Endpoint // Privacy
4/21/2014
02:50 PM
Sol Cates
Sol Cates
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

FAQ: Understanding The True Price of Encryption

In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important.

I'm sure many of you have had mixed experiences with encryption techniques, architectures, and implementations that, in the wake of Heartbleed and the Dual_EC_DRBG scandal, point out the importance of getting encryption right -- and the costs of fixing problems when an implementation is weak, wanting, or compromised.

In those circumstances, the ability to patch or migrate your solution and rekey your data quickly is imperative. But, sadly, the reasons for encrypting data are often mandated, not part of a funded security initiative, and much more expensive than expected. If your organization -- like many others -- is searching for ways to make encryption cost-effective, easy, and scalable, the answers to this list of frequently asked questions may point you in the right direction.

What should I encrypt? There are three key questions to answer. What data needs protecting? (Often you will find that your data protection requirements grow over time.) What form (unstructured files, databases, logs, etc.) is the data in? And where is the data located -- in a datacenter, on your mobile device, in the cloud, or in a remote location.

How should I encrypt? Organizations will typically come up with a matrix of answers and, along with that, a complex web of potential approaches to achieve their encryption requirements. For example, organizations may be required to encrypt their data on a number of different applications. Their options per application will vary, and you could end up with multiple solutions for meeting one requirement.

What about the keys? Some encryption options are native to a platform, yet they lack a key (no pun intended) requirement -- key management -- that most encryption solutions must have to be compliant. We have found that, while encryption is often easy, the complexities of good key management are what organizations struggle with most. If you encrypt data with a key and leave that key with the data weakly protected, you might as well not encrypt it at all.

What risk are you removing? Encryption is often thought of as the ultimate weapon to protect data, but in practice, many implementations fall short on actually protecting data. Data has no defenses for itself; it must rely on the defenses of the environment in which it lives. If an organization encrypts its data with a self-encrypting disk, it is removing the physical risk of theft or data loss. It may have many privileged users and processes that interact with its data, but ensuring that encryption removes the risk is crucial.

Will it be cost-effective? The implementation and maintenance costs of encryption across multiple environments, use cases, and applications can add up quickly. It's not just the cost of licenses, but the operationalization of it, as well. Organizations need to ask themselves the following questions: Do I have to change code? Do I need multiple OS support? Do I need to get a key management solution?

Many Fortune 500 companies face issues with databases and file servers that require encryption because of a regulation called MAS, out of Singapore, that promotes sustained, non-inflationary economic growth through monetary policies and macro-economic surveillance of emerging trends and potential vulnerabilities. One chief security architect came to the realization that it would cost approximately $2.4 million in licensing and more 24 months to integrate encryption into just one custom application. To no surprise, he quickly did the math and found this unappealing.

What's the bottom line? Look for encryption platforms that offer lower total cost of ownership. You will find it easier to get the budget you need and create a secure way of doing business by allowing multiple ways to encrypt your data without having to change the way you run your business.

Sol Cates is the Chief Security Officer at Vormetric. As CSO, he ensures that Vormetric's internal security profile remains robust, while maintaining a strong pulse on technical and business decision-making processes. Cates partners with teams throughout the company and the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Apprentice
4/29/2014 | 8:44:59 AM
Re: Cost effective is not enough to win the war
Thank you. I think that file encryption with proper key management can protect media (os files and backups) but not the data flow (that now increasingly is under attack).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:38:52 AM
Re: Cost effective is not enough to win the war
Thanks for your thoughtful comment, Ulf, and also for raising the issue of data security and big data in the context of encryption, cloud computing and the recently released Verizon DBIR. That's a lot to think about! To  your point:

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory. My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.


If file encryption "won't stop the bad guys," in the era of cloud and big data, what is it's proper role?

Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Apprentice
4/26/2014 | 10:28:49 AM
Cost effective is not enough to win the war
The good news is that the Verizon's "2014 Data Breach Investigations Report," is now available for download.

The bad news, as Wade Baker, principal author of the Data Breach Investigations Report (DBIR) series, says is that: "After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning."

My view is that that we are now more concerned about attackers that are targeting our data flow, including data in memory since the DBIR reported that "RAM scrapers" went from a low #17 in 2012 and shoot up the charts to a very concerning #4 spot in 2013. 

My view is that that we are now less concerned about attackers that are targeting our stored data since the DBIR reported that "Capture stored data" went from a #4 in 2012 and to a less concerning #9 spot in 2013 and "Privilege abuse" went from a #14 in 2012 and to a less concerning #17 spot in 2013.

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory.

My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

An important development was the addition of coarse-grained volume or file encryption will only solve one problem, protecting data at rest, but considering one of the primary goals is using the data, one might suggest that it provided little in the grand scheme of Data security.  Sensitive data in use for analytics, traveling between nodes, sent to other systems, or even just being viewed is subject to full exposure.

What they're seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and data utility. This balance is critical for Big Data and Cloud platforms.

Emerging Big Data and Cloud platforms are presenting new use cases that are requiring data insight for analytics, high performance and scalability for Big Data platforms cannot be achieved by old security approaches.  New security approaches are required since Big Data is based on a new and different architecture.

Big Data is introducing a new approach to collecting data by allowing unstructured data to be blindly collected. In many cases we do not even know about all sensitive and regulated data fields that are contained in these large data feeds. Analysis of the content is often deferred to a later point in the process, to a stage when we are starting to use the data for analytics. Then it is too late to go back and try to apply data security and compliance to regulations.

My view is that we now need to secure the data flow. The bad guys are no longer attacking stored data in files.

Ulf Mattsson, CTO Protegrity
theb0x
50%
50%
theb0x,
User Rank: Moderator
4/22/2014 | 10:33:00 AM
Encryption
I'm surpsied there are still software companies that actively utilize encryption schemes such as Blowfish cipher. Even with a 448 bit key it is still considered weak.

It's a poor choice of performance over security.

 
macker490
50%
50%
macker490,
User Rank: Ninja
4/22/2014 | 8:10:36 AM
Re: Key management must be part of the picture
this is an excellent post

those who have been following the "hacking" problem for a while will have probably realized that a failure to authenticate is a big part of the problem -- possibly the biggest part.   

the commercial sector keeps trying to provide authentication for us.   the Certificate Authorities provision of the SSL, TLS, and X.509 certificate system being the Prime Example.

still, attackers have broken through, -- Comodo and Digi-Notar being examples.

my take on this problem is that they have allowed the "attack surface" to become large.   Those familiar with Phil Zimmerman's original work will note that participation is required -- to maintain a proper Trust Model for PGP keys and/or x.509 certificates -- which rely on public key encryption

the resolution here may be to assign only marginal trust to the current method; each user should generate a key-pair for his/her system -- and then validate and countersign those certificate which require full trust.

examples of certificates needing full trust: Credit Union, online banking, online shopping, IRS reports,-- where there's money there will be scammers

another thing noted by Phil Zimmerman's original work: you must work from a secure o/s.   think about this. what are you using?    what sort of reputation does it have ?   is anything better available?

security is something you do not something you get.
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Moderator
4/21/2014 | 9:13:31 PM
Key management must be part of the picture
The key point here is, encryption alone is not good protection, even though to many users it is foolproof. On the contrary, encryption key management is what makes the process of encrypting work.
solcates
50%
50%
solcates,
User Rank: Author
4/21/2014 | 4:15:37 PM
Re: Rethinking encryption
Marilyn,

 

I think one of the biggest things to focus on in the advent of Heartbleed, is vendor management...  I had over 20 vendors effected by the Heartbleed bug, and had to focus our efforts on ensuring the vendor was responding quickly with a solution or effective workarounds.  

As with any software/hardware, there will be bugs.  It's the detection, and reaction to them is critical to get right.  
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:09:46 PM
Rethinking encryption
Thanks for a good overview on the ROI of encryption, Sol. In light of Heartbleed, what -- if any -- specific changes in corporate security would you recommend with respect to encryption. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.