To the InfoSec neophyte, it may seem axiomatic that data should be encrypted always and everywhere -- particularly in the age of the so-called "seamless" cloud.
And, despite sophisticated arguments to the contrary, one recently funded Boston-area startup is founded on the proposition that the neophytes are right.
Some pundits contend that accessibility tradeoffs may outweigh any security benefits when it comes to encrypting data at rest in addition to data in transit -- not least because compromising the right user's credentials can make encryption a moot point. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)
In an interview with Security Now, Randy Battat, CEO of email- and file-encryption startup PreVeil, countered that, tradeoffs aside, end-to-end encryption of data both in transit and at rest is vital to seamless cloud security because of infrastructural trends -- particularly as IT organizations evolve from on-premises to hybrid clouds, from hybrid clouds to multicloud, and from all of the above to seamless cloud environments.
"There's a new generation of apps emerging to deal with this latent... legacy problem of plaintext data living on servers," Battat said. "Whether it's encrypted at rest or in transit, the problem is plaintext data being decrypted in use."
While not everyone is in agreement, these trends have some analysts thinking about encryption in the cloud era in new ways.
"Encrypting data at all times (at rest, in transit, and during processing) and during the whole data lifecycle -- from creation to destruction -- is that 'ideal world' that we all look for," Martin Whitworth, IDC's Research Director for European Data Security and Privacy, wrote to Security Now. "Unfortunately, practicalities often get in the way."
The way Battat puts it, however, security trends themselves have become impractical -- often amounting to little more than "building higher and higher walls" that do no good when intruders get in through a door or a window. While data segmentation is increasingly deployed to achieve data-stewardship goals in seamless cloud environments, those goals may be defeated by the very accessibility measures that make seamless clouds seamless to begin with. The fundamental end-to-end security problem of email and file sharing lies in the accessibility demands inherent to those applications: they require data to be stored indefinitely (sometimes forever).
"Certain discoveries are only unlocked when you have enough mass," Stefaan Vervaet, Western Digital's Senior Director of Strategic Alliances and Market Development, wrote in a recent blog post. "It's no surprise that some companies may decide to never delete data again."
Many enterprise IT organizations wind up with a severely deficient software-development lifecycle (SDLC), with sensitive data hiding in places they didn't intend and don't know about, often in multiple centralized locations. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.)
"Centralization creates exposure," points out PreVeil's "manifesto." "If an attack on a single server or network device yields vast quantities of valuable information, one can be sure the attackers will target this central point of failure."
While the decentralization of a seamless cloud can thereby aid information security, new problems crop up in such an environment as accessibility issues intersect with particularized processing challenges.
"If you have a hybrid [cloud], how do you effectively manage the encryption schemes (and keys) across these different environments?" Whitworth said. "[This includes] the challenges of managing keys -- not just for encryption/decryption, but also the issues of key rotation, issuance, cancellation, distribution, etc."
PreVeil's end-to-end encryption (based on XSalsa20, a stream cipher) for file sharing and email purports to work similarly to applications like Dropbox, with users able to "drag and drop" to encrypt data and synchronize that encryption across all devices -- all without having to be concerned with individual keys. Battat reports that PreVeil's cloud servers, meanwhile, see neither the plaintext data nor the decryption keys. Additionally, because validation is encryption-based rather than dependent on whatever business logic has been stored on the servers for administrative access, an intruder who has compromised one VIP admin or executive does not necessarily get the whole pot of gold.
Ultimately, said Battat, this kind of end-to-end encryption is uniquely qualified for securing a seamless cloud environment because of the problems of trusting data exposure on strange servers -- or any servers at all.
"The hybrid environment doesn't have to be any less secure if you're using end-to-end encryption because the whole premise is that anything on the server is not trustworthy," said Battat. "End-to-end encryption does a pretty good job because the encryption is handled at the client side -- so you're not really relying on server qualities to guarantee your safety."
— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.