8/7/2019
07:00 AM
Kacy Zurkus

The Key to Enterprisewide Encryption

Security teams have been slow to embrace enterprisewide encryption, and for good reasons. But the truth is, it doesn't have to be an all-or-nothing endeavor.

Enterprise security teams have long struggled with the complexity of encryption and key management. While integrated solutions are starting to make it easier to encode and decode critical data, the goal of enterprisewide encryption has greatly increased the time it takes for security teams to cover their bases. 

In fact, for many it could be a resource-sucking nightmare. 

"Most enterprise encryption products require investments in data compartmentalization, account management, and user training in order to be effective," says Ryan Shaw, co-founder at Bionic. "Unfortunately, many organizations just can't afford that investment."

Add to that, most solutions don't offer protection from an advanced and determined attacker — another reason why many organizations have not embraced enterprisewide encryption, Shaw says. It also becomes complicated due to competing priorities among the different lines of business, each with its own ideas of what serves the business objectives and yields the best return on investment.

Not So Fast
Despite these legitimate obstacles, enterprise encryption is still a mandate for many security teams — though it doesn't have to be all or nothing.

Rather than taking an all-or-nothing approach, organizations should begin with the core elements of good cyber hygiene inherent in full disk encryption and transport layer security (TLS). Organizations that are not burdened with budgetary restraints are more likely to be able to make use of them for data at rest and for data in transit.

"Cloud providers, such as Amazon and Microsoft, also have robust, well-tested solutions in place to secure data at rest," Shaw says. "Additional authentication measures, specifically multifactor, to access critical systems and data are a step in the right direction and supported in most modern infrastructures."

Implementing enterprisewide encryption requires teams to take many factors into consideration, including key management, access, and authorization, Dan Tuchler, CMO of SecurityFirst, says. Encryption is only effective if it is coupled with policies around key storage as well as policies that ensure controlled access and proper key transmission.

"Deploying encryption without an overall architectural plan can lead to a difficult and ineffective solution," Tuchler says. What has worked effectively, though, is policy-based access control that limits data access to only valid users, organizations, and applications, he adds.

An overall architectural plan includes a process for reporting any suspicious access attempts to the threat analytics systems. In addition, Tuchler says, "Keys must be securely managed across the organization. Combining encryption with these elements, enterprisewide data protection is possible, and with the increasing regulations being enacted, there is more reason to do it now."

Data, Data Everywhere
Most organizations are encrypting data in transit, which is fairly straightforward, according to Ameesh Divatia, CEO of Baffle. "It is end-to-end encrypted with SSL," Divatia says. "Encryption in transit prevents somebody from being a man-in-the-middle or tapping the wire."

Still, encrypting data in transit has its own challenges, particularly because the new version of TLS makes it nearly impossible to do man-in-the-middle, says Sean Frazier, advisory CISO at Duo Security. 

"In an ideal world, yes, you would want to encrypt everything, but the larger an organization gets, the harder it is to encrypt everything because of data spread," adds Dylan Owen, senior manager for cyber services at Raytheon IIS. "You now have a lot more hurdles to overcome in order to do it across the board." 

Organizations want to inspect traffic so that if traffic containing sensitive information comes across, they know whether to allow that to happen. Frazier says in order to see that data, security teams need to take apart the channels. 

"You have to be the man in the middle, which is what bad guys normally do, but you do that as an organization because you want to make sure that the right content is going across the wire and the wrong content isn't," Frazier says. 

The problem is that taking apart channels happens at the application layer. 

"Applications have to be modified to actually encrypt data and incorporate crypto into it," Divatia says. However, users first need to understand how crypto works, and they need to have the original application developer around, lest they go messing with somebody else's code. 

At-rest encryption — encrypting inactive data that is stored in any digital or physical form — is essentially borrowing from storage-based encryption. Encryption in transit and at rest is relatively easy to implement, but Divatia says it does not protect against breaches; otherwise, they would not be happening.

The Key to Key Management
Because data encryption is only as strong as the key itself, key management becomes critical. Organizations need to have a key management strategy that includes policies for how to expire keys and how to use keys for data in a database where they have to decrypt and encrypt multiple times. The larger an organization, the more difficult key management becomes. 
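
As an added illustration (not code from the article or from any vendor quoted in it), here is one way to make an expiry and re-encryption policy concrete in Node.js: every stored record carries the ID of the key that sealed it, an expired key can still decrypt but can no longer encrypt, and rotation re-encrypts records under the current key. The record layout, the function names and the constant-filled demo keys are assumptions of this sketch; real keys would come from a key management system.

```javascript
const crypto = require('node:crypto');

// Assumed record layout: keyId(1) || nonce(12) || ciphertext || GCM tag(16)
const NONCE = 12, TAG = 16;

// Encrypt under key `id`, refusing keys that are unknown or past notAfter.
function seal(keyring, id, plaintext, now) {
  const key = keyring.get(id);
  if (!key || now >= key.notAfter) throw new Error(`key ${id} unknown or expired`);
  const nonce = crypto.randomBytes(NONCE);
  const aad = Buffer.from([id]); // authenticate the key ID so it cannot be swapped
  const c = crypto.createCipheriv('aes-256-gcm', key.secret, nonce).setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([aad, nonce, body, c.getAuthTag()]);
}

// Decrypt with whichever key the record names; expired keys remain readable.
function open(keyring, rec) {
  if (rec.length < 1 + NONCE + TAG) throw new Error('short record');
  const key = keyring.get(rec[0]);
  if (!key) throw new Error(`unknown key ID ${rec[0]}`);
  const d = crypto.createDecipheriv('aes-256-gcm', key.secret, rec.subarray(1, 1 + NONCE));
  d.setAAD(rec.subarray(0, 1)).setAuthTag(rec.subarray(rec.length - TAG));
  return Buffer.concat([d.update(rec.subarray(1 + NONCE, rec.length - TAG)), d.final()]);
}

// Re-encrypt records not yet under the current key, then list the key IDs
// that no longer protect any of the given records.
function rotate(keyring, records, currentId, now) {
  const rotated = records.map((r) =>
    r[0] === currentId ? r : seal(keyring, currentId, open(keyring, r), now));
  const inUse = new Set(rotated.map((r) => r[0]));
  return { rotated, retirable: [...keyring.keys()].filter((id) => !inUse.has(id)) };
}

// Constructed demo: key 1 expired an hour before `now`, key 2 is current.
function demo(now = Date.now()) {
  const keyring = new Map([
    [1, { secret: Buffer.alloc(32, 1), notAfter: now - 3600e3 }],
    [2, { secret: Buffer.alloc(32, 2), notAfter: now + 3600e3 }],
  ]);
  const oldRow = seal(keyring, 1, Buffer.from('constructed row'), now - 7200e3);
  let refused = false;
  try { seal(keyring, 1, Buffer.from('new row'), now); } catch { refused = true; }
  const { rotated, retirable } = rotate(keyring, [oldRow], 2, now);
  const plaintext = open(keyring, rotated[0]).toString();
  return { refused, plaintext, keyId: rotated[0][0], retirable };
}

console.log(demo());
```

In a database, the key ID prefix is what lets rows written under several generations of keys coexist while rotation proceeds in the background.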

"Key management is a pain," Frazier says. "It's always been a pain."

That's why organizations should first identify the data that actually needs to be encrypted. "If you are only going to encrypt a small amount of data, key management is easier. If you want to encrypt everything, it becomes harder because you have that many more devices to worry about providing a key to," Owen says.

Security teams should consider their reasons for using encryption. Encrypting for the sake of best practice isn't always good. Instead, Owen says to approach encryption from a protection perspective. "That helps you sort out how you do key management," Owen says.

Still, many organizations do need to encrypt a larger pool of data, which sets the groundwork for a complex key management situation. That's where picking the right software procedures can help them handle encryption. It's important to make sure the solution can manage all keys. 

"You don't want to have a tool for your laptops, your mobile, your SaaS, and your cloud. Having as few tools as possible will help to manage keys," Owen says. "The best practice is to see what you need to encrypt and what makes the most sense. Encryption is expensive, and it can be really difficult, particularly from the user perspective. For some organizations, enterprisewide encryption is not really practical."

Of course, legal requirements and the internal business perspective will guide encryption decisions, but it's also important to remember that encryption is not the easiest thing from a user perspective, and it creates a lot of barriers for them.

"In order to get them to do the right thing, you need to make encryption as easy as possible," Owen says.

(Image Source: agsandrew via Adobe Stock)

 

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ...

Comments

billycripe, User Rank: Strategist
8/21/2019 | 12:32:23 PM
Keys Keys Keys
The thing with TLS 1.3 (and any standard that incorporates perfect forward secrecy with ephemeral keys) is that there are no longer "master keys" or the ability to derive the "keys to the kingdom". Each session has its own symmetric key which no longer is derived from the certificate. This means that there are hundreds of thousands of symmetric keys popping into and out of existence. MITM no longer works. And hairpinning all back end API calls through front end firewalls or decryption zones is downright untenable in a cloud world.

This is by design (read the TLS 1.3 spec for the gory details and read the public comments for the arguments and ideas that ensue). 

The only thing that seems to make sense in a perfect forward secrecy and TLS 1.3 world is symmetric key intercept that runs out of band. 

Ajfreeland, User Rank: Apprentice
8/8/2019 | 1:34:30 PM
Agreed, MitM is impractical
I appreciate this article and agree that TLS 1.3 makes it extremely impractical for man-in-the-middle. It can also be a high strain on CPU usage. Nubeva has just come out with a new way to decrypt TLS 1.3 encrypted traffic, giving visibility while maintaining security. It's called Symmetric Key Intercept. Check it out at Nubeva's website.