Risk
Guest Blog // Selected Security Content Provided By Intel
What's This?
11/12/2013
02:54 PM
Guest Blogs
Guest Blogs
Guest Blogs
100%
0%

Lock Three Doors To Protect Your Data

Data is at risk when it's at rest, in motion, or in use. Here are some tips for approaching data protection in each state.

Willie Sutton, the infamous bank robber, had a talent for wry understatement.

Asked why he robbed banks, he purportedly replied, "Because that's where the money is."*

If Willie had been born in the 1980s instead of in 1901, he would have been a cybercriminal looking to steal data. Why? Because that's where the money is.

Intellectual property, trade secrets, sensitive customer information, user credentials, patient information -- all of these are forms of data that are as valuable as money in the bank. And the risks associated with losing or failing to protect that data are far greater than those associated with cash. And just like cash, data is at risk when it's at rest, in motion, or in use.

Here are some tips for approaching data protection with the three states as a guide.

Data At Rest
Data is at rest when it is not being accessed, such as when it is stored on a physical or logical medium. Examples include files sitting on a flash drive or on archived magnetic tapes in the corporate warehouse.

Despite recent sensational headlines, encryption still works well to protect data at rest. Encryption applications, such as full disk encryption, provide very strong data protection when coupled with strong random number generation, the right encryption algorithms with robust keys, and intelligent acceleration, such as Intel Advanced Encryption Standard New Instructions (Intel AES-NI) to make the encryption unobtrusive to the user.

Application owners and IT administrators are often concerned about an "encryption tax" -- a lag in application performance caused by CPU cycles consumed in complex cryptographic processing. If that performance tax is too great, user productivity and application efficiency suffers, making encryption an unattractive option. With intelligent acceleration of some cryptographic operations, this tax can be dramatically decreased so that encryption can be more widely deployed.

Data In Motion
Data is in motion when it is moving between applications, traversing a network, or moving between networks.

Data in motion can be protected by protocols, such as TLS, SSL, and IPsec, which encrypt data packets for secure transportation and decryption by intended parties. Like a really thick security envelope for an important letter, these protocols provide a wrapper that helps prevent unauthorized access to your data as it's in motion. Use of Intel instruction enhancements, such as Intel AES-NI and Intel Advanced Vector Extensions (Intel AVX), can help these protocols be more efficient, which can, in turn, help your data centers run more cost effectively. You can and should complement these protocols with data loss prevention software or appliances that monitor network traffic to help prevent unauthorized transmission of sensitive data.

Data In Use
Data is in use when it is being actively read or written by an application, and this is its most vulnerable state. When in use, data sheds its protective layers so it can be used and changed.

When living in an apartment building with other tenants, your apartment and its contents are secure only if the building manager keeps unauthorized people out and if the windows and doors are secure. If someone leaves a door or window unlocked (as with an application vulnerability), or if the building manager hires a cleaning crew who are actually crooks (like malware that's injected into a system service DLL), then you might as well leave your apartment door unlocked. Data in use can be just as unprotected and just as exposed to risk.

You can establish an environment in which only trusted applications can access your data. This trusted execution environment is like a safe inside your apartment, to which you have the only key. In addition, like checking your apartment for items out of place or missing, a trusted execution environment can be measured and known to be secure, such as with Intel Trusted Execution Technology (Intel TXT), so you can be confident that your data is protected even when in use.

Which Data Should You Protect?
You now have more freedom to answer this question because of the rapid pace of technological innovation. One important innovation is the acceleration of encryption technologies.

The performance hit associated with encryption used to be so high that enterprises sometimes did not encrypt data that needed protection. However, today's encryption acceleration technologies let you base data-protection decisions on risk assessment rather than fears about performance because accelerated encryption essentially removes encryption overhead from the equation. This means you can deploy encryption where it's needed -- up to and including encrypting all of your data.

While this greater freedom is a boon to data protection, your organization still must define policies that place data on a sensitivity continuum from highly restricted to public data. Then you can enforce those policies with processes and tools. This is an important topic that I'll address in a future post.

Data Protection Starts With Encryption
The days when you might protect your data by locking up paperwork in a filing cabinet are long gone. That's because our connected business depends on keeping data both safe and available to business partners. Encryption remains a valuable data-protection tool. When you apply it systematically to data throughout its life cycle, you'll be on a path to foiling our modern-day Willie Suttons.

* Thanks to Wikipedia, which also reports that this exchange is probably apocryphal. Oh, well. It still makes a good story.

Follow me on Twitter: @tomquillin

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/23/2014 | 12:55:27 AM
Excellent article!
Thanks for an article that reflects what I have preached for a while - encryption coupled with two-factor authentication, such as user credentials coupled with a trusted device - results in a lock that foils all but the most determined hacker.  

Much like my grandfather telling me that "locks keep honest poeople honest" our security feature cannot keep out the very determined hackers, but they can make it so hard to access that these determinied hacckers go after easier prey.
macker490
100%
0%
macker490,
User Rank: Ninja
11/13/2013 | 12:45:53 PM
re: Lock Three Doors To Protect Your Data
Superb!! the essay touches on the concept of the Trusted Environment,-- i.e. knowing that you have correct copies of the proper programs -- and nothing else. This needs to start at POST as Security is like a balloon: a pin-prick -- and POP! Gone.

security has to win by a complete shut-out

I shall look forward to additional comments supporting this excellent lead by Tom Quillin.
Cryptodd
100%
0%
Cryptodd,
User Rank: Moderator
11/13/2013 | 12:20:36 AM
re: Lock Three Doors To Protect Your Data
Great encryption points! While I get point about encryption for data-in-motion and data-at-rest, you miss that one can also use encryption to secure data in use. Wikipedia has a nice page describing data-in-use security - http://en.wikipedia.org/wiki/D... .
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8551
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.

CVE-2014-8552
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.

CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?