hold, forcing organizations large and small to accelerate digital transformation initiatives, E2EE became an attractive consideration for enterprises concerned about data security both in the cloud and on-premises network environments.
Enterprises that have their cloud computing environments in place often rely on the security measures offered by their cloud providers. Though this security offers data encryption at rest, data becomes vulnerable if hackers access the provider’s servers where encryption keys are stored. Because E2EE stores encryption keys on user devices and not on servers, access to encrypted data during such a breach would not be possible.
“End-to-end encryption (E2EE) ensures that the data itself is protected, no matter where it is stored,” says Istvan Lam, CEO of Tresorit, a Switzerland-based provider of E2EE solutions. “Besides providing the highest security level, E2EE is combining the convenience of cloud-based services with the data security and control of on-premises solutions for enterprises: it enables easy implementation, flexibility, accessibility, and scalability — together with the highest level of data security, integrity, and confidentiality.
“End-to-end encryption ensures that control over encryption keys and the data itself remains in the hands of the owner, providing enterprises ultimate control over their data. No third party can access end-to-end encrypted data, not even the service providers themselves. Due to this, E2EE helps enterprises meet strict data protection compliance requirements and mitigate the risks of data breaches and leaks.”
As the diversification of the workforce continues, allowing remote workers access to files in the name of collaboration and efficiency has raised concerns about phishing scams and potential malware threats. These potential breaches also exist within organizations’ IT teams, where inexperience and the rush to build digitally driven processes can result in configuration issues that open up threat windows and surfaces.
“Enterprise IT is often no longer a ‘known entity’ where all parts are on managed and fully controlled infrastructure,” says Mathias Ortmann, CTO/CSA at New Zealand-based Mega Limited, an E2EE solutions provider. “Instead, there are mobile users, remote workers, and independent third parties who could potentially make enterprise networks porous. E2EE can add an important layer of protection in that scenario. E2EE also lets enterprises and other large organizations outsource storage and communication services without compromising on security or having to build costly, and probably inferior, systems from scratch.”
Enterprise E2EE Use Challenges
When E2EE is properly implemented, providers cannot decrypt user data or communication that resides on or moves through their infrastructure, notes Ortmann. However, if encryption credentials are lost, so is access to your data.
“Put simply, with proper E2EE, there is no password reset,” Ortmann explains. “Password loss is the biggest E2EE-related risk an organization faces. MEGA recognizes this and frequently reminds its users of the importance of safeguarding their recovery keys, which enable them to set a new password while retaining access to their data. Robust and secure key management is an essential component of enterprise-level E2EE usage.”
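The recovery-key arrangement described above can be sketched as key wrapping. This is an added example, not code from MEGA or any vendor named in the article; the function names and record layout are hypothetical, and the XOR-plus-HMAC wrap is a standard-library stand-in for the authenticated key-wrap cipher a real product would use.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # sample PBKDF2 work factor chosen for this example

def _derive(secret: bytes, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the master key, the last 32 key the tag
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=64)

def wrap(master: bytes, secret: bytes) -> dict:
    """Protect the 32-byte master key under a password or recovery key."""
    salt = secrets.token_bytes(16)
    k = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(master, k[:32]))
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob: dict, secret: bytes) -> bytes:
    """Recover the master key; fails closed if the secret is wrong."""
    k = _derive(secret, blob["salt"])
    expected = hmac.new(k[32:], blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or recovery key")
    return bytes(a ^ b for a, b in zip(blob["ct"], k[:32]))

def enroll(password: str):
    """Runs on the user's device; only `record` is uploaded to the provider."""
    master = secrets.token_bytes(32)      # encrypts the user's data
    recovery_key = secrets.token_hex(16)  # shown once, stored offline by the user
    record = {"by_password": wrap(master, password.encode()),
              "by_recovery": wrap(master, recovery_key.encode())}
    return master, recovery_key, record

def reset_password(record: dict, recovery_key: str, new_password: str) -> bytes:
    """Set a new password without losing data: unwrap with the recovery key,
    then re-wrap the same master key under the new password."""
    master = unwrap(record["by_recovery"], recovery_key.encode())
    record["by_password"] = wrap(master, new_password.encode())
    return master

if __name__ == "__main__":
    master, rk, record = enroll("old-pass")  # constructed sample password
    assert reset_password(record, rk, "new-pass") == master
    print("master key preserved across password reset")
```

The provider holds only `record`, so it has nothing to reset a password with; a user who loses both the password and the recovery key has lost the master key.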
Lam also acknowledges that E2EE providers have some feature gaps compared with cloud service providers, such as file and content searches, a limitation of E2EE technology itself.
“As end-to-end encryption ensures that the data never reaches the services’ servers in a readable format, processing user data for features such as searching in file contents presents complex problems for developers to solve,” notes Lam. “However, there is promising scientific research — for example, in the field of homomorphic encryption — that should help vendors overcome these technology challenges in the future.”
Enterprise E2EE Use Rises
As global companies like Zoom and Microsoft implement E2EE into their platforms and products, the robust security measure is on its way to becoming an industry standard. This growing recognition of the benefits of E2EE runs parallel to efforts by law enforcement agencies to have regulations in place that require E2EE providers to create ways, such as master keys, that allow them access to customer data. That would be a direct violation of the intended purpose of E2EE, which is to give users complete control of how their data is accessed and shared.
“MEGA sees E2EE becoming the norm for corporate audio and video calls and conferences,” Ortmann predicts. “E2EE will also help protect sectors that simply cannot afford to have their data exposed to anyone unauthorized, due to confidentiality and regulatory requirements, not to mention reputational risks. This could be law offices, health care providers, insurers, and financial sector enterprises.”
Like Ortmann, Lam sees E2EE becoming an industry go-to security tool, with use cases emerging across consumer and enterprise data protection.
“As the demand for data security grows with digital acceleration, I expect even more enterprise IT vendors will integrate end-to-end encryption in their products and adoption in the enterprise sector will ramp up.”