Encryption is the big buzzword in this year's security conversations. As with most things in technology, the media, vendors and even people inside the security circles misunderstand it and over-promise it as the MUST HAVE security implementation. Whenever a big-name breach is revealed to have involved unencrypted data, the media throws encryption out there as the answer. It’s an attempt to paint encryption as the ultimate solution to security – “If you had used encryption the data wouldn’t have been lost!!!” In most cases this is 100% false. Encryption is one piece of a bigger pie and it doesn’t work the way most people think it does.
Right now the big push in enterprise environments is to encrypt ‘data at rest’, meaning data and files that are sitting in a repository or file share. Encrypt it and we’re protected. Whew…
…not so fast…
Here’s what encryption does in a nutshell:
- Encryption scrambles data so that it is unreadable from the outside, while allowing specific individuals to turn it back into its readable form.
- It prevents those without access from reading it, whether intentionally or accidentally.
- It protects the data, to an extent, in transit if one of the channels along the way is insecure.
Unless you have the key to how the data was scrambled you can’t read the data. But if you do have the key, the data can be seen. This is where the oversimplification of encryption starts: corporations focus only on encryption without understanding the whole picture of an information security architecture and the other components that need to be strengthened alongside it.
If you get carried away and build a complex encryption process, you end up with many keys to manage. As applications, users and systems need access to the encrypted data you have to distribute those keys; copies are made, and each time a key is handed out the effectiveness of the encryption is reduced. Eventually you are giving out keys to everyone and end up like a poorly managed Active Directory environment where everyone gets Domain Admin, because it’s easiest.
Encryption, like most security products, is meant to slow down and reduce the probability of data loss through theft, a forced breach, or mistake/loss. I say slow down because no encryption is unbreakable. The old myth is that the stronger the encryption, the more thousands of years it will take to break. Fujitsu in 2012 broke a 923-bit encryption key in 148.2 days. Most strengths used today are 128-bit or 256-bit. With the cheap cost of processing power, encryption is merely an obstacle to those that have the means and motivation.
Encryption is not security. Sure, encrypting a piece of data is fine and does make it more ‘secure’ in that it’s harder to read but once the data is out of your control it’s no longer secure, encrypted or not. Currently in the eyes of the law encrypted data does not constitute a reportable breach.
Encryption, by design, is 100% worthless against everyone that has access to the keys to decrypt the data for their use. Encryption is going to do nothing to prevent your sysadmins, business users, applications, and whomever else from accessing the data with the keys if they have the need to.
When you look at the Anthem breach, Target and the others, everyone’s first reaction is to blame the lack of encryption. As the details are revealed and explained by security experts you see that encryption would have done nothing; the breaches still would have occurred and the data still removed. Why? Because the breaches happened through accounts that had the access to decrypt, or to set up the process that decrypts. Encryption is worthless in that scenario.
Don’t read this the wrong way, I am pro-encryption, but only as an additional layer to the overall security framework and where it makes sense. Encryption has a big performance cost when you begin to introduce it so there is a trade-off in its use.
In another post I will talk about the difference between encryption, hashing and encoding. They are all ways to scramble data, but they are different and each has its place in an organization.
In my experience you get a far more effective security impact by tightening access control policies, segmenting the networks, isolating data sets, moving to a well-defined ‘need to have access’ model, hardcore governance, authorized approval workflows for any account use, alerting on logged activity, sirens going off when anyone touches sensitive data, in-line network protection that has a kill switch, and so on. Hackers are going after the users that have the access: it’s easier, more effective, there are far more targets to go after, and it is far more discreet than the Hollywood style of hacking that breaks through the firewall.
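To make the last point concrete, here is an added example (not from the original post) of the ‘sirens go off’ idea: instead of trusting the ciphertext, watch the decrypt capability itself and alert on who uses it and how much. The log format, the POLICY and PRIVILEGED sets, the ticket convention and the bulk threshold are all constructed for this example.

```python
# Added example, not from the original post: alerting on use of the decrypt
# capability rather than trusting the ciphertext. Log format, field names,
# POLICY, PRIVILEGED and BULK_THRESHOLD are assumptions constructed here.
import re

# Constructed 'need to have access' policy: data set -> accounts allowed to decrypt.
POLICY = {"member-pii": {"claims-app"}, "hr-payroll": {"payroll-svc"}}
# Accounts whose decrypt use must reference an approved change ticket.
PRIVILEGED = {"dba-admin"}
# An authorized application rarely decrypts more than this many records per run;
# an authorized account pulling far more is the breach pattern the post describes.
BULK_THRESHOLD = 1000

# Constructed key-service audit line format, e.g.
#   ts=... op=decrypt dataset=member-pii account=claims-app records=12 [ticket=CHG-1]
LINE = re.compile(r"ts=(?P<ts>\S+) op=decrypt dataset=(?P<ds>\S+) "
                  r"account=(?P<acct>\S+) records=(?P<n>\d+)(?: ticket=(?P<tk>\S+))?")

def parse(line):
    """Return a dict of fields for one decrypt event, or None if unparseable."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def check(event):
    """Return the list of alert reasons for one decrypt event (empty = clean)."""
    ds, acct, n, tk = event["ds"], event["acct"], int(event["n"]), event["tk"]
    reasons = []
    if acct not in POLICY.get(ds, set()):
        reasons.append("account outside need-to-have policy")
    if acct in PRIVILEGED and not tk:
        reasons.append("privileged account without approved ticket")
    if n > BULK_THRESHOLD:
        reasons.append("bulk decrypt by an otherwise authorized account")
    return reasons

def scan(lines):
    """Run every log line through check(); return (ts, account, dataset, reasons)."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not a decrypt event; ignore
        reasons = check(ev)
        if reasons:
            alerts.append((ev["ts"], ev["acct"], ev["ds"], reasons))
    return alerts

# Constructed sample log: normal app use, bulk pull by the same authorized app,
# an admin with a ticket touching a data set outside policy, and one without.
SAMPLE_LOG = [
    "ts=2015-02-05T02:10:00Z op=decrypt dataset=member-pii account=claims-app records=12",
    "ts=2015-02-05T02:41:00Z op=decrypt dataset=member-pii account=claims-app records=78000000",
    "ts=2015-02-05T03:02:00Z op=decrypt dataset=hr-payroll account=dba-admin records=3 ticket=CHG-4711",
    "ts=2015-02-05T03:15:00Z op=decrypt dataset=member-pii account=dba-admin records=50",
    "ts=2015-02-05T03:16:00Z op=login account=dba-admin result=ok",
]

if __name__ == "__main__":
    for ts, acct, ds, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {ts} {acct} on {ds}: {'; '.join(reasons)}")
```

The second sample line is the one that matters most: the account is fully authorized and holds the key, so encryption cannot stop it, and only the volume check notices anything.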
If you fall into the buzz that encryption is the answer you will find out the hard way when other layers are ignored or reduced under a false sense of encrypted security.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.