By now most have heard of Apple's recent public statement in support of device encryption, widely praised by many in the media, public officials, and consumers as a hard-line stance against government overreach. The protections Apple has built into both the operating system and the hardware are such that unlocking the device to comply with government demands is incredibly difficult. On the other side of the issue are those who believe national security is of the utmost importance and that a "backdoor" can be built into the software to facilitate government access. Apple explains that such a backdoor into the system would allow sophisticated hackers to break iPhone security and that such access could be dangerous even in the hands of well-meaning law enforcement agencies. Granted, Apple is still required to comply with subpoenas and other court mandates; what many overlook, however, are the implications this case will have for data security across the industry.
In today's world, much sensitive data is stored in public cloud applications and only occasionally downloaded to an end-user's mobile device. Much of this data is said to be protected by the cloud app vendor - Google, Microsoft, Box, and so forth. Apple's outspoken stance on the issue of circumventing encryption, coupled with other companies' silence on the issue, speaks to the importance of additional protective measures beyond those of the cloud app.
While these vendors are very much responsible for infrastructure and application security, organizations are responsible for protecting their most sensitive data. That is where a more robust encryption solution is necessary: one where you own and control the encryption keys, so that even if a cloud app vendor is forced to comply with some court order, decrypting that data isn't as straightforward as requesting that the vendor provide the key.
The debate over privacy laws has only just begun. Regardless of the outcome, it is clear that consumers and organizations looking to protect sensitive personal and corporate data will have to take additional steps to ensure that a backdoor will not enable easy access and that encryption keys are under their own control.