Dark Reading

Kacy Zurkus
The Key to Enterprisewide Encryption

Security teams have been slow to embrace enterprisewide encryption, and for good reasons. But the truth is, it doesn't have to be an all-or-nothing endeavor.

Enterprise security teams have long struggled with the complexity of encryption and key management. While integrated solutions are starting to make it easier to encrypt and decrypt critical data, the goal of enterprisewide encryption has greatly increased the time it takes for security teams to cover their bases.

In fact, for many it could be a resource-sucking nightmare. 

"Most enterprise encryption products require investments in data compartmentalization, account management, and user training in order to be effective," says Ryan Shaw, co-founder at Bionic. "Unfortunately, many organizations just can't afford that investment."

Add to that, most solutions don't offer protection from an advanced and determined attacker — another reason why many organizations have not embraced enterprisewide encryption, Shaw says. It also becomes complicated due to competing priorities among the different lines of businesses, each with their own ideas of what serves the business objectives and yields the best return on investment.

Not So Fast
Despite these legitimate obstacles, enterprise encryption is still a mandate for many security teams, though it doesn't have to be all-or-nothing.

Rather than taking an all-or-nothing approach, organizations should begin with the core elements of good cyber hygiene: full-disk encryption for data at rest and transport layer security (TLS) for data in transit. Organizations that are not constrained by budget are well placed to use both.

"Cloud providers, such as Amazon and Microsoft, also have robust, well-tested solutions in place to secure data at rest," Shaw says. "Additional authentication measures, specifically multifactor, to access critical systems and data are a step in the right direction and supported in most modern infrastructures."

Implementing enterprisewide encryption requires teams to take many factors into consideration, including key management, access, and authorization, says Dan Tuchler, CMO of SecurityFirst. Encryption is only effective if it is coupled with policies for key storage, controlled access, and proper key transmission.

"Deploying encryption without an overall architectural plan can lead to a difficult and ineffective solution," Tuchler says. What has worked effectively, though, is policy-based access control that limits data access to only valid users, organizations, and applications, he adds.

An overall architectural plan includes a process for reporting any suspicious access attempts to the threat analytics systems. In addition, Tuchler says, "Keys must be securely managed across the organization. Combining encryption with these elements, enterprisewide data protection is possible, and with the increasing regulations being enacted, there is more reason to do it now."

Data, Data Everywhere
Most organizations are encrypting data in transit, which is fairly straightforward, according to Ameesh Divatia, CEO of Baffle. "It is end-to-end encrypted with SSL," Divatia says. "Encryption in transit prevents somebody from being a man-in-the-middle or tapping the wire."

Still, encrypting data in transit has its own challenges, particularly for monitoring: the newest version of TLS (1.3) makes it nearly impossible for an organization to man-in-the-middle its own traffic for inspection, says Sean Frazier, advisory CISO at Duo Security.

"In an ideal world, yes, you would want to encrypt everything, but the larger an organization gets, the harder it is to encrypt everything because of data spread," adds Dylan Owen, senior manager for cyber services at Raytheon IIS. "You now have a lot more hurdles to overcome in order to do it across the board." 

Organizations want to inspect traffic so that when sensitive information crosses the network they can decide whether to allow it. To see that data, Frazier says, security teams have to take the channel apart.

"You have to be the man in the middle, which is what bad guys normally do, but you do that as an organization because you want to make sure that the right content is going across the wire and the wrong content isn't," Frazier says. 

A further difficulty is that protecting the data itself, rather than just the channel, has to happen at the application layer.

"Applications have to be modified to actually encrypt data and incorporate crypto into it," Divatia says. However, the teams doing that work first need to understand how the crypto works, and they need the original application developer available, lest they go messing with somebody else's code.
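To make the inspection problem concrete, here is an added example (not code from the article or from Duo, Baffle or any other vendor quoted in it) of the TLS 1.3 property Frazier describes: the session key comes from an ephemeral Diffie-Hellman exchange, so a device that only watches the wire learns nothing, even if it holds the server's long-term key, and the only non-inline route is for an endpoint to export the per-session secret, which is what the key-log line below (the real NSS format that Wireshark reads) carries; the comments at the end of this page call that "symmetric key intercept out of band". The DH group p = 2^127 - 1 with g = 3, the two-step HKDF schedule, the "c ap traffic" label and all function names are constructed simplifications for this example; real TLS 1.3 uses X25519 or NIST curves and the full RFC 8446 key schedule.

```python
"""Why an inspector can no longer sit passively on a TLS 1.3 link.

Added example, not code from the article or from any vendor quoted in it.
The DH group and the key schedule are constructed simplifications; the
key-log line format is the real NSS format.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = (1 << 127) - 1   # toy prime modulus (constructed; not a real TLS group)
G = 3                # toy generator
KEYLOG_LABEL = "CLIENT_TRAFFIC_SECRET_0"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def ephemeral_keyshare() -> Tuple[int, int]:
    """Fresh per-session DH exponent and the public share sent on the wire."""
    priv = 2 + secrets.randbelow(P - 3)   # uniform in [2, P-2]
    return priv, pow(G, priv, P)


def traffic_secret(shared: int, client_random: bytes, server_random: bytes) -> bytes:
    """Derive a 32-byte application traffic secret from the DH result."""
    prk = hkdf_extract(client_random + server_random, shared.to_bytes(16, "big"))
    return hkdf_expand(prk, b"c ap traffic", 32)


def handshake() -> dict:
    """One session: each side's secret plus everything visible on the wire."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    a, a_pub = ephemeral_keyshare()   # client keeps a, sends a_pub
    b, b_pub = ephemeral_keyshare()   # server keeps b, sends b_pub
    client_secret = traffic_secret(pow(b_pub, a, P), client_random, server_random)
    server_secret = traffic_secret(pow(a_pub, b, P), client_random, server_random)
    wire = {"client_random": client_random, "server_random": server_random,
            "client_share": a_pub, "server_share": b_pub}
    return {"client_secret": client_secret, "server_secret": server_secret, "wire": wire}


def keylog_line(client_random: bytes, secret: bytes) -> str:
    """NSS key-log line: the out-of-band export path an endpoint can offer."""
    return f"{KEYLOG_LABEL} {client_random.hex()} {secret.hex()}"


def parse_keylog(text: str) -> dict:
    """Index key-log lines by (label, client_random hex); '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, client_random_hex, secret_hex = line.split()
        table[(label, client_random_hex)] = bytes.fromhex(secret_hex)
    return table


def observer_secret(wire: dict, keylog: Optional[dict] = None) -> Optional[bytes]:
    """What a passive observer can recover. The transcript alone (randoms and
    public shares) gives nothing usable: the exponents never leave the
    endpoints, and a static server key plays no part in the key exchange."""
    if keylog is None:
        return None
    return keylog.get((KEYLOG_LABEL, wire["client_random"].hex()))


if __name__ == "__main__":
    s = handshake()
    print("endpoints agree:", s["client_secret"] == s["server_secret"])
    print("passive observer:", observer_secret(s["wire"]))
    exported = parse_keylog(keylog_line(s["wire"]["client_random"], s["client_secret"]))
    print("with exported secret:", observer_secret(s["wire"], exported).hex())
```

Run it and the passive observer gets nothing until a key-log line is supplied for that session's client random; every session needs its own line, which is the "hundreds of thousands of symmetric keys" problem the comments below describe. An inline inspector avoids this by terminating two separate sessions, one with the client and one with the server, which is exactly the man-in-the-middle posture Frazier describes, and why it has to be deliberate, documented, and scoped.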

At-rest encryption — encrypting inactive data that is stored in any digital or physical form — essentially borrows from storage-based encryption. Encryption in transit and at rest is relatively easy to implement, but Divatia says it does not by itself protect against breaches; otherwise, they would not be happening.

The Key to Key Management
Because data encryption is only as strong as the key itself, key management becomes critical. Organizations need to have a key management strategy that includes policies for how to expire keys and how to use keys for data in a database where they have to decrypt and encrypt multiple times. The larger an organization, the more difficult key management becomes. 
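As an added example of the kind of key-management policy the paragraph above calls for (illustrative code, not from the article or from any vendor quoted in it), the following uses envelope encryption: every record is encrypted under its own data-encryption key (DEK), each DEK is wrapped by a versioned key-encryption key (KEK), and expiring a KEK means re-wrapping the small DEKs rather than re-encrypting the stored data. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a standard-library stand-in for an AEAD such as AES-GCM; the KeyManager class, the record layout and the "dek" AAD label are assumptions made for this example, and a real deployment would keep the KEKs in an HSM or cloud KMS rather than in process memory.

```python
"""Envelope encryption with versioned key-encryption keys (KEKs).

Added example, not code from the article or from any vendor quoted in it.
The cipher is a stdlib stand-in for an AEAD such as AES-GCM; the
key-management pattern, not the cipher, is the point.
"""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Separate confidentiality and integrity keys derived from one key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> tuple:
    """Encrypt-then-MAC with a fresh random nonce; aad is authenticated, not encrypted."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def aead_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes, aad: bytes = b"") -> bytes:
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key, wrong AAD or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyManager:
    """Holds KEK versions (constructed stand-in for an HSM or KMS). Only the
    current KEK wraps new DEKs; older versions stay available to unwrap until
    every DEK has been re-wrapped and the old version is retired."""

    def __init__(self):
        self.keks = {1: secrets.token_bytes(32)}
        self.current = 1

    def rotate(self) -> int:
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        if version == self.current:
            raise ValueError("cannot retire the current KEK")
        del self.keks[version]

    def wrap(self, dek: bytes) -> dict:
        nonce, ct, tag = aead_encrypt(self.keks[self.current], dek, aad=b"dek")
        return {"kek_version": self.current, "nonce": nonce, "ct": ct, "tag": tag}

    def unwrap(self, wrapped: dict) -> bytes:
        kek = self.keks[wrapped["kek_version"]]   # KeyError if that KEK was retired
        return aead_decrypt(kek, wrapped["nonce"], wrapped["ct"], wrapped["tag"], aad=b"dek")


def encrypt_record(km: KeyManager, record_id: bytes, plaintext: bytes) -> dict:
    """Fresh DEK per record; the record id is bound in as AAD so a ciphertext
    cannot be moved between rows undetected."""
    dek = secrets.token_bytes(32)
    nonce, ct, tag = aead_encrypt(dek, plaintext, aad=record_id)
    return {"id": record_id, "wrapped_dek": km.wrap(dek), "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_record(km: KeyManager, rec: dict) -> bytes:
    dek = km.unwrap(rec["wrapped_dek"])
    return aead_decrypt(dek, rec["nonce"], rec["ct"], rec["tag"], aad=rec["id"])


def rewrap_records(km: KeyManager, records: list) -> int:
    """After rotate(): move every DEK under the current KEK. The data
    ciphertext is untouched, so this is cheap even for a large store."""
    moved = 0
    for rec in records:
        if rec["wrapped_dek"]["kek_version"] != km.current:
            rec["wrapped_dek"] = km.wrap(km.unwrap(rec["wrapped_dek"]))
            moved += 1
    return moved


if __name__ == "__main__":
    km = KeyManager()
    rows = [encrypt_record(km, b"row-%d" % i, b"ssn=%09d" % i) for i in range(3)]   # constructed data
    km.rotate()
    print("DEKs re-wrapped:", rewrap_records(km, rows))
    km.retire(1)
    print("still readable:", [decrypt_record(km, r) for r in rows])
```

The order matters: rotate, re-wrap everything, then retire the old version. Retiring first leaves any record whose DEK is still under the old KEK unreadable, which is the failure mode that makes teams nervous about expiry policies, and it is the reason the re-wrap step reports how many DEKs it moved.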

"Key management is a pain," Frazier says. "It's always been a pain."

That's why organizations should first identify the data that actually needs to be encrypted. "If you are only going to encrypt a small amount of data, key management is easier. If you want to encrypt everything, it becomes harder because you have that many more devices to worry about providing a key to," Owen says.

Security teams should consider their reasons for using encryption. Encrypting for the sake of best practice isn't always worthwhile. Instead, Owen says to approach encryption from a protection perspective. "That helps you sort out how you do key management," Owen says.

Still, many organizations do need to encrypt a larger pool of data, which sets the groundwork for a complex key management situation. That's where picking the right software procedures can help them handle encryption. It's important to make sure the solution can manage all keys. 

"You don't want to have a tool for your laptops, your mobile, your SaaS, and your cloud. Having as few tools as possible will help to manage keys," Owen says. "The best practice is to see what you need to encrypt and what makes the most sense. Encryption is expensive, and it can be really difficult, particularly from the user perspective. For some organizations, enterprisewide encryption is not really practical."

Of course, legal requirements and the internal business perspective will guide encryption decisions, but it's also important to remember that encryption is not the easiest thing from a user perspective, and it creates a lot of barriers for them.

"In order to get them to do the right thing, you need to make encryption as easy as possible," Owen says.



Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ...

8/21/2019 | 12:32:23 PM
Keys Keys Keys
The thing with TLS 1.3 (and any standard that incorporates perfect forward secrecy with ephemeral keys) is that there are no longer "master keys" or the ability to derive the "keys to the kingdom". Each session has its own symmetric key which no longer is derived from the certificate. This means that there are hundreds of thousands of symmetric keys popping into and out of existence. MITM no longer works. And hairpinning all back end api calls through front end firewalls or decryption zones is downright untenable in a cloud world.

This is by design (read the TLS 1.3 spec for the gory details and read the public comments for the arguments and ideas that ensue). 

The only thing that seems to make sense in a perfect forward secrecy and TLS 1.3 world is symmetric key intercept that runs out of band. 

8/8/2019 | 1:34:30 PM
Agreed, MitM is impractical
I appreciate this article and agree that TLS 1.3 makes it extremely impractical for man-in-the-middle. It can also be a high strain on CPU usage. Nubeva has just come out with a new way to decrypt TLS 1.3 encrypted traffic, giving visibility while maintaining security. It's called Symmetric Key Intercept. Check it out at Nubeva's website.