Bottom of the 9th in a winner take all game, the pitcher looks to his catcher for signs and what to throw with bases loaded, a full count, and the score tied. Let’s hope the base runner on second base doesn’t figure out the signs and relay home to the batter what to expect. A fastball? Slider? Or changeup catching him looking? No pressure! Here’s the windup, and the pitch…
Whether teams are flashing signs from the dugout, behind home plate, or talking into their gloves at the pitcher’s mound, their intent is to conceal their communication so the other team doesn’t know what they are planning. In a manner of speaking, transmitting data in plain sight. The other team is well aware of what is going on, but they don’t know what’s being communicated because ideally they can’t decipher the secret code. Somewhere there is a secret key (supposedly) only that team knows about. Protect the key and in theory the communication is safe. Fail to protect the key from being stolen and the other team may steal home and win the game. A data breach of the baseball kind…
This encrypted communication between players and managers is not only tactical, but also part of their strategy for winning and for preventing the other team from breaching them. According to a joint study by IANS Research and Vormetric, 84% considered encrypting all sensitive data as a security strategy and 66% for protecting against a data breach.
While encrypting data is without question a good thing, there are more factors which need to be accounted for within a sound data security program. Let’s face it, encryption is a key tactic to protect data from theft and misuse. And the need to meet compliance minimums and check it off the list is often top-of-mind. But just because data has been encrypted doesn’t mean it’s time to relax and take your eye off the ball. Avoid these three strikes after encrypting data:
Strike 1. Poor key management
- Who has access to the keys? It seems like a pretty straightforward question to ask, but is this known, and can it be proven? The fact that data is encrypted is certainly great, but the chink in the armor can be poor key management and a failure to protect the keys. If key management is not centralized and is fragmented throughout the enterprise, it is a dreadful process to wrangle and is at risk of accidental mishandling. Solutions must be able to prove activities for key generation, rotation, and access, when keys are exported or imported, and when they are destroyed. More successful deployments use solutions which make this typically burdensome process more effective and which provide efficiencies on top of the expected security and access controls.
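One way to make key activity provable, shown as an added example that is not from the original article or any vendor's product: each lifecycle event is appended to a log in which every record carries an HMAC over its content and the previous record's MAC, so an edited or removed record is detectable. The key name `db-key-1`, the actor names and the audit MAC key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the MAC key is held by an audit function, not by the key admins.
AUDIT_KEY = b"constructed-audit-mac-key"
LIFECYCLE = {"generate", "rotate", "access", "export", "import", "destroy"}
FIELDS = ("seq", "key_id", "action", "actor", "prev")

def _mac(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()

def append_event(log, key_id, action, actor):
    """Append one key lifecycle event, chained to the previous record's MAC."""
    if action not in LIFECYCLE:
        raise ValueError(f"unknown lifecycle action: {action}")
    body = {"seq": len(log), "key_id": key_id, "action": action,
            "actor": actor, "prev": log[-1]["mac"] if log else ""}
    log.append({**body, "mac": _mac(body)})

def verify(log):
    """Return the index of the first altered or missing record, or None."""
    prev = ""
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in FIELDS}
        if rec["seq"] != i or rec["prev"] != prev \
                or not hmac.compare_digest(_mac(body), rec["mac"]):
            return i
        prev = rec["mac"]
    return None

def who_touched(log, key_id):
    """Map each lifecycle action on key_id to the actors that performed it."""
    report = {}
    for rec in log:
        if rec["key_id"] == key_id:
            report.setdefault(rec["action"], set()).add(rec["actor"])
    return report

def sample_log():
    """Constructed events for a hypothetical key 'db-key-1'."""
    log = []
    for action, actor in [("generate", "kms-admin"), ("access", "app-server"),
                          ("export", "backup-svc"), ("rotate", "kms-admin"),
                          ("destroy", "kms-admin")]:
        append_event(log, "db-key-1", action, actor)
    return log
```

A chain like this does not reveal records trimmed from the end of the log, so the most recent MAC also has to be stored somewhere the log's writers cannot reach.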
Strike 2. Failure to continuously monitor activity
- Has there been an attempt to circumvent the encryption process, and how do you know? What if an authorized user is performing a massive data transfer, but they are doing it off-hours on a weekend? Would this stand out as abnormal? Reviewing unauthorized access attempts is important, but so too is reviewing authorized access with other abnormalities. As with key management, it is important to be able to continuously monitor who has authorized access, and to log and alert if there is something which does not add up. Insiders who are compromised or decide to go rogue have the ability to try to circumvent the solution, but solutions which are constantly monitoring will be able to ensure any attempt to tamper is foiled quickly. Hence, this is a multipronged approach: data layer encryption, rigorous monitoring for obvious unauthorized attempts, and monitoring of users who are allowed access but whose behavior does not align with policies. Monitoring usage patterns aids in identifying whether the one who has access to the data is in fact legitimate and not compromised or going rogue.
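The two checks described above, run over a constructed access log, as an added example that is not from the original article: repeated denied attempts, and authorized reads whose off-hours volume exceeds policy. The log format, user names, business hours and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, user, policy decision, bytes read from protected data
SAMPLE_LOG = """\
2016-03-09T10:15:00 alice ALLOW 52000000
2016-03-09T14:02:00 bob ALLOW 8000000
2016-03-10T11:30:00 alice ALLOW 47000000
2016-03-11T09:45:00 mallory DENY 0
2016-03-11T09:46:00 mallory DENY 0
2016-03-11T09:47:00 mallory DENY 0
2016-03-12T02:10:00 bob ALLOW 4200000000
2016-03-12T02:40:00 bob ALLOW 3900000000
2016-03-14T09:05:00 alice ALLOW 61000000
"""

# Assumed policy values; tune to the organization's own baseline.
BUSINESS_DAYS = range(0, 5)             # Monday..Friday
BUSINESS_HOURS = range(7, 19)           # 07:00..18:59
OFF_HOURS_BYTES_LIMIT = 1_000_000_000   # per user per day
DENY_LIMIT = 3                          # denied attempts per user per day

def parse(line):
    ts, user, decision, nbytes = line.split()
    return datetime.fromisoformat(ts), user, decision, int(nbytes)

def off_hours(ts):
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS

def detect(log_text):
    """Return alerts as (day, user, rule, value) tuples."""
    denies = defaultdict(int)      # (user, day) -> denied attempts
    off_bytes = defaultdict(int)   # (user, day) -> bytes read off-hours
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, decision, nbytes = parse(line)
        if decision == "DENY":
            denies[(user, ts.date())] += 1
        elif off_hours(ts):
            off_bytes[(user, ts.date())] += nbytes
    alerts = []
    for (user, day), count in sorted(denies.items()):
        if count >= DENY_LIMIT:
            alerts.append((str(day), user, "repeated-denied-access", count))
    for (user, day), total in sorted(off_bytes.items()):
        if total > OFF_HOURS_BYTES_LIMIT:
            alerts.append((str(day), user, "off-hours-bulk-read", total))
    return alerts
```

In the sample, bob is an authorized user throughout; only the Saturday 02:00 transfers raise an alert, which is the case an unauthorized-access review alone would miss.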
Strike 3. Leaving encryption to the cloud storage provider
- Cloud storage providers certainly provide valuable services, but there’s more that companies can do to further secure their data. Many cloud providers tout data encryption, but encrypting the data prior to transfer to maintain privacy is a step many should consider. In doing so, data owners don’t need to surrender control of the keys and they remain in full control of stored data. This gives data owners the peace of mind of knowing their data, while entrusted to the cloud provider, is further protected from unauthorized access. Security leaders can be assured that they retain control and visibility over data copied to storage providers such as Box or Amazon S3, through policies which they govern. Therefore, if there is any unauthorized access to data by the cloud storage provider or an attacker, or even if the data has been subpoenaed, the data is still protected because the key is retained by the owner. Essentially, coverage begins on-premises and extends to cloud storage.
Many of these core principles are strong when implemented independently, but collectively they provide an even more formidable solution. In summary, security is further strengthened with an encrypt-everything approach. But there is a need to ensure that the keys to communication are not compromised and that there is a watchful eye for anomalous behavior, especially when playing away without home field advantage, such as in the cloud.