The traditional and well-established approach to cyber security is to build multiple layers of defences to stop hackers or rogue insiders getting unauthorised access to data.
But you only have to follow the news headlines to see this does not always work. Determined criminals, hacktivists, or simply lucky hackers have a habit of finding a way through. It’s just a case of when. If we can neither keep attackers out nor fully trust the people already inside, we must rethink the traditional “castle and moat” methods of protection and adopt a data-centric approach, where security is built into the data itself.
Encryption is the technology that does this; but even though the concept has been around for millennia, there are still many myths and misunderstandings around it. In particular, many well-informed and well-intentioned chief information security officers fail to encrypt their data when and where it is most vulnerable. Too often, they rely on full disk encryption, which is excellent for protecting data on a powered-off system: if you leave your laptop or USB stick on the train, no one is going to be able to decrypt and steal your data. But once the system has booted and the disk has been unlocked, the operating system hands plaintext to every process running on it, so malware, or an attacker with a session on that machine, reads the data in the clear. It’s a bit like seatbelts that only work when a car is parked.
The language around this technology doesn’t help. Here’s what Microsoft says about turning on device encryption: “Encryption helps protect the data on your device so it can only be accessed by people who have authorisation.” While this statement is technically true, the authorisation happens once, when the user unlocks the drive at boot. Thereafter, device encryption enforces no further control over who or what reads which file. Data is most vulnerable, and most valuable, when it’s in transit or in use.
Data in transit is digitised information traversing a network, such as when sending an email, accessing data from remote servers, uploading or downloading files to and from the cloud, or communicating via SMS or chat. Data in use is information actively being accessed, processed or loaded into dynamic memory, such as active databases, or files being read, edited or discarded.
Interception, including man-in-the-middle attacks, happens on networks the data owner does not control, which makes data in transit highly vulnerable. For example, attackers can use packet-capture (sniffer) tools to record data as it traverses a wired or wireless network in real time, then read anything that was not encrypted, such as passwords or credit card numbers. Data in transit therefore needs a different kind of encryption. The best known is transport layer security (TLS, the successor to the now-deprecated secure sockets layer, SSL), which secures most internet traffic as HTTPS. Other link-level schemes, such as WPA2/WPA3 for Wi-Fi and the encryption built into cellular networks, protect wireless and mobile traffic.
The limitation of these solutions is that data is protected only while it is on the move. It is processed unencrypted, travels encrypted, and is decrypted again on arrival. In some cases, data may be encrypted again at the target server if it is deemed sensitive, but what about all the information that gets downloaded to user endpoints? That is often the weakest point of security, and for cyber criminals it is the first place to look.
Data in use
While there are various crossover points among the states, data must be protected in all three – and during their transitions from one state to another. When a supplier or cloud service provider claims data is encrypted on its servers, that doesn’t mean it is protected in all three states. As well as data in transit to and from the cloud, or at rest on cloud servers, data is in use by active databases or cloud-based applications.
So, what’s the answer? How can data theft be defeated at rest, in transit and on a running system? File-level encryption goes with the data rather than being an attribute of the hardware it happens to be stored on or running on.
File-level encryption makes sure the data is intrinsically protected, underpinned by public key (asymmetric) encryption, which uses a key pair comprising a secret private key and a public key.
For data encryption, the public key encrypts while the private key decrypts. Public-key algorithms only encrypt small messages directly, so in practice each file is encrypted with its own symmetric content key, and that key is then encrypted with the recipient’s public key and stored alongside the file; only the matching private key can unwrap it. Since the public key is just that, it can be freely distributed to anyone, enabling seamless sharing. Without the private key, a file encrypted this way cannot be read wherever it is stored or sent, and while an authorised user works on it the plaintext exists only in the memory of that user’s process. That is what lets the same protection follow the data at rest, in transit and in use.
File-level encryption ensures data is encrypted as soon as a file is created, changed or transferred across the network. Furthermore, that encryption persists regardless of where the file goes – whether moved to another drive, archived on backup media, or stored in the cloud. This means that data moved maliciously or unintentionally by an insider still remains encrypted and protected.
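The scheme described above, as an added example that is not part of the original article nor SecureAge's own code: each file is sealed with a fresh AES-256-GCM content key, and only that key is encrypted to the recipient's RSA public key (RSA-OAEP). The key sizes, the struct layout and the sample file content are assumptions for illustration. The encrypted struct is what would be written to disk, copied to a USB stick or synced to the cloud; an insider with their own key pair gets an error, not data, and any modification of the stored bytes is detected rather than silently accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the form the file takes everywhere it travels: on disk,
// on removable media, in a backup or in cloud storage. Nothing in it is
// readable without the recipient's private key. (Layout is illustrative.)
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, encrypted with RSA-OAEP to the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per encryption
	Ciphertext []byte // AES-256-GCM ciphertext with the authentication tag appended
}

// NewKeyPair generates a recipient key pair (2048-bit RSA, an illustrative size).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile seals plaintext for the holder of pub. A fresh random content
// key encrypts the file body; only that small key goes through RSA, which is
// how public-key encryption is applied to files of arbitrary size.
func EncryptFile(plaintext []byte, pub *rsa.PublicKey) (*EncryptedFile, error) {
	contentKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile recovers the plaintext with priv. Any other private key, or any
// change to the stored bytes, yields an error rather than data.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("file body rejected: %w", err)
	}
	return plaintext, nil
}

func main() {
	owner, _ := NewKeyPair()
	insider, _ := NewKeyPair()
	// Constructed sample file content.
	secret := []byte("Q3 forecast: revenue 12.4M, headcount freeze from October")
	ef, err := EncryptFile(secret, &owner.PublicKey)
	if err != nil {
		panic(err)
	}
	// The same bytes copied elsewhere by an insider stay ciphertext to them.
	if _, err := DecryptFile(ef, insider); err != nil {
		fmt.Println("insider with own key:", err)
	}
	ef.Ciphertext[0] ^= 0x01 // a tampered copy is rejected, not decrypted
	if _, err := DecryptFile(ef, owner); err != nil {
		fmt.Println("tampered copy:", err)
	}
	ef.Ciphertext[0] ^= 0x01
	pt, _ := DecryptFile(ef, owner)
	fmt.Printf("owner reads: %q\n", pt)
}
```

Because GCM authenticates the body and OAEP binds the wrapped key to one public key, a file that has been moved, archived or synced is exactly as protected as the original copy, which is the property the paragraph above relies on.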
Combining the benefits of public key cryptography with file-level encryption covers all three states of data. And by encrypting the packets in transport to create secure connections, as TLS does, data streams that are not in file form can also be protected.
Seamless approach
Another common misconception is that encrypting everything at source must be difficult to set up and manage, impacting performance and user experience. But this is not the case. It’s perfectly possible to deploy file-level encryption that encrypts all of your data, all the time, with no decisions or configuration of which folders to encrypt or not. That means there is no need to decide and classify what data is sensitive and should be protected. Rightly so – all data is considered sensitive. As far as the user is concerned, the complete process is transparent and seamless.
There’s no point in only protecting data when it’s least vulnerable, as with full disk encryption – or adding burdensome or inconvenient security measures such as expecting users to make the correct encryption or classification decisions. Data with any value is active, in transit, or accessible, making it highly vulnerable to user error or malicious attacks – precisely when encryption must work.
Encryption tools of various shapes and sizes can effectively prevent data loss or breaches, regardless of data state. But it’s not enough to point to the existence of some form of encryption and claim data and systems are secure. Wherever data resides, is processed, or travels, encryption must be there. When it comes to encryption, all has to mean all.
Nigel Thorpe is technical director at SecureAge, a supplier of data protection and encryption services