As applications redefine the perimeter, is encryption protecting it too well?

Encryption battle reflects the new considerations CSOs must give as the network perimeter expands to include mobile, cloud services

This year's high-profile battle of wills between Apple and the US Federal Bureau of Investigation (FBI), which sparked worldwide discussions about the propriety of security 'back doors', was eventually resolved when the FBI found another way to get the data it wanted.

Yet this solution raised more questions than it answered, not only tainting Apple with the spectre of an unknown and unpatched vulnerability but leading CSOs the world over to reconsider the true security of their data – and the need to shift their security policies away from the protection of perimeters that have become porous and fluid thanks to the broad adoption of mobile and cloud technologies.

“Many readers try to protect the perimeter very heavily and they sometimes forget the other things” that are reshaping the corporate security perimeter, Verizon Enterprise Solutions managing principal for investigative response told CSO Australia.

Mobile applications, in particular, are rapidly changing the dynamics around management of corporate data: Gartner, for one, has predicted that by 2017, 75 percent of mobile security breaches will be due to misconfiguration of mobile applications that inadvertently create serious corporate security holes.

While it makes sense in isolation, application-level security is a big step for CSOs who have long been focused on building security perimeters and carefully monitoring them for breaches. Application-level security changes this model by focusing on data and its movement through the application ecosystem, which can be most effectively controlled with a focus on new notions of identity and the ways those identities are managed across network, mobile and cloud ecosystems.

“The rise of cloud-based services, where people keep their data offshore, is going to mandate the use of encryption,” John Baird, director of technology and production with Deutsche Bank, told a panel at a recent CSO Perspectives event.

“That data needs to be protected.” Even as the spread of application-based computing changes existing security models, so too is it driving changes in the way that encryption is handled at the enterprise level. The last year, after all, has seen a significant shift towards end-to-end encryption of many cloud-based services – sometimes in response to government hacking.

“Organisations are coming around to understanding that they need to do something about application level security – not just network security, and not just encryption.”

David Holmes, F5 Networks

This posture offers security benefits for individual users – but as the volume of encrypted data entering and exiting the business increases, security management tools are progressively losing their ability to scan traffic for malware. “We're seeing more and more Internet traffic encrypted over time, particularly after Edward Snowden came out and told everyone that people are watching them,” David Holmes, worldwide security evangelist with F5 Networks, recently told CSO Australia.

“But this is causing a problem for CSOs because they have all these interesting data loss prevention (DLP) and other security tools that are specifically designed to look for malware – but they can't decrypt the traffic to see that malware. You simply cannot have a large enterprise where no one is checking for malware.” The shift is being hastened by the recent availability of free digital-certificate services from the likes of Amazon Trust Services and Let's Encrypt, which issued 1 million free certificates in its first three months of operation. Since those certificates can be obtained by anyone to encrypt their online presence – lending their sites a degree of legitimacy in visitors' eyes – they are fast becoming a favoured method for malware authors looking to encrypt their malicious payloads.

Indeed, by 2017, Gartner has predicted, half of all network attacks will be using SSL to obscure their activities. Without a way to examine encrypted traffic, enterprises will be at a loss to spot malware or its telltale activities that are hidden in data entering or exiting the organisation.

CSOs will effectively be flying blind unless they have some way to decrypt that traffic – and that blind spot will increase in size as the proportion of encrypted application traffic trends towards 100 percent.

There are ways to manage this conundrum: some security appliances, for example, are able to decrypt incoming traffic before scanning it for malware. Such tools are, however, constrained by the sheer volume of data – and the time and computing power it takes to decrypt that data – so compromises need to be put in place. “Organisations are coming around to understanding that they need to do something about application level security – not just network security, and not just encryption,” Holmes said, noting that the sheer volume of traffic – many companies have hundreds or thousands of applications potentially sending encrypted traffic simultaneously – can be a showstopper for many organisations.

“They just don't have enough security people to secure that many applications,” he said, “even if they assigned budget immediately and even if they knew every one. But there are hopeful signs that as threat intelligence gets better, hopefully we will be able to plug part of that skills gap.” In the meantime, one step towards managing the flow of data is to exclude data that is known to be part of innocuous data flows such as streaming media.

Netflix, for example, generates around 30 percent of all Internet traffic and, like many online service providers, encrypts all of this data. Netflix streams, like streams of virtual desktop infrastructure (VDI) traffic that facilitate remote access using screen-scraping techniques, can be safely ignored – and therefore do not need to be decrypted – when developing new application-security models.

“The rise of cloud-based services, where people keep their data offshore, is going to mandate the use of encryption. That data needs to be protected.”

John Baird, Deutsche Bank

CSOs could also make judgements about particular vendors' own security efforts to decide whether they can be trusted and, therefore, allowed to pass through unexamined. Ultimately, encryption is going to be something CSOs have to deal with – both for the improved governance it provides, and in terms of the need to implement techniques for decrypting data in line with corporate malware controls.
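The selective approach described above, exempting known streaming and VDI flows and vetted vendors while decrypting everything else, as an added example that is not from the article or any vendor product: a Python sketch that reads the server name a TLS client announces in its ClientHello and decides whether the flow is bypassed or sent for decryption and scanning. The allow-list domains and categories are constructed assumptions, and the ClientHello builder exists only to produce test input.

```python
import struct
BYPASS_CATEGORIES = {  # constructed allow-list; these domains are not from the article
    "streaming": {"netflix.com"},
    "vdi": {"vdi.example.internal"},           # hypothetical VDI gateway
    "trusted_vendor": {"vendor.example.com"},  # hypothetical vetted SaaS vendor
}
def build_client_hello(sni):
    # Minimal TLS ClientHello record, carrying an SNI extension when sni is given (constructed input).
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # client_version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    # Return the host_name from the ClientHello's SNI extension, or None if absent or malformed.
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                    # headers, client_version, random
        p += 1 + record[p]                                # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                                # compression methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0x0000 and record[p + 2] == 0:    # server_name list with a host_name entry
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None

def inspection_decision(record):
    # 'bypass:<category>' for allow-listed flows; 'decrypt' for everything else, including no SNI.
    host = extract_sni(record)
    if host is None:
        return "decrypt"          # nothing to match against the allow-list, so inspect it
    for category, domains in BYPASS_CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return f"bypass:{category}"
    return "decrypt"
```

A flow with no server name cannot be matched against the allow-list, so it is decrypted rather than waved through; the match is an exact-or-subdomain test so that a look-alike such as a host merely containing the string "netflix.com" is not exempted.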

This not only requires decryption capabilities but will, increasingly, require competencies in areas such as encryption key management – which many organisations are taking in-house in order to control who can access their data – as well as better management of privileged-user accounts, application patching, and application-level security.

This application-centric paradigm has fast become an imperative for every kind of security practitioner since the network – for so long the favoured unit of enterprise information management – is no longer defined by arbitrary perimeters.

Yet it is taking some time for corporate practices to catch up: while figures suggest 72 percent of today's data breaches are caused by compromised user identities or vulnerable applications, businesses are still spending 90 percent of their security spend maintaining conventional network-centric security. And this brings us back to that iPhone, a key source of potential evidence that could not be accessed because of the encryption technology that is fast becoming standard.

“While some in law enforcement consider encryption to be an impediment, in truth it's a fantastic asset. It's one of the strongest tools that we have to protect ourselves.”

Graham Cluley

This case may seem isolated and remote, but it's worth considering how your business would have responded if that mobile had been part of your own fleet – and contained sensitive business information that you did not want revealed. “As we've seen recently with the revelations from Edward Snowden, there has been a long history of law enforcement and intelligence services breaching security and stealing information, seemingly with very little oversight,” technology analyst Graham Cluley told the CSO panel.

Stories by David Braue