Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

8/7/2019
07:00 AM
Kacy Zurkus
Kacy Zurkus
Edge-DRsplash-10-edge-articles
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Key to Enterprisewide Encryption

Security teams have been slow to embrace enterprisewide encryption, and for good reasons. But the truth is, it doesn't have to be an all-or-nothing endeavor.

Enterprise security teams have long struggled with the complexity of encryption and key management. While integrated solutions are starting to make it easier to encode and decode critical data, the goal of enterprisewide encryption has greatly increased the time it takes for security teams to cover their bases. 

In fact, for many it could be a resource-sucking nightmare. 

"Most enterprise encryption products require investments in data compartmentalization, account management, and user training in order to be effective," says Ryan Shaw, co-founder at Bionic. "Unfortunately, many organizations just can't afford that investment."

Add to that, most solutions don't offer protection from an advanced and determined attacker — another reason why many organizations have not embraced enterprisewide encryption, Shaw says. It also becomes complicated due to competing priorities among the different lines of businesses, each with their own ideas of what serves the business objectives and yields the best return on investment.

Not So Fast
Despite these legitimate obstacles, enterprise encryption is still a mandate for many security teams — though it doesn't have to be all or nothing.

Rather than taking an all or nothing approach, organizations should begin with the core elements of good cyber hygiene inherent in full disk encryption and transport layer security (TLS). Organizations that are not burdened with budgetary restraints are more likely able to make use of them for data at rest and for data in transit. 

"Cloud providers, such as Amazon and Microsoft, also have robust, well-tested solutions in place to secure data at rest," Shaw says. "Additional authentication measures, specifically multifactor, to access critical systems and data are a step in the right direction and supported in most modern infrastructures."

Implementing enterprisewide encryption requires teams to take many factors into consideration, including key management, access and authorization Dan Tuchler, CMO of SecurityFirst, says. Encryption is only effective if it is coupled with the policies around key storage as well as policies that ensure controlled access and proper key transmission. 

"Deploying encryption without an overall architectural plan can lead to a difficult and ineffective solution," Tuchler says. What has worked effectively, though, is policy-based access control that limits data access to only valid users, organizations, and applications, he adds.

An overall architectural plan includes a process for reporting any suspicious access attempts to the threat analytics systems. In addition, Tuchler says, "Keys must be securely managed across the organization. Combining encryption with these elements, enterprisewide data protection is possible, and with the increasing regulations being enacted, there is more reason to do it now."

Data, Data Everywhere
Most organizations are encrypting data in transit, which is fairly straightforward, according to Ameesh Divatia, CEO of Baffle. "It is end-to-end encrypted with SSL," Divatia says. "Encryption in transit prevents somebody from being a man-in-the-middle or tapping the wire."

Still, encrypting data in transit has its own challenges, particularly because the new version of TLS makes it nearly impossible to do man-in-the-middle, says Sean Frazier, advisory CISO at Duo Security. 

"In an ideal world, yes, you would want to encrypt everything, but the larger an organization gets, the harder it is to encrypt everything because of data spread," adds Dylan Owen, senior manager for cyber services at Raytheon IIS. "You now have a lot more hurdles to overcome in order to do it across the board." 

Organizations want to inspect traffic so that if traffic containing sensitive information comes across, they know whether to allow that to happen. Frazier says in order to see that data, security teams need to take apart the channels. 

"You have to be the man in the middle, which is what bad guys normally do, but you do that as an organization because you want to make sure that the right content is going across the wire and the wrong content isn't," Frazier says. 

The problem is that taking apart channels happens at the application layer. 

"Applications have to be modified to actually encrypt data and incorporate crypto into it," Divatia says. However, users first need to understand how crypto works, and they need to have the original application developer around, lest they go messing with somebody else's code. 

At-rest encryption — encrypting inactive data that is stored in any digital or physical form — is essentially borrowing from storage-based encryption. In transit and at rest is relatively easy to implement, but Divatia says it does not protect against breaches; otherwise, they would not be happening. 

The Key to Key Management
Because data encryption is only as strong as the key itself, key management becomes critical. Organizations need to have a key management strategy that includes policies for how to expire keys and how to use keys for data in a database where they have to decrypt and encrypt multiple times. The larger an organization, the more difficult key management becomes. 

"Key management is a pain," Frazier says. "It's always been a pain."

That's why organizations should first identify the data that actually needs to be encrypted. "If you are only going to encrypt a small amount of data, key management is easier. If you want to encrypt everything, it becomes harder because you have that many more devices to worry about providing a key to," Owen says.

Security teams should consider their reasons for using encryption. Encrypting for the sake of best practice isn't always good. Instead, Owens says to approach encryption from a protection perspective. "That helps you sort out how you do key management," Owen says. 

Still, many organizations do need to encrypt a larger pool of data, which sets the groundwork for a complex key management situation. That's where picking the right software procedures can help them handle encryption. It's important to make sure the solution can manage all keys. 

"You don't want to have a tool for your laptops, your mobile, your SaaS, and your cloud. Having as few tools as possible will help to manage keys," Owen says. "The best practice is to see what you need to encrypt and what makes the most sense. Encryption is expensive, and it can be really difficult, particularly from the user perspective. For some organizations, enterprisewide encryption is not really practical."

Of course, legal requirements and the internal business perspective will guide encryption decisions, but it's also important to remember that encryption is not the easiest thing from a user perspective, and it creates a lot of barriers for them.

"In order to get them to do the right thing, you need to make encryption as easy as possible," Owen says.

Related Content:

Image Source: agsandrew via Adobe Stock)

 

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ajfreeland
50%
50%
Ajfreeland,
User Rank: Apprentice
8/8/2019 | 1:34:30 PM
Agreed, MitM is impractical
I appreciate this article and agree that TLS 1.3 makes it extremely impractical for man-in-the-middle. It can also be a high strain on CPU usage. Nubeva has just come out with a new way to decrypt TLS 1.3 encrypted traffic, giving visibility while maintaining security. It's called Symmetric Key Intercept. Check it out at Nubeva's website.
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15129
PUBLISHED: 2019-08-18
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_n...
CVE-2019-15130
PUBLISHED: 2019-08-18
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to upload any file type to a candidate's profile picture folder via a crafted recruitment_online/personalData/act_personaltab.cfm multiple-part POST request with a predictable WRC01_USERID parame...
CVE-2019-15135
PUBLISHED: 2019-08-18
The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability informa...
CVE-2019-15136
PUBLISHED: 2019-08-18
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
CVE-2019-15137
PUBLISHED: 2019-08-18
The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.