The traditional and well-established approach to cybersecurity is to build multiple layers of defense to stop hackers or rogue insiders from gaining unauthorized access to data.
But just follow the headlines to see that it doesn’t always work. Determined criminals, hacktivists or merely lucky hackers keep finding a way through. It’s just a matter of when. If we cannot keep people out or trust the people around us, we need to rethink traditional methods of protection and take a data-centric approach, where security is built into the data itself.
Encryption is the only technology that does this, but even though the concept has been around for millennia, there are still many myths and misunderstandings surrounding it. In particular, many well-informed and well-intentioned information security managers fail to encrypt their data when and where it is most vulnerable. Too often they rely on full disk encryption, which is ideal for protecting data on a powered-down system: if you leave your laptop or USB key on the train, no one will be able to decrypt and steal your data. But as soon as the PC is turned on and the disk unlocked, data can be read from it in the clear, unencrypted. It’s a bit like seat belts that only work when the car is parked.
The language around this technology does not help. Here’s what Microsoft says about enabling device encryption: “Encryption helps protect the data on your device so that it can only be accessed by authorized people.” While this statement is technically true, authorization occurs when the user unlocks the disk drive at system boot time. Thereafter, no security checks are applied by device encryption. Data is most vulnerable and valuable while in transit or in use.
Data in transit is digitized information traversing a network: sending email, accessing data on remote servers, uploading or downloading files to and from the cloud, or communicating by SMS or chat. Data in use is information that is actively being accessed, processed, or loaded into dynamic memory, such as an active database or a file being read, modified, or deleted.
Interception by third parties, or man-in-the-middle attacks, occurs outside of controlled environments, making data in transit highly vulnerable. For example, attackers can use sniffer tools to capture data in real time as it traverses a wired or wireless network, and then read any unencrypted content such as passwords or credit card numbers. When data is in transit, another type of encryption is required. The best known is Secure Sockets Layer/Transport Layer Security (SSL/TLS), which secures most Internet traffic as HTTPS. Many other encryption schemes protect Wi-Fi and mobile phone traffic.
The problem with these solutions is that data is only protected while it is on the move. Data is processed in an unencrypted state, travels encrypted, and is decrypted again when it arrives at its destination. In some cases data is encrypted on the target server if it is deemed sensitive, but what about all the information that is downloaded to users’ endpoints? This is often the weakest point of security, and for cybercriminals it is the first place to look.
Data in use
Although there are crossover points between the states, data must be protected in all three, and during its transitions from one state to another. When a vendor or cloud service provider claims that data is encrypted on their servers, that doesn’t mean it is protected in all three states. In addition to data in transit to and from the cloud, or at rest on cloud servers, there is the data in use by active databases or cloud-based applications.
So what’s the answer? How do you combat data theft at rest, in transit, and on a running system? With file-level encryption, the protection accompanies the data rather than being an attribute of the hardware on which it happens to be stored or executed.
File-level encryption ensures that data is inherently protected. It is backed by public-key (asymmetric) encryption, which uses a key pair comprising a secret private key and a public key. In practice the file contents are encrypted with a fast symmetric cipher under a per-file key, and it is that per-file key that is wrapped with the recipient’s public key; the public key operates on the key, not on every byte of the file.
For data encryption, the public key encrypts while the private key decrypts. Since the public key is just that, it can be freely distributed to anyone, allowing for seamless sharing. Without the private key, data encrypted with the public key cannot be decrypted, so a file stays protected at rest and in transit. Protection in use then comes down to which users and processes are allowed to hold the private key: the file is decrypted into memory only for an authorized application, and any copy taken from anywhere else remains ciphertext.
File-level encryption ensures that data is encrypted whenever a file is created, modified, or transferred over the network. Additionally, this encryption persists no matter where the file goes – whether it’s moved to another drive, archived to backup media, or stored in the cloud. This means that data moved maliciously or unintentionally by an insider remains encrypted and protected.
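The mechanism described above, hybrid file encryption with a per-file symmetric key wrapped under the recipient’s public key, as an added example that is not the page’s or SecureAge’s own code. It assumes RSA-OAEP for key wrapping and AES-256-GCM for the file contents, and the envelope layout (a 2-byte length prefix, wrapped key, nonce, ciphertext) is a hypothetical format chosen for illustration; `oaepLabel` and the sample card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	nonceLen = 12 // standard AES-GCM nonce size
	tagLen   = 16 // AES-GCM authentication tag size
)

// oaepLabel binds the wrapped key to this envelope format (hypothetical label).
var oaepLabel = []byte("file-key-v1")

// Envelope is what travels with the file: the per-file AES-256-GCM key wrapped
// under the recipient's RSA-OAEP public key, the GCM nonce, and the ciphertext
// followed by its authentication tag.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals plaintext for the holder of the private key matching pub.
// Anyone with pub can produce an envelope; only the private key can open it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // fresh 256-bit key for this file only
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the file key with priv, then authenticates and decrypts the
// contents. A wrong key or a modified byte anywhere yields an error, not garbage.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Marshal lays the envelope out as one self-describing byte string:
// [2-byte big-endian wrapped-key length][wrapped key][12-byte nonce][ciphertext||tag]
// so the file can be copied to a USB key, backup media or cloud storage and still
// carries everything needed to open it, except the private key.
func (e *Envelope) Marshal() []byte {
	out := make([]byte, 2, 2+len(e.WrappedKey)+len(e.Nonce)+len(e.Ciphertext))
	binary.BigEndian.PutUint16(out, uint16(len(e.WrappedKey)))
	out = append(out, e.WrappedKey...)
	out = append(out, e.Nonce...)
	out = append(out, e.Ciphertext...)
	return out
}

// Unmarshal parses a blob produced by Marshal, rejecting truncated input.
func Unmarshal(blob []byte) (*Envelope, error) {
	if len(blob) < 2 {
		return nil, errors.New("envelope: missing header")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n+nonceLen+tagLen {
		return nil, errors.New("envelope: truncated")
	}
	p := blob[2:]
	return &Envelope{
		WrappedKey: append([]byte(nil), p[:n]...),
		Nonce:      append([]byte(nil), p[n:n+nonceLen]...),
		Ciphertext: append([]byte(nil), p[n+nonceLen:]...),
	}, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Encrypt(&priv.PublicKey, []byte("card 4111 1111 1111 1111")) // constructed sample
	blob := env.Marshal()
	fmt.Printf("%d bytes leave the machine, all of them ciphertext or wrapped key\n", len(blob))
	back, _ := Unmarshal(blob)
	pt, err := Decrypt(priv, back)
	fmt.Printf("right private key: %q err=%v\n", pt, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Decrypt(other, back)
	fmt.Printf("another private key: err=%v\n", err)
}
```

The point of the design is that the envelope, not the disk or the network session, is the unit of protection: the same bytes are equally opaque on the laptop, on the backup tape and in the cloud bucket, and opening them is an explicit act by whichever process holds the private key. GCM also means a tampered or truncated copy is rejected rather than decrypted into garbage.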
Combining the benefits of public-key cryptography with file-level encryption covers all three states of data. And by encrypting packets in transit to create secure connections, such as SSL/TLS, those data streams that aren’t in a file format can also be protected.
Transparent approach
Another common misconception is that encrypting everything at source must be difficult to configure and manage, and must hurt performance and user experience. But this is not the case. It is perfectly possible to deploy file-level encryption that encrypts all your data, all the time, without deciding or configuring which folders to encrypt or not. This means there is no need to decide and classify which data is sensitive and needs to be protected. Rightly so: all data is considered sensitive. As far as the user is concerned, the entire process is transparent and seamless.
There’s no point in only protecting data when it is least vulnerable, as full disk encryption does, or in adding cumbersome security measures such as expecting users to make the right decisions about encryption or classification. Data, regardless of its value, is most exposed to user error or malicious attack while it is active, in transit, or accessible, and that is precisely when encryption needs to work.
Encryption tools of different shapes and sizes can effectively prevent data loss or breaches regardless of the state of the data. But it is not enough to point out that some form of encryption exists and claim that data and systems are secure. Wherever data resides, is processed, or travels, encryption must be there. When it comes to encryption, everything has to mean everything.
Nigel Thorpe is Technical Director at SecureAge, a provider of data protection and encryption services.