Enterprise security teams have long struggled with the complexity of encryption and key management. While integrated solutions are starting to make it easier to encrypt and decrypt critical data, the goal of enterprisewide encryption has greatly increased the time it takes for security teams to cover their bases.
In fact, for many it could be a resource-sucking nightmare.
"Most enterprise encryption products require investments in data compartmentalization, account management, and user training in order to be effective," says Ryan Shaw, co-founder at Bionic. "Unfortunately, many organizations just can't afford that investment."
On top of that, most solutions don't offer protection from an advanced and determined attacker — another reason why many organizations have not embraced enterprisewide encryption, Shaw says. It also becomes complicated due to competing priorities among the different lines of business, each with its own ideas of what serves the business objectives and yields the best return on investment.
Not So Fast
Despite these legitimate obstacles, enterprise encryption is still a mandate for many security teams — though it doesn't have to be all or nothing.
Rather than taking an all-or-nothing approach, organizations should begin with the core elements of good cyber hygiene inherent in full disk encryption and transport layer security (TLS). Organizations that are not burdened with budgetary constraints are better able to make use of them for data at rest and for data in transit.
"Cloud providers, such as Amazon and Microsoft, also have robust, well-tested solutions in place to secure data at rest," Shaw says. "Additional authentication measures, specifically multifactor, to access critical systems and data are a step in the right direction and supported in most modern infrastructures."
Implementing enterprisewide encryption requires teams to take many factors into consideration, including key management, access, and authorization, says Dan Tuchler, CMO of SecurityFirst. Encryption is only effective if it is coupled with policies around key storage as well as policies that ensure controlled access and proper key transmission.
"Deploying encryption without an overall architectural plan can lead to a difficult and ineffective solution," Tuchler says. What has worked effectively, though, is policy-based access control that limits data access to only valid users, organizations, and applications, he adds.
An overall architectural plan includes a process for reporting any suspicious access attempts to the threat analytics systems. In addition, Tuchler says, "Keys must be securely managed across the organization. Combining encryption with these elements, enterprisewide data protection is possible, and with the increasing regulations being enacted, there is more reason to do it now."
Data, Data Everywhere
Most organizations are encrypting data in transit, which is fairly straightforward, according to Ameesh Divatia, CEO of Baffle. "It is end-to-end encrypted with SSL," Divatia says. "Encryption in transit prevents somebody from being a man-in-the-middle or tapping the wire."
Still, encrypting data in transit has its own challenges, particularly because the new version of TLS makes it nearly impossible to do man-in-the-middle, says Sean Frazier, advisory CISO at Duo Security.
"In an ideal world, yes, you would want to encrypt everything, but the larger an organization gets, the harder it is to encrypt everything because of data spread," adds Dylan Owen, senior manager for cyber services at Raytheon IIS. "You now have a lot more hurdles to overcome in order to do it across the board."
Organizations want to inspect traffic so that if traffic containing sensitive information comes across, they know whether to allow that to happen. Frazier says in order to see that data, security teams need to take apart the channels.
"You have to be the man in the middle, which is what bad guys normally do, but you do that as an organization because you want to make sure that the right content is going across the wire and the wrong content isn't," Frazier says.
The problem is that taking apart channels happens at the application layer.
"Applications have to be modified to actually encrypt data and incorporate crypto into it," Divatia says. However, users first need to understand how crypto works, and they need to have the original application developer around, lest they go messing with somebody else's code.
At-rest encryption — encrypting inactive data that is stored in any digital or physical form — essentially borrows from storage-based encryption. Encryption in transit and at rest is relatively easy to implement, but Divatia says it does not protect against breaches; otherwise, they would not be happening.
The Key to Key Management
Because data encryption is only as strong as the key itself, key management becomes critical. Organizations need to have a key management strategy that includes policies for how to expire keys and how to use keys for data in a database where they have to decrypt and encrypt multiple times. The larger an organization, the more difficult key management becomes.
"Key management is a pain," Frazier says. "It's always been a pain."
That's why organizations should first identify the data that actually needs to be encrypted. "If you are only going to encrypt a small amount of data, key management is easier. If you want to encrypt everything, it becomes harder because you have that many more devices to worry about providing a key to," Owen says.
Security teams should consider their reasons for using encryption. Encrypting for the sake of best practice isn't always good. Instead, Owen says to approach encryption from a protection perspective. "That helps you sort out how you do key management," Owen says.
Still, many organizations do need to encrypt a larger pool of data, which sets the groundwork for a complex key management situation. That's where picking the right software procedures can help them handle encryption. It's important to make sure the solution can manage all keys.
"You don't want to have a tool for your laptops, your mobile, your SaaS, and your cloud. Having as few tools as possible will help to manage keys," Owen says. "The best practice is to see what you need to encrypt and what makes the most sense. Encryption is expensive, and it can be really difficult, particularly from the user perspective. For some organizations, enterprisewide encryption is not really practical."
Of course, legal requirements and the internal business perspective will guide encryption decisions, but it's also important to remember that encryption is not the easiest thing from a user perspective, and it creates a lot of barriers for them.
"In order to get them to do the right thing, you need to make encryption as easy as possible," Owen says.
Image Source: agsandrew via Adobe Stock