Encryption - Is it enough?
CIOs and their corporations are looking for the magic bullet to protect their intellectual property and the personally identifiable information of their clients, partners and employees. Legacy security measures such as firewalls and antivirus provide little protection from hackers and malicious users breaching the enterprise environment and the implementation of more strict access controls.Data loss prevention (DLP) solutions are cumbersome and limit the productivity of end users.
With these technical and business constraints in place, CIOs are turning to encryption of data across the entire data life cycle to mitigate the risks of lost or stolen information. But does today’s encryption technology really provide the levels of confidentiality required in this totally Internet connected world?
There are three primary phases in which data can be encrypted: in transit, at rest, and in use. The highest level of data protection currently exists in the data transmission phase. In this phase, encryption occurs between specific communicating devices. Protection provided by encryption in transit includes confidentiality from eavesdropping and sniffing, or man-in-the-middle attacks. Applications such as VPN clients and browser based HTTPS provide strong encryption processes which protect the confidentiality of data making it very difficult for unauthorized users to intercept. It is common practice for organizations to encrypt of data transmitted from remote devices; however, data that is being transmitted on internal networks typically goes unencrypted. There is a perception that data transmitting the internal network, or even that being transmitted to remote facilities, is secure and therefore does not require encryption. Nevertheless, an organization’s internal network can be easily breached making data vulnerable to the same risks of eavesdropping, sniffing and man-in-the-middle attacks. Consultants, vendors and individuals off the street not only have access to wireless networks but often have access to network jacks in conference rooms, cafeterias and other common areas. Also, devices that do not require direct authentication (i.e. printers, scanners, industrial controls, etc.) can be infected with malware that can eavesdrop, sniff, or capture traffic and send out information to the Internet. Past concerns of implementing encryption to internal data transit included increased overhead on servers, network devices and end user workstations. This overhead could cause systems delays, loss of connectivity and loss or corruption of data. Many of today’s server and network technologies have data encryption capabilities built in to allow for easier configuration and implementation and minimize the impact on utilizations. Implementing encryption of data in transit from endpoint to endpoint, both remotely and internally is mandatory in today’s cyber risk environment.
Another phase of data encryption is the encryption of data at rest. Implementing encryption of data at rest is the easiest of all phases and, in fact, is built in on many devices such as smartphones, tablets and PCs. There are really no reasons not to encrypt all data on smartphones, tablets, PCs; however, there are some major limitations of encrypting data at rest. Users and applications must be able read data in order to use it, consequently, when a user or application logs into the system the data must appear decrypted. This is both necessary and a major vulnerability because when a user or application logs in all data, even that data at rest that they have access to, becomes readable. So, if a user’s device or application is infected with a virus, malware, etc. and they log in all data on their system or systems they can access becomes available to the hacker.
The last phase of data encryption is encryption of data in use, this is the weakest link. As defined in the previous encryption of data at rest section, in order to make use of data, it must be readable or decrypted. Many applications, database companies and cloud service providers are claiming different levels and characteristics of encrypted data in use; but, current technology does not make this completely possible. Encryption of data in use relies heavily on encryption of data at rest and in combination with strong authorization and access controls. By allowing only authorized users, limiting their access to the principles of least privilege and performing on the fly decryption of data upon access, companies are providing a minimal level of encryption of data in use.
Based on the functionality of encryption within the different phases, it must be obvious that encryption is not a silver bullet for the protection of data.
Encrypting data in transit can be compromised even if it is being performed across both internal and remote networks via the placement of malware on authorized devices that can eavesdrop or sniff data as it traverses the enterprise. Encrypting data at rest can also be overcome via the placement of malware on an authenticated device and it can also be bypassed by un-authorized users who illegally obtain valid user ids and password which have rights to view the data. The encryption of data in use with existing technologies uses the same but stricter rules as defined within the encryption of data at rest phase and therefore can be compromised in the same ways.
Encryption is designed to provide an additional layer of data protection but complex authorization policies and strict access controls providing only the least amount of privileges necessary for a user to perform their functions are still required in the protection of data. If hackers get into a network but are unable to gain authorized access with valid credentials, encryption will protect data from being read, copied or manipulated. However, cyber incidents facilitated by gaining un-authorized access to systems using valid user credentials, such as phishing scams or social engineering, can allow hackers complete access to decrypted data.