This year's high-profile battle of wills between Apple and the US Federal Bureau of Investigation (FBI), which sparked worldwide discussions about the propriety of security 'back doors', was eventually resolved when the FBI found another way to get the data it wanted.
Yet this solution raised more questions than it answered, not only tainting Apple with the spectre of an unknown and unpatched vulnerability but leading CSOs the world over to reconsider the true security of their data – and the need to shift their security policies away from the protection of perimeters that have become porous and fluid thanks to the broad adoption of mobile and cloud technologies.
“Many readers try to protect the perimeter very heavily and they sometimes forget the other things” that are reshaping the corporate security perimeter, Verizon Enterprise Solutions managing principal for investigative response told CSO Australia.
Mobile applications, in particular, are rapidly changing the dynamics around management of corporate data: Gartner, for one, has predicted that by 2017, 75 percent of mobile security breaches will be due to misconfiguration of mobile applications that inadvertently create serious corporate security holes.
While it makes sense in isolation, application-level security is a big step for CSOs that have long been focused on building security perimeters and carefully monitoring them for breaches. Application-level security changes this model by focusing on data and its movement through the application ecosystem, which can be most effectively controlled wth a focus on new notions of identity and the ways those identities are managed across network, mobile and cloud ecosystems.
“The rise of cloud-based services, where people keep their data offshore, is going to mandate the use of encryption,” John Baird, director of technology and production with Deutsche Bank, told a panel at a recent CSO Perspectives event.
“That data needs to be protected.” Even as the spread of application-based computing changes existing security models, so too is it driving changes in the way that encryption is handled at the enterprise level. The last year, after all, has seen a significant shift towards end-to-end encryption of many cloud-based services – sometimes in response to government hacking.
“Organisations are coming around to understanding that they need to do something about application level security – not just network security, and not just encryption.”
This posture offers security benefits for individual users – but as the volume of encrypted data entering and existing the business increases, security management tools are progressively losing their ability to scan traffic for malware.
“We're seeing more and more Internet traffic encrypted over time, particularly after Edward Snowden came out and told everyone that people are watching them,” David Holmes, worldwide security evangelist with F5 Networks, recently told CSO Australia.
“But this is causing a problem for CSOs because they have all these interesting data loss prevention (DLP) and other security tools that are specifically designed to look for malware – but they can't decrypt the traffic to see that malware. You simply cannot have a large enterprise where no one is checking for malware.” shift is being hastened by the recent availability of free digital-certificate services from the likes of Amazon Trust Services and Let's Encrypt, which issued 1 million free certificates in its first three months of operation. Since those certificates can be obtained by anyone to encrypt their online presence – adding a degree of legitimacy to visitors – they are fast becoming a favoured method of malware authors looking to encrypt their malicious payloads.
Indeed, by 2017, Gartner has predicted, half of all network attacks will be using SSL to obscure their activities. Without a way to examine encrypted traffic, enterprises will be at a loss to spot malware or its telltale activities that are hidden in data entering or exiting the organisation.
CSOs will effectively be flying blind unless they have some way to decrypt that traffic – and that blind spot will increase in size as the proportion of encrypted application traffic trends towards 100 percent.
There are ways to manage this conundrum: some security appliances, for example, are able to decrypt incoming traffic before scanning it for malware. Such tools are, however, constrained by the sheer volume of data – and the time and computing power it takes to decrypt that data – so compromises need to be put in place. “Organisations are coming around to understanding that they need to do something about application level security – not just network security, and not just encryption,” Holmes said, noting that the sheer volume of traffic – many companies have hundreds or thousands of applications potentially sending encrypted traffic simultaneously – can be a showstopper for many organisations.
“They just don't have enough security people to secure that many applications,” he said, “even if they assigned budget immediately and even if they knew every one. But there are hopeful signs that as threat intelligence gets better, hopefully we will be able to plug part of that skills gap.” In the meantime, one step towards managing the flow of data is to exclude data that is known to be part of innocuous data flows such as streaming media.
Netflix, for example, generates around 30 percent of all Internet traffic and, like many online service providers, encrypts all of this data. Netflix streams, like streams of virtual display interface (VDI) traffic that facilitate remote access using screen-scraping techniques, can be safely ignored – and doesn't, therefore need to be decrypted – when developing new application-security models.
“The rise of cloud-based services, where people keep their data offshore, is going to mandate the use of encryption. That data needs to be protected.”
CSOs could also make judgements about particular vendors' own security efforts to decide whether they can be trusted and, therefore, allowed to pass through unexamined. Ultimately, encryption is going to be something CSOs have to deal with – both for the improved governance it provides, and in terms of the need to implement techniques for decrypting data in line with corporate malware controls.
This not only requires decryption capabilities but will, increasingly, require competencies in areas such as encryption key management – which is being subsumed by many organisations that want to control their data's accessibility – as well as better management of privileged-user accounts, application patching, and application-level security.
This application-centric paradigm has fast become an imperative for every kind of security practitioner since the network – for so long the favoured unit of enterprise information management – is no longer defined by arbitrary perimeters.
Yet it is taking some time for corporate practices to catch up: while figures suggest 72 percent of today's data breaches are caused by compromised user identities or vulnerable applications, businesses are still spending 90 percent of their security spend maintaining conventional network-centric security. And this brings us back to that iPhone, a key source of potential evidence that could not be accessed because of the encryption technology that is fast becoming standard.
“While some in law enforcement consider encryption to be an impediment, in truth it's a fantastic asset. It's one of the strongest tools that we have to protect ourselves.”
This case may seem isolated and remote, but it's worth considering how your business would have responded if that mobile was one of your own fleets – and contained sensitive business information that you did not want revealed. “As we've seen recently with the revelations from Edward Snowden, there has been a long history of law enforcement and intelligence services breaching security and stealing information, seemingly with very little oversight,” technology analyst Graham Cluley told the CSO panel.