IT Focus Area: security
November 6, 2018
7 Key Elements of a Successful Encryption Strategy
The world is run on codes and ciphers. From emails to ATMs, entertainment and shopping online, cryptography inhabits our every waking moment. In fact, life as we know it would be practically impossible without it.
Cryptography is the science of secret communication. Its fundamental objective is to enable communications over an insecure channel in such a way that a potential adversary cannot understand what is being conveyed.
The global proliferation of cyber attacks has led one particular component of cryptography —encryption — to become critical in the effort to safeguard sensitive data and intellectual property (IP).
Data Breach Damage
Inadequate security and eager cybercriminals have led enterprise data breaches to increase at an alarming pace. Staggering numbers of affected customers — and financial losses — continue to send shock waves through the business world, and threaten user trust. A total of six social media breaches, including the Cambridge Analytica-Facebook incident, accounted for over 76 percent of total records compromised during the first half of 2018.
Making matters worse, the Internet of Things (IoT) is providing new ways to gain access to systems and data. Every IoT device is an endpoint, and therefore a potential back door for hackers. They can also be used as weapons; millions of devices — everything from routers, security cameras and DVRs to medical devices, cars and more — have been infected with malware, and repurposed as zombie armies by cyber attackers looking to direct their power towards targets of their choosing. Manufacturers are not doing enough to protect devices, and consumers are backing away from companies that have been breached.
DNS provider Dyn lost nearly 15,000 customers after suffering a massive DDoS attack backed by a Mirai IoT botnet. "That is frightening," said Raj Samani, Chief Scientist at McAfee. "You can still be unfairly impacted just because other people didn't do the right thing."
Many connected device manufacturers prefer to use cheaper chips as opposed to ones that come with higher levels of security.
Manufacturers are trading off encryption for low-power chips, lower prices, storage space, and battery life. — Marc Bown, Senior Director, Security at Fitbit
The Importance of Being Encrypted
Finding a way to ward off cyber intruders has become a critical challenge. When asked how to do this during a press conference, notorious former NSA contractor Edward Snowden said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Encryption is a key element of comprehensive data-centric security. An intriguing example of the strength of encryption is “Kryptos”— a sculpture with a mysterious 865-character encrypted message on four large copper sheets. Kryptos has been on display at CIA headquarters in Langley, Virginia for 27 years and has become an obsession for would-be code-breakers. While it has received a lot of attention, nobody — not even the NSA — has been able to decrypt its entire message.
End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against IoT-enabled breaches, and maintain regulatory compliance. But the wide variety of options for enterprise deployment can be intimidating, and companies haven’t been using it effectively.
According to security company Gemalto's Breach Level Index, 944 data breaches led to 3.3 billion data records being compromised worldwide in the first half of 2018, a 72 percent increase over the first half of 2017. That’s over 18 million records exposed every day, or 214 records every second, including credit card and/or financial data or personally identifiable information.
It is not surprising that sophisticated hackers were able to access these records; what is surprising is that of all of the data breach incidents, only two percent involved data that was encrypted and therefore unusable.
So how can companies start using encryption to protect data?
Organizations can leverage encryption to provide persistent data protection by anchoring it with a comprehensive strategy that incorporates a complete lifecycle process along with the technology solution.
Encryption is a process based on a mathematical algorithm (known as a cipher) that makes information hidden or secret. Unencrypted data is called plain text; encrypted data is referred to as cipher text. In order for encryption to work, a code (or key) is required to make the information accessible to the intended recipients.
A Wake-Up Call
Edward Snowden had the keys to the data he leaked, which highlights the need to consider encryption as part of a broader data protection strategy, and focus on how encryption keys and digital certificates are used. Encrypted traffic and the use of encryption as an authentication mechanism within an organization's network is generally trusted, and direct access to keys and certificates allows anyone to gain elevated privileges. Snowden was a low-level SharePoint administrator who took advantage of the fact that keys and certificates are blindly trusted to elevate his privileges and enter areas where he should not have had access. In order to prevent this type of activity and “access creep”, organizations should implement solutions that create separation of duties. These controls, which include application and database security as well as identity and access management tools, will help to ensure that encryption keys and certificates cannot be accessed directly, and promote increased awareness and accountability of employees’ actions within the company.
Choosing What to Encrypt
Before enterprises can decide how to encrypt, they have to determine what to encrypt.
Developing an encryption program should be part of an overall enterprise risk management and data governance planning process. A comprehensive approach that considers specifically which data sets — structured, or unstructured — should be encrypted, and how key management should work will generate greater efficiency and effectiveness for an IT organization.
There is no single universal standard for encrypting all data, on all systems, all the time. A successful approach will depend on the sensitivity and risk level of your organization’s information and its data storage methods. The first step is understanding the different types of encryption, and what encryption can and cannot do.
Three States of Data
In order for data to be secure, it must be protected throughout its lifecycle. It is therefore important to consider the state of the data you are trying to protect: data in motion (data being transmitted over a network), data at rest (in your data storage area or on desktops, laptops, mobile phones, tablets and Iot devices), or data in use (in the process of being generated, updated, erased, or viewed). Each presents unique challenges. And each may have different tools and methodologies that can be used to secure it.
Encryption types for data-at-rest include the following:
Full Disk Encryption (FDE) for endpoint protection
Full Disk Encryption with Pre-Boot Authentication (FDE w/ PBA) for endpoint protection
Hardware Security Module (HSM) for key management lifecycle protection
Encrypting File System (EFS) for storage protection
Virtual Encryption for storage protection
File and Folder Encryption (FFE) for unstructured data protection
Database Encryption for structured data protection
Encryption types for data-in-motion include (but are not limited to) the following:
Virtual Private Network (VPN) for remote access
Wi-Fi Protected Access (WPA/WPA2) for wireless access
Secured Sockets Layer (SSL) for Web browser to server communications
Secure Shell (SSH) for secure remote systems administration
The most common method of protecting data in motion is the use of a secure sockets layer virtual private network (SSL VPN). Technologies such as SSL VPN are critical in the effort to protect against man-in-the-middle attacks and packet sniffers.
The Data-in-Use Challenge
Cloud computing has created the need to secure data in use as third-party providers increasingly host and process data. But data-in-use is the hardest to protect, since it almost always has to be decrypted and therefore exposed in order to be used. This opens up servers to attack by a technique called RAM scraping, which examines the memory of the running web server and extracts data while it is in its processed, unencrypted state.
Because decryption keys and decrypted data must be completely unavailable to an attacker in order for encryption to provide security, alternate controls are usually provided in an environment where either the keys or the data are in use. Enterprises deploying cloud services should look for a distributed solution such as HSM to keep keys secure and out of the service provider’s control. Security companies are starting to address the data-in-use encryption security gap by introducing new products such as “fully homomorphic” encryption that could potentially enable unrestricted analysis of encrypted information, as well as full memory encryption, which limits clear text data to the CPU internal cache.
The most common type of encryption for protecting email is asymmetric or Public Key Infrastructure (PKI). PKI is widely deployed for handling key distribution and validation, and consists of the following:
A certificate authority (CA) that issues and verifies digital certificates. A certificate is an electronic document used to prove ownership of a public key
A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
One or more directories where the certificates (with their public keys) are held
A certificate management system
Building Your Strategy
It’s imperative to remember that your encryption project — and IT security in general — is a process, not a product. Effective encryption takes time; in addition to careful consideration of data states and encryption techniques, seven key elements can help you build a successful end-to-end approach:
Creating an encryption strategy requires a collaborative effort. It is best to approach it as a major initiative that includes members of management, IT and operations. Start by bringing together key data stakeholders and work to identify the regulations, laws, guidelines and external influences that will factor into purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, mobile devices, wireless networks and data backups.
2. Data classification
It is important to leverage encryption as part of your broader IT security efforts. Companies that don’t have an effective data classification and/or prioritization program in place tend to struggle with data encryption.
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information. Information is divided into predefined groups that share a common risk, and the corresponding security controls required to secure each group type are detailed. Classification tools can be used to improve the treatment and handling of sensitive data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive and how it should be protected.
3. Key Management
Guard your keys. If keys and certificates are not properly secured the organization is open to attack, no matter what security controls are in place. Many organizations have tens of thousands of keys and certificates, with no clear understanding of their inventory. They do not know how keys and certificates are being used, what systems they provide access to, or who has control over them. It is imperative that organizations understand which keys and certificates are used in the network, who has access to them, and how and when they are being used. The first step in gathering this information is to gain a clear understanding of the organization’s inventory by centrally managing keys and certificates. This will enable you to detect anomalous behavior, such as rogue self-signed certificates. Critical aspects of key management include the following:
Encryption Key Lifecycle Management:
While encryption key lifecycle management can be overwhelming to organizations with a large number of keys, there is no way to validate the integrity of the keys and by extension, the integrity of the data itself, without it. Keys must be protected with a reliable key management solution from the moment they are created through their lifecycle of initiation, distribution, activation, deactivation and termination.
Heterogeneous Key Management:
A centralized key management platform allows for unified access to all of the encryption keys and a 360-degree "single pane of glass" view into the overall strategy. Requiring all keys to be managed from the same place, in the same way, allows for a granular understanding of how the keys are being used and more importantly, whether they are being accessed incorrectly. Without an overarching heterogeneous key management solution, the organization will be continuously chasing after rogue keys and struggling to ensure encrypted data is valid and able to be decrypted when necessary.
The deployment of HSMs can help to protect the key management lifecycle in complex environments.
4. Finding the Right Solution for Your Environment
Once you have established your key management needs it is time to evaluate and implement encryption solutions. There are many options and factors to consider. A “try-before-you-buy” approach is best because what works for one organization may not work for another. Companies should explore working with a vendor-independent partner who can help test potential solutions and find the best fit for their environment.
5. Access Control
Ensuring that only authorized users can access data is critical in the effort to prevent it from being tampered with by anyone inside or outside of the organization. A successful encryption strategy defines strong access-control techniques, using adequate combinations of file permissions, passwords, and two-factor authentication. Access controls must be audited on a regular basis to ensure their validity.
Prior to deployment, a written policy should be developed, endorsed by management and communicated to end-users, including business partners and third parties (including any cloud providers) that handle sensitive data. If they cannot meet your company’s policies, they don’t get your data. Otherwise, you risk running into a compliance problem. Encryption responsibility should be fixed and carry consequences for noncompliance.
7. SSL Decryption
While encryption is a great way to protect data, it is also a great way to hide threats. Most network security controls cannot decrypt and inspect HTTPS (SSL) traffic. As more applications turn to SSL encryption to help keep users secure — Facebook, Twitter, YouTube, Google Search and DropBox to name a few — they are inadvertently hampering the ability of enterprises to ensure malicious code isn’t making its way into network traffic. Cyber attackers are exploiting this vulnerability, so when choosing the right encryption solutions for your organization, it is necessary to also consider SSL decryption technology to ensure visibility into important data at points of ingress and egress.
Mitigate Risk, Maximize ROI
There are no silver bullets in IT security, and encryption is no exception. Targeted attacks have penetrated even the most secure and isolated computer systems over the past few years, forcing us to acknowledge the fact that it is virtually impossible to prevent attackers from breaching our networks and stealing our data. Encrypting sensitive data can add to an organization’s ROI in security and render data useless in the event of a breach, but only if it is part of a comprehensive strategy that incorporates encryption with key management, access control and SSL decryption. With careful planning and equal investments in people, process and technology, you can navigate the variety of enterprise encryption options at your disposal and stay ahead of threats while reducing complexity and compliance costs.
Find out how to mature your organization's security posture. Get your guide to transforming enterprise cybersecurity.