02:50 PM
Sol Cates
FAQ: Understanding The True Price of Encryption

In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important.

I'm sure many of you have had mixed experiences with encryption techniques, architectures, and implementations that, in the wake of Heartbleed and the Dual_EC_DRBG scandal, point out the importance of getting encryption right -- and the costs of fixing problems when an implementation is weak, wanting, or compromised.

In those circumstances, the ability to patch or migrate your solution and rekey your data quickly is imperative. But, sadly, the reasons for encrypting data are often mandated, not part of a funded security initiative, and much more expensive than expected. If your organization -- like many others -- is searching for ways to make encryption cost-effective, easy, and scalable, the answers to this list of frequently asked questions may point you in the right direction.

What should I encrypt? There are three key questions to answer. What data needs protecting? (Often you will find that your data protection requirements grow over time.) What form (unstructured files, databases, logs, etc.) is the data in? And where is the data located -- in a datacenter, on your mobile device, in the cloud, or in a remote location?

How should I encrypt? Organizations will typically come up with a matrix of answers and, along with that, a complex web of potential approaches to achieve their encryption requirements. For example, organizations may be required to encrypt their data on a number of different applications. Their options per application will vary, and you could end up with multiple solutions for meeting one requirement.

What about the keys? Some encryption options are native to a platform, yet they lack a key (no pun intended) requirement -- key management -- that most encryption solutions must have to be compliant. We have found that, while encryption is often easy, the complexities of good key management are what organizations struggle with most. If you encrypt data with a key and leave that key with the data weakly protected, you might as well not encrypt it at all.
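An added example of the key-management point above, and of the earlier remark that rekeying quickly after an incident matters; this is illustrative code written for this page, not code from the article or from Vormetric. It uses only Go's standard-library AES-256-GCM. The data key (DEK) is stored beside the data only in wrapped form, the key-encryption key (KEK) is held elsewhere, and rekeying means rewrapping the small DEK under a new KEK rather than re-encrypting the data itself. The type and function names (Record, Encrypt, Decrypt, RotateKEK), the AAD labels and the KEK ids are my own choices; the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what is stored beside the data. The KEK that unwraps the DEK is
// deliberately NOT part of it (in practice it lives in an HSM or key manager),
// so a copy of the stored record alone does not reveal the plaintext.
type Record struct {
	KEKID      string // identifies the KEK the DEK is wrapped under
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// NewKey returns 32 random bytes for use as an AES-256 key (KEK or DEK).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce. The AAD label binds the blob to its
// purpose so a wrapped key blob cannot be passed off as a data blob or vice versa.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil // nonce prefixed to output
}

func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Encrypt generates a per-record DEK, encrypts the data with it, and stores
// only the KEK-wrapped DEK next to the ciphertext.
func Encrypt(kekID string, kek, plaintext []byte) (*Record, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte("data"))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+kekID))
	if err != nil {
		return nil, err
	}
	return &Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data. Both steps
// fail closed on a wrong key or on tampered bytes (GCM authentication).
func Decrypt(kek []byte, r *Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte("dek:"+r.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", r.KEKID, err)
	}
	return open(dek, r.Ciphertext, []byte("data"))
}

// RotateKEK rekeys a record by rewrapping its DEK under a new KEK. The bulk
// ciphertext is untouched, which is what keeps rekeying cheap at scale.
func RotateKEK(r *Record, oldKEK []byte, newKEKID string, newKEK []byte) error {
	dek, err := open(oldKEK, r.WrappedDEK, []byte("dek:"+r.KEKID))
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, []byte("dek:"+newKEKID))
	if err != nil {
		return err
	}
	r.KEKID, r.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	kek1, _ := NewKey()
	kek2, _ := NewKey()
	rec, _ := Encrypt("kek-2014-04", kek1, []byte("constructed sample record"))
	_ = RotateKEK(rec, kek1, "kek-2014-05", kek2)
	_, oldErr := Decrypt(kek1, rec) // old KEK must now be rejected
	pt, newErr := Decrypt(kek2, rec)
	fmt.Printf("old KEK rejected: %v; new KEK plaintext: %q (err=%v)\n", oldErr != nil, pt, newErr)
}
```

The contrast with the weak pattern in the paragraph above is the location of the KEK: if it were written into Record, or left in the same database table or file share as the ciphertext, whoever copies the data copies the means to read it, and the encryption adds cost without removing risk. With the KEK held separately, a compromised KEK is handled by rewrapping every record's DEK, a pass over a few dozen bytes per record, while the data itself is never rewritten.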

What risk are you removing? Encryption is often thought of as the ultimate weapon to protect data, but in practice, many implementations fall short on actually protecting data. Data has no defenses of its own; it must rely on the defenses of the environment in which it lives. If an organization encrypts its data with a self-encrypting disk, it is removing the physical risk of theft or data loss, but nothing more: the many privileged users and processes that interact with that data on the running system still see it in the clear. Ensuring that the encryption you choose actually removes the risk you are worried about is crucial.

Will it be cost-effective? The implementation and maintenance costs of encryption across multiple environments, use cases, and applications can add up quickly. It's not just the cost of licenses, but the operationalization of it, as well. Organizations need to ask themselves the following questions: Do I have to change code? Do I need multiple OS support? Do I need to get a key management solution?

Many Fortune 500 companies face issues with databases and file servers that require encryption because of a regulation called MAS, out of Singapore, that promotes sustained, non-inflationary economic growth through monetary policies and macro-economic surveillance of emerging trends and potential vulnerabilities. One chief security architect came to the realization that it would cost approximately $2.4 million in licensing and more than 24 months to integrate encryption into just one custom application. Not surprisingly, he quickly did the math and found this unappealing.

What's the bottom line? Look for encryption platforms that offer lower total cost of ownership. You will find it easier to get the budget you need and create a secure way of doing business by allowing multiple ways to encrypt your data without having to change the way you run your business.

Sol Cates is the Chief Security Officer at Vormetric. As CSO, he ensures that Vormetric's internal security profile remains robust, while maintaining a strong pulse on technical and business decision-making processes. Cates partners with teams throughout the company and the ...

Ulf Mattsson
User Rank: Moderator
4/29/2014 | 8:44:59 AM
Re: Cost effective is not enough to win the war
Thank you. I think that file encryption with proper key management can protect media (OS files and backups) but not the data flow (that now increasingly is under attack).
Marilyn Cohodas
User Rank: Strategist
4/29/2014 | 8:38:52 AM
Re: Cost effective is not enough to win the war
Thanks for your thoughtful comment, Ulf, and also for raising the issue of data security and big data in the context of encryption, cloud computing and the recently released Verizon DBIR. That's a lot to think about! To your point:

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory. My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

If file encryption "won't stop the bad guys," in the era of cloud and big data, what is its proper role?

Ulf Mattsson
User Rank: Moderator
4/26/2014 | 10:28:49 AM
Cost effective is not enough to win the war
The good news is that Verizon's "2014 Data Breach Investigations Report" is now available for download.

The bad news, as Wade Baker, principal author of the Data Breach Investigations Report (DBIR) series, says, is that: "After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning."

My view is that we are now more concerned about attackers that are targeting our data flow, including data in memory, since the DBIR reported that "RAM scrapers" went from a low #17 in 2012 and shot up the charts to a very concerning #4 spot in 2013.

My view is that we are now less concerned about attackers that are targeting our stored data, since the DBIR reported that "Capture stored data" went from #4 in 2012 to a less concerning #9 spot in 2013 and "Privilege abuse" went from #14 in 2012 to a less concerning #17 spot in 2013.

I think that file encryption will not stop the bad guys. The bad guys are no longer attacking stored data. The bad guys are now attacking the data flow, including data in memory.

My view is that we now need to secure the data flow, including data in memory. The bad guys are no longer attacking stored data.

An important development was the addition of coarse-grained volume or file encryption, but it will only solve one problem, protecting data at rest; considering that one of the primary goals is using the data, one might suggest that it provided little in the grand scheme of data security. Sensitive data in use for analytics, traveling between nodes, sent to other systems, or even just being viewed is subject to full exposure.

What they're seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and data utility. This balance is critical for Big Data and Cloud platforms.

Emerging Big Data and Cloud platforms are presenting new use cases that require data insight for analytics; the high performance and scalability that Big Data platforms need cannot be achieved by old security approaches. New security approaches are required since Big Data is based on a new and different architecture.

Big Data is introducing a new approach to collecting data by allowing unstructured data to be blindly collected. In many cases we do not even know about all sensitive and regulated data fields that are contained in these large data feeds. Analysis of the content is often deferred to a later point in the process, to a stage when we are starting to use the data for analytics. Then it is too late to go back and try to apply data security and compliance to regulations.

My view is that we now need to secure the data flow. The bad guys are no longer attacking stored data in files.

Ulf Mattsson, CTO Protegrity
User Rank: Ninja
4/22/2014 | 10:33:00 AM
I'm surprised there are still software companies that actively utilize encryption schemes such as the Blowfish cipher. Even with a 448 bit key it is still considered weak.

It's a poor choice of performance over security.

User Rank: Ninja
4/22/2014 | 8:10:36 AM
Re: Key management must be part of the picture
This is an excellent post.

Those who have been following the "hacking" problem for a while will have probably realized that a failure to authenticate is a big part of the problem -- possibly the biggest part.

The commercial sector keeps trying to provide authentication for us, the Certificate Authorities' provision of the SSL, TLS, and X.509 certificate system being the prime example.

Still, attackers have broken through -- Comodo and DigiNotar being examples.

My take on this problem is that they have allowed the "attack surface" to become large. Those familiar with Phil Zimmermann's original work will note that participation is required -- to maintain a proper trust model for PGP keys and/or X.509 certificates -- which rely on public key encryption.

The resolution here may be to assign only marginal trust to the current method; each user should generate a key-pair for his/her system -- and then validate and countersign those certificates which require full trust.

Examples of certificates needing full trust: credit union, online banking, online shopping, IRS reports -- where there's money there will be scammers.

Another thing noted by Phil Zimmermann's original work: you must work from a secure O/S. Think about this. What are you using? What sort of reputation does it have? Is anything better available?

Security is something you do, not something you get.
Charlie Babcock
User Rank: Ninja
4/21/2014 | 9:13:31 PM
Key management must be part of the picture
The key point here is that encryption alone is not good protection, even though to many users it is foolproof. On the contrary, encryption key management is what makes the process of encrypting work.
User Rank: Author
4/21/2014 | 4:15:37 PM
Re: Rethinking encryption
I think one of the biggest things to focus on in the advent of Heartbleed is vendor management... I had over 20 vendors affected by the Heartbleed bug, and had to focus our efforts on ensuring the vendor was responding quickly with a solution or effective workarounds.

As with any software/hardware, there will be bugs. It's the detection of, and reaction to, them that is critical to get right.
Marilyn Cohodas
User Rank: Strategist
4/21/2014 | 3:09:46 PM
Rethinking encryption
Thanks for a good overview on the ROI of encryption, Sol. In light of Heartbleed, what -- if any -- specific changes in corporate security would you recommend with respect to encryption?