With all the different hacks, data breaches and loss of personally identifiable information (PII) that are occurring, organizations are being challenged to encrypt their data throughout the data life cycle (from creation through destruction). But does today’s encryption technology really provide the level of confidentiality required in this totally Internet connected world?
There are three primary phases in which data can be encrypted: in transit, at rest and in use. Of these three phases, data in transit seems to provide the highest level of data protection. In this phase, encryption occurs between specific communicating devices. Protection provided by encryption in transit includes confidentiality against eavesdropping, sniffing and man-in-the-middle attacks. Applications such as VPN clients and browser-based HTTPS provide strong encryption processes, which protect the confidentiality of data and make it very difficult for unauthorized users to intercept.
It is common practice for organizations to encrypt data transmitted from remote devices; however, data that is being transmitted on internal networks typically goes unencrypted. There is a perception that data being transmitted on the internal network, or to remote facilities, is secure and therefore does not require encryption. Nevertheless, organizations’ internal networks can be easily breached, making data vulnerable to the same risks of eavesdropping, sniffing and man-in-the-middle attacks.
Consultants, vendors and individuals off the street not only have access to wireless networks, but also often have access to network jacks in conference rooms, cafeterias and other common areas. Also, devices that do not require direct authentication (e.g., printers, scanners, industrial controls) can be infected with malware that can eavesdrop, sniff or capture traffic and send information out to the Internet.
Past concerns over implementing encryption for internal data in transit included increased overhead on servers, network devices and end user workstations, which could cause system delays, loss of connectivity and loss or corruption of data. Many of today’s server and network technologies, though, have data encryption capabilities built in, allowing easier configuration and implementation and minimizing the impact on utilization. Implementing encryption of data in transit from endpoint to endpoint, both remotely and internally, is mandatory in today’s cyber risk environment.
Another phase of data encryption is the encryption of data at rest. Implementing encryption for data at rest is the easiest of all phases and, in fact, it is built in on many devices such as smartphones, tablets and PCs. There really is no reason not to encrypt all data on these devices; however, there are some major limitations of encrypting data at rest. Users and applications must be able to read data in order to use it. Consequently, when a user or application logs into the system, the data must appear decrypted. This is both necessary and a major vulnerability: when a user or application logs in, all data they have access to, including data at rest, becomes readable. So, if a user’s device or application is infected with a virus, malware, etc., and they log in, all data on their system, or on systems they can access, becomes available to a hacker.
The last phase of data encryption is encryption of data in use. As noted in the data-at-rest section above, in order to make use of data, it must be readable, that is, decrypted. Many applications, database companies and cloud service providers are claiming different levels and characteristics of encrypted data in use.
But current technology does not make this completely possible. Encryption of data in use relies heavily on encryption of data at rest, combined with strong authorization and access controls. By allowing only authorized users, limiting their access according to the principle of least privilege, and performing on-the-fly decryption of data upon access, companies are providing a minimal level of encryption of data in use.
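To make the model in the two paragraphs above concrete, here is an added example, not code from the article: records are stored encrypted at rest, and a broker decrypts them on the fly only for principals granted access to that specific record. The names (`AccessBroker`, `encrypt`, `decrypt`) are hypothetical, and HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a real AEAD such as AES-GCM; the point it shows is that least privilege lives in the broker's per-record check, not in the cipher, so a valid but stolen credential still yields plaintext, while access to the storage layer alone does not.

```python
import hashlib
import hmac
import os

def _subkey(key, label):
    # Derive separate encryption and MAC keys from one data key (domain separation).
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # encrypt-then-MAC blob, stored at rest

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record was altered at rest")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class AccessBroker:
    """Records encrypted at rest; decrypted on the fly only for granted principals."""
    def __init__(self, key):
        self._key = key
        self.store = {}     # record_id -> ciphertext blob (what the storage layer holds)
        self._grants = {}   # record_id -> set of principals allowed to read it
        self.audit = []     # (principal, record_id, outcome), for detection

    def put(self, record_id, plaintext, allowed):
        self.store[record_id] = encrypt(self._key, plaintext)
        self._grants[record_id] = set(allowed)

    def read(self, principal, record_id):
        # Least privilege is enforced here, per record, not by the cipher:
        # a valid but stolen credential passes this check and receives plaintext.
        if principal not in self._grants.get(record_id, ()):
            self.audit.append((principal, record_id, "denied"))
            raise PermissionError(f"{principal} has no grant on {record_id}")
        self.audit.append((principal, record_id, "decrypted"))
        return decrypt(self._key, self.store[record_id])
```

The audit trail is where a defender sees the difference between the two failure modes the article describes: denied reads from an unauthorized principal, and an unusual volume of successful decryptions from a compromised but valid one.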
Based on the functionality of encryption within the different phases, it should be clear that encryption is not a silver bullet for the protection of data.
Encryption of data in transit, even when applied across both internal and remote networks, can be compromised by placing malware on authorized devices, where it can eavesdrop on or sniff data as it traverses the enterprise. Encryption of data at rest can likewise be overcome by placing malware on an authenticated device, and it can also be bypassed by unauthorized users who illegally obtain valid user IDs and passwords with rights to view the data. Encryption of data in use with existing technologies applies the same rules as the data-at-rest phase, only more strictly, and can therefore be compromised in the same ways.
Encryption is designed to provide an additional layer of data protection, but well-defined authorization policies and strict access controls, granting only the least privilege necessary for a user to perform their functions, are still required to protect data.
If hackers get into a network, but are unable to gain authorized access with valid credentials, encryption will protect data from being read, copied or manipulated. However, cyber incidents facilitated by gaining unauthorized access to systems using valid user credentials, such as phishing scams or social engineering, can allow hackers complete access to decrypted data.
Jerry Irvine is CIO of Prescient Solutions and a member of the National Cybersecurity Task Force. He’s previously written for Homeland Security Today, and was profiled in the March 2014 issue of Homeland Security Today.