Facebook works to secure data centre links

Facebook security engineers are working feverishly to encrypt the links between the social network's data centres in order to give users complete confidence in the security of its services.

Gregg Stefanick, security engineer at Facebook.

Last year Facebook began encrypting every session between a user's device and Facebook's servers by default, a layer of protection that had previously been optional for users.

The company also uses encryption for 'perfect forward secrecy', which prevents the re-use of stolen private keys to look back on a conversation that has taken place on the social network.

The next step has been to encrypt data communication over the private lines Facebook leases from telcommunication providers to connect its data centres.

Former US intelligence contractor turned whistleblower Edward Snowden revealed late last year that many online services - including those of Google and Yahoo - had been tapped by the US National Security Agency, leading to efforts by cloud service providers to toughen their protections against state actors. Google, for example, has encrypted all data transmission between its data centres.

Gregg Stefancik, security engineer at Facebook, insists that encrypting links between data centres "was on our roadmap pre-Snowden".

"It's more complicated than encrypting web devices and the web front-end. The complexity of our infrastructure means sadly, we're not 100 percent there yet," he said today.

"We have prioritised the most sensitive traffic at Facebook. And we're working aggressively to get to the point where we'll have it all encrypted between data centres."

The Snowden revelations, he said, only confirmed what Facebook's security team had long suspected.

"Snowden validated the things we already wanted to protect against. Snowden proved that we were wearing our tin foil hats correctly. Yes, we do need to encrypt links between our data centres, because it has been shown that somebody can do this," Stefancik said.

Stefanick said data encryption was tricky to implement but worth the effort.

"Encryption comes up a lot because of the surveillance debate. We like encryption, because it is mathematically strong and we understand its properties. That said, it is hard to deploy. It has performance implications and there are still capability issues between devices," he said.

"Done wrong, it's an ineffective security control. Done correctly, it is a fantastically effective security control. We think it's worth investing in." 

Stefancik said demands to "hand over encryption keys" to the intelligence services of any nation was "something we would fight".

Facebook's defence in depth

Stefancik said Facebook does not employ cryptographers to assess encryption standards, and relies on the broader industry to collaborate on encryption standards that can be trusted.

"We have not engaged with NIST, but we do engage with the industry and are tracking trends in cryptographic protocols." 

Facebook has put its money where its mouth is - donating "a large sum of money" to the Linux Foundation's core infrastructure initiative in the wake of the OpenSSL/Heartbleed saga to "help fund people in the community working to make these building blocks more solid".

Facebook has also paid out over $2 million under its white hat bug bounty program, $20,000 of which has been awarded to security researchers in Australia. On at least one occasion, Facebook had fixed the problem within hours of the report.

The social network has also delivered security innovations of its own - including optional two-factor authentication and social authentication.

Stefancik said there will always be a requirement for large organisations to invest in perimeter security and monitoring and incident response teams, but the true measure of Facebook's commitment to security was ensuring its development process produced software that was "secure by default".

"The whole stack is interdependent and interlocked," he said.