The encryption challenge

It is critical to take the attitude that data must be protected at source.

There are many encryption challenges in the tech world today, particularly as encryption becomes the norm for businesses as a fundamental of data security rather than a nice-to-have. An increasing number of organisations worldwide are adopting encryption to address growing concerns about data safety and data privacy, and to meet compliance regulations.

The prevalence of data breaches has played a huge role in this, along with the growth of mobile and public cloud services becoming the norm in enterprise IT infrastructure. For example, a number of hacks have underlined the risks of using third-party storage or Enterprise File Sync and Share (EFSS) solutions either as a primary storage solution for corporate data or where employees are allowed to put corporate data onto their personal accounts.

But it’s not just cloud services: working with files or cloud services through unauthorised hardware such as home computers or mobile devices increases the risk of a security breach. This could be a hack, or data being shared accidentally in unencrypted form with an unauthorised person. Devices off the corporate network, operating in the shadows, are not protected to the same level as those known to corporate IT, and the same is true of cloud services. They will not be subject to the same corporate and regulatory (HIPAA, SOX, PCI, etc.) policies on encryption, authentication, identity and access management, threat detection, device management, or something as straightforward as password policy. The new EU General Data Protection Regulation (GDPR), set to come into force on 25th May 2018, will place significant responsibilities and penalties on those that process or store data relating to EU citizens, regardless of where in the world the company is located.

Protect your data at source

It is critical to take the attitude that data must be protected at source. This means knowing what controls are in place to govern the way data moves to internal and external network resources, and how it’s protected in those locations. Any data that you would fear losing, or that is sensitive in any way, should always be encrypted at the end point within the organisation. Taking that approach ensures that when data leaves the organisation it is already encrypted at those external end points, meaning access to the files remains completely under the control of the organisation and its centrally controlled encryption key server.

One example of where this is very valuable is when a personal cloud service account is used by an employee who then leaves the organisation. Without encryption the user retains access to those files, and the organisation has no way of removing them from the cloud service, or in fact from any other device. With centrally managed encryption, the user’s access can be removed in the software’s policy engine, and the user instantly loses the ability to decipher and read the encrypted files.
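The leaver scenario above, as an added illustration that is not code from the original article or from any vendor product: files are encrypted at the endpoint with a per-file data encryption key (DEK) that only a central key server holds, the key server releases a DEK only to users on that file's policy, and offboarding a user simply removes them from the policy. The `KeyServer` class, the user and file names, and the HMAC-SHA256 counter-mode cipher (a stand-in for a real AEAD such as AES-GCM) are all constructed for this example.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real AEAD such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, length, 32))
    return b"".join(blocks)[:length]

def encrypt_file(dek, plaintext):
    # Encrypt at the endpoint before the file reaches any cloud service: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(dek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(dek, nonce + ct, hashlib.sha256).digest()

def decrypt_file(dek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(dek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(dek, nonce, len(ct))))

class KeyServer:
    # Hypothetical central key server plus policy engine: a file's DEK is released only to users on its policy.
    def __init__(self):
        self._deks, self._policy = {}, {}
    def register_file(self, file_id, users):
        self._deks[file_id] = secrets.token_bytes(32)
        self._policy[file_id] = set(users)
        return self._deks[file_id]
    def revoke_user(self, user):
        for allowed in self._policy.values():   # offboarding: drop the user from every file policy
            allowed.discard(user)
    def release_key(self, user, file_id):
        if user not in self._policy.get(file_id, set()):
            raise PermissionError(f"{user} is not authorised for {file_id}")
        return self._deks[file_id]

def leaver_scenario():
    # Alice encrypts at her endpoint, syncs the file to a personal cloud account, then leaves the company.
    ks = KeyServer()
    dek = ks.register_file("q3-forecast.xlsx", {"alice", "bob"})
    cloud_copy = encrypt_file(dek, b"constructed sample: revenue forecast")  # what the EFSS provider stores
    alice_before = decrypt_file(ks.release_key("alice", "q3-forecast.xlsx"), cloud_copy)
    ks.revoke_user("alice")
    try:
        alice_after = decrypt_file(ks.release_key("alice", "q3-forecast.xlsx"), cloud_copy)
    except PermissionError:
        alice_after = None   # no key, so the copy still sitting in her cloud account stays unreadable
    bob_after = decrypt_file(ks.release_key("bob", "q3-forecast.xlsx"), cloud_copy)
    return {"alice_before": alice_before, "alice_after": alice_after, "bob_after": bob_after,
            "plaintext_in_cloud": b"forecast" in cloud_copy}
```

The cloud provider only ever holds ciphertext, so a credential breach at the provider, or a leaver's lingering personal account, yields nothing readable without the key server's cooperation.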

Encryption challenges

Data encryption is a time-tested tool that can severely hinder attackers in their goal of stealing confidential user and customer data, trade secrets, and more. In addition to complex regulations, the increasing adoption of new technologies such as mobility, cloud and virtualisation has made the need for encryption greater than ever before.

With more organisations encrypting more and more data, key management remains one of the biggest challenges. The problem with encryption has always been the management strategy: if you are working with different platforms, such as FDE, servers, file and folder, removable media, mobile devices, cloud IaaS and cloud EFSS, you should prepare your management strategy before undertaking the project. Having a unified tool that can perform the key management responsibilities and also maintain the different platforms is an essential part not only of implementation, but of ensuring solid ongoing security.

There are a lot of things to think about today when managing encryption and keys. Organisations should make sure they have a product that can reach the many different platforms within their organisation, since any platform could require encryption at some point. In addition, organisations should make sure the product they choose can manage all the keys spanning those different platforms. Below are just some examples of the different environments in which encryption might need to be managed for a typical enterprise.

• FDE (Full Disk Encryption)
  o BitLocker (take over and manage)
  o Software encryption
  o Apple FileVault (take over and manage)
  o SED (Self-Encrypting Drives)
• File and Folder Encryption
  o SFE (Secure File Encryption) with persistence
• Removable Media and Container Encryption
• Mobile Device Encryption
• Cloud IaaS (Private, Hybrid, Public)
  o AWS
  o Azure
  o VMware
  o Citrix Xen
  o Hyper-V
• Cloud EFSS
  o Google Drive
  o Dropbox
  o OneDrive
  o Box

Control over your data is one of the major benefits of centrally managed encryption keys, rather than leaving the keys with external service providers such as cloud storage services. This adds yet another level of protection should a breach of usernames/passwords occur at a third-party cloud service provider: the attackers cannot get the encryption keys.

It’s easy to see how things can quickly get very complex, and why it’s important that organisations enforce encryption automatically through their security policy to help avoid disaster. Encrypting at source may not stop a hacker from gaining access to the data, but it will prevent the data itself from being disclosed.

Data encryption, when executed properly, protects the sensitive information stored within any given organisation. Although there are many myths attributed to data encryption, the truth of the matter is that at its core, data encryption provides a foundational piece of any data security and cloud strategy. Many companies, when asked, think they are well protected from attack, but ultimately every company should expect to become the victim of a data breach, whether accidentally through a mis-sent employee email or a lost device, or through hacktivists or the nefarious intentions of cyber criminals. It’s only by taking that attitude that we’ll ensure we have the best protection we can in place.

Mark Hickman, Chief Operating Officer, WinMagic