What does secure messaging mean?

Elena Kvitkovska
6 Feb 2020

Secure messaging is currently one of the hottest topics in the technology world. It allows us to send text, documents, and media files to another person without being afraid that they will be compromised.

What does secure messaging mean? Usually, a secure message is one that is encrypted before it is sent. Messages sent through secure messaging applications are not available to third parties. A secure messaging application lets you exchange private information with employees, clients, and co-workers without compromising your data.

What information is sensitive

Information comes in different kinds, including information with limited access: confidential, secret, and proprietary information. The defining characteristic of sensitive information is its secret content: state, professional, medical, banking, etc. It must be protected from unauthorized access to safeguard the privacy of an individual or organization.

Personal information

Sensitive personally identifiable information (PII) is data that can be traced back to an individual. If released it could result in harm to the person. Such information includes:

  • Biometric data
  • Medical information (PHI) – medical records, laboratory tests, and insurance information
  • Personally identifiable financial information (PIFI) – credit card numbers, banking information, tax forms, and credit reports
  • Unique identifiers such as passport or Social Security number
  • Account credentials, personal messaging

If such information is stolen, it ends up in the wrong hands. Loss of such data mostly means financial damage or loss of security. That is why sensitive PII should be encrypted both in transit and at rest.

Business information

Sensitive business information is any data that creates a risk to the company if released to a competitor or the general public:  

  • Trade secrets
  • Acquisition plans
  • Financial data 
  • Supplier and customer information
  • Account credentials, business messaging

With the ever-increasing amount of data generated by businesses, different levels of protection are required depending on data sensitivity. The ways to secure corporate information from unauthorized access include metadata management and document sanitization.

Metadata provides information about other data. For messages, it includes details attached to each message that can be interpreted and processed to reveal more information. Most messaging apps store message metadata by default. Hackers can use this information to identify the user and then apply social engineering to retrieve the decryption key.

Data sanitization is the process of removing or destroying the data stored on a memory device to make it unrecoverable. There are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure.

Data sanitization helps the organization address an important security risk. It ensures that data cannot be reconstructed or retrieved from the hard disk media in your servers and storage devices, so retired media does not pose a data breach threat or cause a compliance failure.

Security criteria

Encryption helps governments and service providers protect data from intruders. At the moment, when it is well designed and properly used, it is almost impossible to crack. Even if the message gets into the wrong hands, an attacker cannot read it without a special secret key.

Client-side

Client-side encryption is performed locally, within your browser or application. The private key (which is effectively another password) is never transmitted to the server. Encrypting on the client protects customer data on their own devices or network. It also guarantees that cloud providers (or other third parties) cannot access the encrypted data.

Server-side

Preventing intrusions to your servers and databases is the most important step you can take to secure the privacy of your business. Without proper backend security, you could face the risk of an attack.

Unfortunately, no cure-all solution exists for removing these problems. We can divide protection solutions into a few classes:

  • Encryption
  • Access control with strong compartmentation: authentication, granular CRUD authorization per user/table
  • Leakage prevention at rest / in use / in motion
  • Authenticity and integrity of all data
  • Message wiping
  • Scanning the code and architecture for vulnerabilities using security tools, and covering the code with automated tests

Infrastructure

To tackle the threats before they harm the business, you should expand your infrastructure security capabilities. The following steps help to maintain the security of your IT infrastructure:

Protecting the infrastructure using WAFs

A Web Application Firewall (WAF) is used to filter, block, or track inbound and outbound web application HTTP/HTTPS traffic. This helps to prevent common attacks that arise from application code vulnerabilities. A WAF also serves as a tool for load balancing and keep-alive optimization. It also gives protection against newly emerged malware that is not detected by any known behavior analysis.

Encrypting client-server communication on the infrastructure layer

Secure Sockets Layer (SSL) protects information transmitted between two systems over the internet. SSL can be used both in server-client and in server-server communication. It ensures that sensitive information (such as names, IDs, credit card numbers, and other personal information) is not stolen in transit. Websites that have an SSL certificate have HTTPS in the URL. SSL supports the following information security principles:

  • Encryption: protect data transmissions (e.g. browser to server, server to server, application to server, etc.)
  • Authentication: ensure that you are connected to the correct server
  • Data integrity: ensure that the data that is requested or submitted is what is actually delivered.

Configure server access and security

Servers are the mainstay of any IT environment. Customer and company data saved on servers require special protection. It is important to control who is able to access this data via the network. Access to the server room itself should also be dictated by a transparent set of rules. Access to IT systems should be documented and checked on a regular basis.

Back up your data

Having a data backup solution can help in data recovery if the infrastructure is at risk. Store encrypted backups of your critical data offsite or use a cloud solution.

Audit your servers

A server audit analyzes which services are running on the server, their protocols, and which ports they communicate through. Auditing your server with a focus on aspects such as the user database, file sharing permissions, and password standards helps to protect the IT infrastructure. It determines the current level of server security and identifies any system flaws.

Keep your software updated

IT infrastructure is a vast collection of equipment and tools. Regularly updating the software on a server is a crucial step in keeping it safe from intruders. Keeping everything up to date ensures its protection and boosts IT infrastructure security.

International information security standards

Protecting customer personal information is regulated by the following international regulations:

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a generally accepted set of security standards and requirements for protecting health information. It regulates the exchange of protected health information (PHI). PHI is transmitted via a secure platform that makes it available to only the authorized hospital employees.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation is a unified framework of data privacy rules, introduced by the European Parliament. GDPR sets strict regulations on how businesses operating in the EU collect, store and manage personal information. They must protect sensitive data and notify affected parties in the event of a breach.

QuickBlox services are both HIPAA and GDPR-compliant. While setting up the infrastructure, we will configure our API so that it meets international and your own security requirements.

QuickBlox security practices

We have spoken about preventing security incidents in your product. For QuickBlox, the security of our clients is essential, so we follow the latest client-side and server-side security practices.

Client-side communication

To secure customer data on the client side, the QuickBlox team uses the HTTPS protocol to ensure that all traffic is protected from malicious attacks. We also use our own modification of an auth token-based security protocol.

Each application has an owner ID, app ID, public key, and secret key. Client-server traffic is signed with a unique token generated using the application key and device ID. This means each request is only valid for the specific token, specific app and specific user.

All user passwords are encrypted via a one-way hash function, which means that even if someone has access to the database, they will not be able to find out users’ passwords.

QuickBlox XMPP includes a method for securing the stream from tampering and eavesdropping. This channel encryption method makes use of the Transport Layer Security (TLS) protocol. We use TLS v1.2 for API, admin endpoints, ssl_protocols, chat, and video.

Server-side communication

To ensure backend security, we protect our infrastructure with SSL certificates. We also include nonce and timestamp protection, which secures against ‘replay attacks’. This means that if a request is intercepted somewhere in the network, tampered with, and re-sent later, it won’t pass authorization, because the timestamp will differ from what is authorized for the current token.

We use HMAC with the SHA1 cryptographic hash function (160 bit). We also store cipher keys using hashing algorithms and a “salt” value, so passwords are never stored as a “raw” value.
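The signed-request scheme described above (a keyed signature per application and device, plus nonce and timestamp checks) can be sketched as follows. This is an added example, not QuickBlox code: the field names, the canonical string format, the 300-second window, and the secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # assumed: seconds a timestamp may differ from server time
REQUIRED = {"app_id", "device_id", "nonce", "timestamp", "signature"}


def sign(secret, fields, digest=hashlib.sha1):
    """HMAC over sorted key=value pairs (canonical form assumed for this example).

    SHA-1 matches the article; pass hashlib.sha256 to use a stronger digest.
    """
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, msg.encode(), digest).hexdigest()


def make_request(secret, app_id, device_id, nonce, timestamp):
    """Client side: build the fields and attach the signature."""
    fields = {"app_id": app_id, "device_id": device_id,
              "nonce": nonce, "timestamp": timestamp}
    return dict(fields, signature=sign(secret, fields))


class Verifier:
    """Server side: signature first, then freshness, then nonce reuse."""

    def __init__(self, secrets):
        self.secrets = secrets  # app_id -> secret key (bytes)
        self.seen = {}          # (app_id, nonce) -> timestamp it was signed with

    def check(self, req, now=None):
        now = time.time() if now is None else now
        if not REQUIRED <= req.keys() or not str(req["timestamp"]).isdigit():
            return "malformed"
        secret = self.secrets.get(req["app_id"])
        if secret is None:
            return "unknown-app"
        fields = {k: v for k, v in req.items() if k != "signature"}
        expected = sign(secret, fields).encode()
        # compare_digest avoids leaking how many leading characters matched
        if not hmac.compare_digest(expected, str(req["signature"]).encode()):
            return "bad-signature"
        ts = int(req["timestamp"])
        if abs(now - ts) > MAX_SKEW:
            return "stale-timestamp"
        # A nonce only needs remembering while its timestamp could still pass
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        key = (req["app_id"], req["nonce"])
        if key in self.seen:
            return "replayed-nonce"
        self.seen[key] = ts
        return "ok"
```

Because the timestamp and nonce are inside the signed fields, an interceptor cannot refresh either one without the secret key: a captured request is rejected as a replay inside the window and as stale after it.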

Our DevOps team is able to configure a HIPAA and/or HA/DR instance, which means we can enable encryption for all stored data (including the DB). We can enable AES-256 encryption for AWS S3 at the client’s request, which means data is encrypted with 256-bit AES and the keys are stored separately by Amazon. We can also encrypt both the boot and data volumes of an EC2 instance using AWS Key Management Service (AWS KMS).

As a premium function for our Enterprise customers, we offer the option of implementing a Custom Identity provider (clients can link a user from their database with our server using QB_userID). As a result, the user is anonymous, and we don’t know the owner of a chat or other information.

Conclusion

Protecting user data must be a high priority and should never be ignored. Due to increasing privacy concerns, more companies are starting to secure their messaging.

QuickBlox takes security issues seriously. By default, we apply all the practices that were listed in this article. Yet, for different businesses, there are different security requirements, so we will configure the infrastructure according to your needs. Contact our team to discuss the options.
