Network Encryption from CipherOptics
 
 
 
   

Compliance



RIPA Compliance

The Regulation of Investigatory Powers Act (RIP Act or RIPA) covers various aspects of the interception of communications. It became a United Kingdom law in July 2000. Originally designed to provide instruments to combat Internet crime and child pornography, the act is now important in the fight against terrorism.

How does CipherOptics help?
However the RIP Act Part III is put into practice, it will require companies to have access to the keys they use or have retained. And if a corporation has not retained a certain key, it must be able to show that. The loss or discard of a key is a valid defense if non-possession can be proved "on the balance of probabilities." This calls for a comprehensive key management system. CipherOptics provides enterprise policy and key management that supports all encryption devices across multiple protocols, with long-term key management and archival.

The CipherOptics security policy server model not only provides comprehensive key management—it also offers the scalability needed for a comprehensive data protection solution. At the top of the model lies the Management and Authentication Point, a policy-based tool for managing access correlation and encryption policies. This tool can be used to manage large numbers of encryption points, provide policies, and fulfill the other requirements for management of data protection solutions. A key and policy distribution system (Key Authority Point) is required to enable IPSec, Ethernet encryption, and client access to scale across the enterprise, integrate into embedded encryption solutions, and not break the network. The combination of the Management and Authentication Point and the Key Authority Point eliminates all of the barriers to deploying an enterprise-wide data protection solution.

CipherOptics enables companies to centrally manage the keys for all points where encryption and security policies are enforced. In short, the CipherOptics enterprise key and policy management system enables companies to comply with RIPA.

What does CipherOptics do?
CipherOptics is the leader in scalable compliance grade™ network security solutions, providing transparent network overlays that solve the fundamental problems of data protection. Some of the most security-conscious organizations in the world rely on CipherOptics for their network security because we enable the confidential transmission of data with the lowest installation, management, and operational costs.

Who is affected by RIPA?
Any person or company may be called upon by UK authorities to comply with RIPA. While this is a UK law, it has implications for any international corporation that conducts business in the UK. Whether headquartered there or not, if a corporation has operations in the UK, its officers must be ready to comply.

What are the requirements of RIPA?
RIPA has three main sections. Parts I and II have already taken effect. Although it originally stated that Part III would go into effect in late 2001 or 2002, the Home Office still hasn't taken the steps to activate this part of the act. However, in May 2006 the British government announced preparations to make Part III of RIPA legally enforceable.

Part III, titled "Investigation of Electronic Data Protected by Encryption etc.," is RIPA’s most controversial section. It grants law enforcement the right to demand the decryption of or the key to decrypt suspect communications. The relevant part of the act’s long title describes it as "An Act to make provision for and about…the acquisition of the means by which electronic data protected by encryption and passwords may be decrypted and accessed…" Both individuals and corporations (via their officers) can be requested to produce keys.

The act states that, "'key,' in relation to electronic data, means any key, code, password, algorithm, or other data the use of which (with or without other keys) (a) allows access to the electronic data, or (b) facilitates the putting of the data into intelligible form." Those government and law enforcement personnel who have the right to demand key disclosure are explicitly mentioned in the act.

What are the penalties for RIPA non-compliance?
Failure to comply carries a prison term of up to two years and/or a fine. If it's a case of national security or suspected terrorism, the Terrorism Act 2006 allows for up to five years for withholding keys.

How do companies comply with RIPA?
Individuals or businesses from whom an encryption key is requested by an authorized official must produce the key. If a company still has a requested key in its possession, it must hand it over.

What if the encryption key was lost or discarded? In that case, the burden of proof shifts. The person from whom the key is demanded must show "on the balance of probabilities" (i.e. it's more likely than not) that he was not in possession of the key at the time it was requested. But proving non-possession of the key could be a real challenge.

The implication is that the best way for enterprises doing business in the UK to comply with RIPA is with a system that manages and tracks their encryption keys.

Helpful Resources
Text of the Regulation of Investigatory Powers Act 2000