The agency has announced it will be cutting down on the number of system administrators in an attempt to limit the number of people who could have access to that type of data in the future, and has also said that it will implement a two-person system that will require two employees to sign off on copying any classified data from a secure network onto a portable storage device, so that incidents such as these can be prevented.
The two-person rule has long been employed by military organizations to minimize the possibility of weapons of mass destruction being discharged - accidentally or intentionally - by a single person. Now, content delivery network and distributed DNS service CloudFlare has implemented the rule into open source encryption software they dubbed "Red October”.
To be used in organizations storing and handling sensitive and confidential data, the software aims to make it impossible for malicious (or not) insiders to access said data unless another employee (or more of them) also uses his or her encryption key.
“From a technical perspective, Red October is a software-based encryption and decryption server. The server can be used to encrypt a payload in such a way that no one individual can decrypt it,” CloudFlare software engineer Nick Sullivan explained in a blog post.
“The encryption of the payload is cryptographically tied to the credentials of the authorized users. Authorized persons can delegate their credentials to the server for a period of time. The server can decrypt any previously-encrypted payloads as long as the appropriate number of people have delegated their credentials to the server. This architecture allows Red October to act as a convenient decryption service.”
“Red October was designed from cryptographic first principles, combining trusted and understood algorithms in known ways," Sullivan pointed out. "CloudFlare is also opening the source of the server to allow others to analyze its design.”
The open source software is available on GitHub, and the company invites users to experiment with other types of authentication and new core cryptographic primitives.