Just encrypting data, like locking money in a vault, does not enable the business unless you can also make it available. So just as a vault would unlock at certain times but still resist attacks encrypted data must be able to be accessed securely while resisting compromise to various physical and logical threats. Vaults were not really that effective until banks could control how and when they could be opened; therefore, ergo encryption without access control, much like a vault without a smart lock or cheerios without milk, is useless.
A look at the development of vaults and locks can be instructive about how "checking the box" to protect sensitive data with simple full disk or home-grown encryption does not meet the needs of an enterprise-ready solution for protecting sensitive data.
Though locks and vaults have existed for thousands of years, and at one time the lock being a crocodile, when was the first combination lock invented? Louis Yale Jr. - 1861. The combination lock was invented because key locks had too many means in which they could be compromised.
Robbers quickly realized that the combination lock also had weaknesses in that one could:
- Force punch the combination through the door
- Drill holes in the lock case and use a mirror to view combination slots
- Simply kidnap (or payoff) someone who had the combination.
Timelocks came to be as a result, essentially a combination lock that worked on a timer, thus called the "theftproof lock"; invented by James Sargent, an employee of Yale around 1864. This new lock mostly eliminated the kidnapping problem, but since bad guys react quickly, they learned to use the tiny cracks between the vault door and frame to blast them open or pry them apart. Vault makers responded with stair-stepped grooves in the door frame so that the tiny cracks were not vulnerable. But economic motive leads to invention - boil dynamite in a kettle of water, skim off the top, drip this liquid into the grooves and destroy the door - bingo - liquid nitroglycerin.
Every security improvement was followed by new and better ways to break in, like the cutting torch in the 1920s and more recently, the burning bar; and the technology race between good and bad continues. The good guys keep coming up with new devices such as heat sensors, motion detectors, alarms and biometrics and the bad guys continue finding more technological tools and opportunities around these systems.
This sounds similar to the challenge of protecting information assets yet with two differences:
- One cannot just lock up information in a secure place - it isn't useful unless it can be appropriately accessed
- Unlike sensitive information, money cannot be encrypted so it is unreadable and thus cannot be spent
However locks, vaults and encryption do have similarities and common security characteristics:
- Role enforcement - The lock for a modern bank vault is usually a dual-control combination lock, meaning it takes two people to open it - data encryption products should enforce split level knowledge, separation of roles for management and security, and dual authorization would be a plus.
- The who, what, where and when of data access - The lock is connected to a timing mechanism that can be set so that the combination lock will not open until the pre-set number of hours has passed - encryption solutions should permit granular policies to be created, provide secure key management, and thus enforce the who, what, where and when of locking (encrypting) and/or opening (decrypting) data.
- Data access monitoring - The vault area has secured entries, continual video survelliance and monitoring - data encryption products should prevent unauthorized access and capture all events in secure logs for auditing and forensics.
- Expert solutions - Vaults and locks are manufactured by companies with product and technical specialization and know-how (not by banks) and so should it be with data encryption solutions.