Joe Stanganelli

Seamless Cloud Security Depends on Encryption Done Right

As enterprises shift to the cloud, there is a debate about how best to secure data as it moves from one platform to another. A Boston startup is betting on encrypting data both in motion and at rest, and this could be the next big trend.

To the InfoSec neophyte, it may seem axiomatic that data should be encrypted always and everywhere -- particularly in the age of the so-called "seamless" cloud.

And, despite sophisticated arguments to the contrary, one recently funded Boston-area startup is founded on the proposition that the neophytes are right.

Some pundits contend that accessibility tradeoffs may outweigh any security benefits when it comes to encrypting data at rest in addition to data in transit -- not least of all because compromising the right user's credentials can make encryption a moot point. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

In an interview with Security Now, Randy Battat, CEO of email- and file-encryption startup PreVeil, countered that -- tradeoffs aside -- end-to-end encryption of data both in transit and at rest is vital to seamless cloud security because of infrastructural trends -- particularly as IT organizations evolve from on-premises to hybrid clouds, from hybrid clouds to multicloud, and from all of the above to seamless cloud environments.

(Source: Flickr)

Additionally, for Battat, an even more pervasive but often overlooked problem lies with the data in between -- data in use.

"There's a new generation of apps emerging to deal with this latent... legacy problem of plaintext data living on servers," Battat said. "Whether it's encrypted at rest or in transit, the problem is plaintext data being decrypted in use."

While not everyone is in agreement, these trends have some analysts thinking about encryption in the cloud era in new ways.

"Encrypting data at all times (at rest, in transit, and during processing) and during the whole data lifecycle -- from creation to destruction -- is that 'ideal world' that we all look for," Martin Whitworth, IDC's Research Director for European Data Security and Privacy, wrote to Security Now. "Unfortunately, practicalities often get in the way."

The way Battat puts it, however, security trends themselves have become impractical -- often amounting to little more than "building higher and higher walls" that do no good once intruders get in through a door or a window. While data segmentation is increasingly deployed to achieve data-stewardship goals in seamless cloud environments, those goals may be undermined by the very accessibility measures used to make seamless clouds so seamless in the first place. The fundamental end-to-end security problem of email and file sharing lies in the accessibility demands inherent to those applications: they require storage indefinitely (sometimes forever).

"Certain discoveries are only unlocked when you have enough mass," Stefaan Vervaet, Western Digital's Senior Director of Strategic Alliances and Market Development, wrote in a recent blog post. "It's no surprise that some companies may decide to never delete data again."

Many enterprise IT organizations wind up with a severely poor software-development lifecycle (SDLC), with sensitive data hiding in places they never intended and do not know about, often in multiple centralized locations. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.)

"Centralization creates exposure," points out PreVeil's "manifesto." "If an attack on a single server or network device yields vast quantities of valuable information, one can be sure the attackers will target this central point of failure."

While the decentralization of a seamless cloud can thereby aid information security, new problems crop up in such an environment as accessibility issues intersect with particularized processing challenges.

"If you have a hybrid [cloud], how do you effectively manage the encryption schemes (and keys) across these different environments?" Whitworth said. "[This includes] the challenges of managing keys -- not just for encryption/decryption, but also the issues of key rotation, issuance, cancellation, distribution, etc."


PreVeil's end-to-end encryption (based on XSalsa20, a stream cipher) for file sharing and email purports to work much like applications such as Dropbox: users "drag and drop" to encrypt data and synchronize that encryption across all their devices, without having to manage individual keys. Battat reports that PreVeil's cloud servers, meanwhile, see neither the plaintext data nor the decryption keys. Additionally, because access is validated cryptographically rather than by whatever business logic is stored on the servers for administrative access, an intruder who has compromised one VIP admin or executive does not necessarily get the whole pot of gold.
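To make the model described above concrete, here is an added Python illustration; it is not PreVeil's code or protocol. The client generates the key, encrypts with XSalsa20 (implemented here from the Salsa20 specification: HSalsa20 derives a subkey from the first 16 nonce bytes, Salsa20 then runs with the last 8), and hands the server only an opaque blob, so the server can store and sync data it cannot read. The HMAC-SHA256 authenticator is an assumption standing in for the Poly1305 tag that NaCl's secretbox pairs with XSalsa20, and the key-rotation step shows one of the key-management tasks Whitworth raises: rotation is a client-side re-encryption, after which the old key no longer opens the stored blob. All names, sample plaintexts and the `UntrustedServer` stand-in are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
# Salsa20 constant "expand 32-byte k" as four little-endian words
SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarterround(x, a, b, c, d):
    # Salsa20 quarterround on state words a, b, c, d (in place)
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)


def _salsa20_rounds(state):
    """20 rounds = 10 doublerounds (column round followed by row round)."""
    x = list(state)
    for _ in range(10):
        _quarterround(x, 0, 4, 8, 12)
        _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6)
        _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3)
        _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9)
        _quarterround(x, 15, 12, 13, 14)
    return x


def _state(key, nonce16):
    # 32-byte key layout: constants on the diagonal, key in 1..4 and 11..14,
    # the 16 nonce/counter bytes in words 6..9
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", nonce16)
    return [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
            n[2], n[3], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]


def _hsalsa20(key, nonce16):
    """HSalsa20: rounds without the feed-forward; output the constant and nonce words."""
    x = _salsa20_rounds(_state(key, nonce16))
    return struct.pack("<8I", *(x[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))


def _salsa20_block(key, nonce8, counter):
    s = _state(key, nonce8 + struct.pack("<Q", counter))
    x = _salsa20_rounds(s)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, s)))


def xsalsa20_xor(key, nonce24, data):
    """XSalsa20 keystream XOR: same call encrypts and decrypts."""
    subkey = _hsalsa20(key, nonce24[:16])
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _salsa20_block(subkey, nonce24[16:], i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


def _mac_key(key):
    # Separate MAC key derived from the data key (HMAC as a simple KDF; assumption)
    return hmac.new(key, b"preveil-example mac key", hashlib.sha256).digest()


def client_encrypt(key, plaintext):
    """Encrypt-then-MAC on the client; the result is all the server ever receives."""
    nonce = os.urandom(24)
    ct = xsalsa20_xor(key, nonce, plaintext)
    tag = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def client_decrypt(key, blob):
    nonce, ct, tag = blob[:24], blob[24:-32], blob[-32:]
    expected = hmac.new(_mac_key(key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: stored blob was altered or key is wrong")
    return xsalsa20_xor(key, nonce, ct)


class UntrustedServer:
    """Constructed stand-in for cloud storage: stores opaque blobs, never a key."""
    def __init__(self):
        self.blobs = {}
    def put(self, blob_id, blob):
        self.blobs[blob_id] = blob
    def get(self, blob_id):
        return self.blobs[blob_id]


def rotate_key(server, blob_id, old_key, new_key):
    """Key rotation is also client-side: fetch, decrypt, re-encrypt, replace."""
    plaintext = client_decrypt(old_key, server.get(blob_id))
    server.put(blob_id, client_encrypt(new_key, plaintext))


def demo():
    key = os.urandom(32)          # created and kept on the client only
    server = UntrustedServer()
    message = b"Q3 board deck (constructed sample plaintext)"
    server.put("deck", client_encrypt(key, message))
    stored = server.get("deck")
    results = {"server_blind": message not in stored and key not in stored,
               "roundtrip": client_decrypt(key, stored) == message}
    tampered = bytearray(stored)
    tampered[30] ^= 0x01          # one flipped ciphertext bit on the server side
    try:
        client_decrypt(key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    new_key = os.urandom(32)
    rotate_key(server, "deck", key, new_key)
    try:
        client_decrypt(key, server.get("deck"))
        results["old_key_revoked"] = False
    except ValueError:
        results["old_key_revoked"] = True
    results["new_key_works"] = client_decrypt(new_key, server.get("deck")) == message
    return results
```

The point of the design is what the server can and cannot do: it can store, replicate and sync the blob across devices, but it cannot read it, cannot forge or silently modify it without the client noticing, and holds nothing that becomes useful if an administrator account on the server side is compromised. Compromising a client that holds the key is, as the article notes, a different matter.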

Ultimately, said Battat, this kind of end-to-end encryption is uniquely qualified for securing a seamless cloud environment because of the problems of trusting data exposure on strange servers -- or any servers at all.

"The hybrid environment doesn't have to be any less secure if you're using end-to-end encryption because the whole premise is that anything on the server is not trustworthy," said Battat. "End-to-end encryption does a pretty good job because the encryption is handled at the client side -- so you're not really relying on server qualities to guarantee your safety."


— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
