Thales Blog

The Long Game Of "Encrypt Everything"

October 6, 2014

Data encryption is increasingly at the forefront of American conversations around cybersecurity. In fact, Fusion’s Daniel Rivero, citing government intrusion and overreach, went so far as to call it “the second amendment battle for the digital age.” Given October is National Cyber Security Awareness Month, it only seems appropriate to explore the benefits of encryption – a strategy that helps keep businesses accountable to their customers, partners, employees and stockholders.

Top of mind for most are Apple’s and Google’s decisions to automatically encrypt data on their iOS 8 software and on Google’s yet-to-be-released new batch of Android smartphones. In much-publicized comments to Charlie Rose, Apple’s CEO Tim Cook stated “people have a right to privacy…I think that’s going to be a very key topic over the next year or so.”

Recently, U.S. Attorney General Eric Holder slammed this tactic, saying data encryption would make life harder for law enforcement. Taking an oppositional stance is former CIA CTO Gus Hunt; in his comments to the Wall Street Journal, Hunt advised companies to strengthen their defenses by extending them beyond the network to the applications, files and data at the core of the enterprise.

Although he gave a nod to traditional security practices such as malware detection, user identification, password authentication and data, router and firewall protections, Hunt also made it clear this wasn’t enough. Said Hunt, “When you get through the outer layers, it is pretty easy to get the goods. The data is soft, often unprotected, once an intruder sneaks through the outer layers.” Predicting a “return to privacy by default,” Hunt also said encryption would become “ubiquitous.”

It doesn’t take a rocket (or in this case, computer) scientist to figure out why this is the case. Just look at the headlines: Target gets breached, and its stock plummets; Home Depot gets breached, and then blasted for how it handled the announcement; Community Health services gets breached and hit with multiple class-action lawsuits. Supervalu gets breached not once, but twice.

Because this topic is in Vormetric’s wheelhouse, I thought it would be helpful to walk through some of the key technological and business considerations companies should keep in mind when contemplating an encrypt everything approach for data-at-rest. It has become obvious our standard security practices – like the ones mentioned above – don’t keep the adversary out of a company’s network and away from its data.

  • Data Type Flexibility
    • Can your solution handle all different types of data? Database data, unstructured data, big data – while data is a bunch of bits, it’s moved around and stored in many divergent fashions. With that in mind, it’s not advisable to approach your data as though it’s one and the same.
  • Enterprise Scalability
    • In the past, encryption was much more isolated: a few servers here; a database there. It was often a grab bag of solutions. In these days of desired operational simplification, you want a platform that can scale from handling a handful of servers and applications to thousands and perhaps tens of thousands. This results in an entirely new requirement for most organizations. So, the questions you should ask yourself: does the solution scale? Is it fault tolerant and highly available? Does it offer centralized or distributed key management? How does policy come into play?
  • Executive Buy-In
    • What is the top level corporate commitment to the task of encryption? Is your team effectively positioning and messaging the benefits of encryption and demonstrating they would be able to drive their progress against deadlines and schedules?
  • Data Classification
    • You’ll likely find that deploying an encryption solution is a good impetus for getting rid of old data. When taking this into account, consider a data classification model. For example, the most sensitive data is protected ASAP, the second most sensitive should also be encrypted but is less time urgent and the third category of data doesn’t need to be encrypted (and could even be removed).
  • Management and Ownership
    • Will it be very difficult to assign management and ownership for the overall task of overseeing encryption? If so, you should take a hard look at whether or not encryption is the best strategy for your organization. Organizations should be able to put a centralized executive in charge of global data protection and security. By doing so, they make it easier for business objectives to align with organizational data security policies, while also leveraging a common architecture and approach.
  • Operational Costs
    • At the end of the day, a simplified encryption platform is better than 20 different encryption platforms. Too many unique solutions will end up incurring considerable operational costs, which can have a burdensome effect on your bottom line.
  • Infrastructure Impact
    • Organizations need to take the performance impact of the encryption processing into consideration. Today’s sophisticated computing platforms often provide hardware-assisted encryption (Intel’s AES-NI as the leading example). Even so, an organization wishing to implement a broad-based encryption platform needs to understand how the solution operates under various scenarios (transactions, big data, backup, etc.). Encryption that requires 20-30% or more computational capacity to be provisioned is a non-starter for almost any organization.
  • Platform (Operating System) Flexibility
    • Most enterprises keep data in different types of systems, applications and databases and therefore, need to be able to address all sorts of platforms. You might use 20 different types of platforms – does that mean you’re going to use 20 different encryption platforms or will you try and reduce it to one encryption platform that supports the broadest operating system and database environment possible?
  • Varying Operating Environments
    • Does your encryption platform allow the flexibility to support on-premise, public, private and hybrid cloud? Do the operational model and the skills necessary to manage the system extend transparently to these various operating environments?
  • Regulatory Concerns
    • How might international regulations impact your deployment plans? For example, Switzerland, Luxembourg, Hong Kong and Singapore won’t allow encryption keys to be stored in the US.

Lastly, I want to cover what I think may be one of the most important questions of all: that of your privileged users’ access to data. System Administrators, Domain Administrators, Storage Administrators - these accounts exist because of the need for system maintenance and management.

But, as systems have become more closely interlinked and with increasing amounts of private and confidential data accessible to them, there is increased risk from privileged user account access, both as a result of the “Edward Snowden Effect” and because compromise of these accounts is a primary attack vector. Bottom line: if your employee doesn’t need access, they shouldn’t have it just because they have a certain title. Further, if you are using cloud and/or other service providers, this same policy should extend to them. If they don’t have a need to see the data, they should never see the data. To put it into a real world analogy: postal workers do not need to open the envelope in order to deliver our mail. We refer to this as the concept of “least privilege”. At the same time, these privileged user accounts need to be able to maintain infrastructure and systems. Your solution to the problem needs to encompass both “least privilege” for data access and the capability for these accounts to continue performing their work. Encryption with access controls linked to your identity management systems is the best solution to the problem.

When you implement encryption, you also have to think hard about management of the encryption keys. Encryption is the fail safe if all the other security controls are broken or bypassed, but who has access to the decryption keys? Does your employee need access to those keys? Can your privileged users even see the keys or does the system you are using employ some other control mechanism to assign and serve the keys without allowing them to be created or visible to administrators and privileged users?
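
To make the last two paragraphs concrete, here is a small model added for illustration (it is not Vormetric's code or policy format): administrators can still read files for backup but only ever receive ciphertext, and the key never leaves the store. The group names, file path and rule layout are hypothetical, and the keystream function is a stand-in for a real cipher.

```python
import hashlib, hmac
from dataclasses import dataclass

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the demo only (no nonce, no authentication)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

@dataclass(frozen=True)
class Rule:
    groups: frozenset      # groups from the identity management system
    operations: frozenset  # file operations the rule covers
    effect: str            # "plaintext" or "ciphertext"

# Hypothetical policy: ordered rules, first match wins, default deny.
POLICY = (
    Rule(frozenset({"payroll-app"}), frozenset({"read", "write"}), "plaintext"),
    Rule(frozenset({"sysadmin", "storage-admin"}), frozenset({"read"}), "ciphertext"),
)

class GuardedStore:
    """Holds the key internally; callers receive file bytes or an error, never the key."""
    def __init__(self, key: bytes):
        self._key = key
        self._files = {}   # path -> ciphertext at rest

    def _effect(self, groups: set, operation: str) -> str:
        for rule in POLICY:
            if groups & rule.groups and operation in rule.operations:
                return rule.effect
        return "deny"

    def write(self, groups: set, path: str, plaintext: bytes) -> None:
        if self._effect(groups, "write") != "plaintext":
            raise PermissionError(f"write denied for {sorted(groups)}")
        self._files[path] = _keystream_xor(self._key, plaintext)

    def read(self, groups: set, path: str) -> bytes:
        effect = self._effect(groups, "read")
        if effect == "deny":
            raise PermissionError(f"read denied for {sorted(groups)}")
        blob = self._files[path]
        # Admins get the stored bytes as-is, which is enough to back them up.
        return _keystream_xor(self._key, blob) if effect == "plaintext" else blob
```
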

My overall takeaway? Very smart people at very smart companies have come to the conclusion that encrypting a vast majority of their data is one of the best things they can do to reduce risk and assuage customer fears. While no company or CEO wants to discuss a data breach, having a broad-based strategy to make data protection a priority plays well from both a security and marketing perspective.

By now – as each day brings a splashy new headline focused on internal security breakdowns and eroding consumer confidence – many high profile companies have learned a piecemeal, endpoint-centric security strategy is no longer wise. But a smart, privileged-access-focused encrypt everything approach?

Now we’re talking.