We spoke with Richard Moulds, the vice president of product strategy at Thales e-Security, at the recent RSA Conference held in San Francisco about the role of encryption in a number of different security issues.
“Everyone thinks encryption is a single thing but of course it’s not. It’s a basket of 25 different technologies,” says Moulds. “Encrypting a thumb-drive or someone’s laptop or a web connection or a backup tape or database or file-system are all completely different. To say we’re doing encryption isn’t really good enough”.
Thales released their tenth annual Global Encryption and Key Management Trends Study this week. Among the key findings were that the biggest challenge in planning and executing a data encryption strategy is discovering where sensitive data resides in the organization. Support for cloud and on-premise deployment is one of the most important features of an encryption solution and management of keys and certificates is painful because of no clear ownership and systems are isolated and fragmented.
Looking back at Peter Gutmann’s presentation at AusCERT last year - where he said "No matter how strong the crypto was, or how large the keys were, the attackers walked around it" - it’s clear the challenges surrounding the deployment of encryption remain.
Deploying encryption in a cohesive, organisation-wide manner remains a significant challenge.
“There are still two opposing trends. There’s the trend of it becoming embedded, a native capability in a system, which is about trying to make it easier. But then there’s the trend of it moving up the stack. I can encrypt a network or a file-system but anybody above that doesn’t really know that encryption is even applied”.
This is where access rights to data become important. While data might be encrypted when in-flight of at rest, once a user with appropriate rights accesses the data, the encryption becomes irrelevant.
“Why bother trying to steal the key when you can just fake the identity of a person that legitimately has access to the file? Encrypting stuff is easy. Figuring out who can decrypt it is the challenge”.
One way organisations can improve when it comes to data security, says Moulds, is to consider applying the principals of PCI/DSS to data more generally and not just credit cards. Citing the recent Anthem breach, he suggested the healthcare industry could significantly improve its security standards it of it adopted PCI/DSS on healthcare data.
With the shift to the cloud now marching forward, encryption has becoming an increasingly important element of the security discussion.
“You don’t want to be leaving valuable things, not just keys, even your application code in the open. It’s a data at rest problem,” says Moulds.
One of the challenges is even when you leave the cloud and erase your data, you can’t be certain the data is completely gone.
“Being confident you’ve not left any remnants when you leave, even if you leave temporarily – passwords, keys, sensitive data should be encrypted”.
Even though there are third party and integrated solutions for encryption of data stored on cloud services, the issue of key management still remains.
“At the end of the day, if a cloud provider has the keys, how do you know the provider won’t hand the keys over if those pesky Americans show up and demand that they do so,” he asked.
Thales has been working with Microsoft on key management within Azure and recently launched their BYOK, Bring your own Key, Deployment Package that enables businesses to generate and transfer their own keys to Azure. Although some cloud providers offer Hardware Security Modules, or HSMs, as part of their service, Thales’ nShield® Hardware Security Module (HSM) can manage keys on-premise that can then be used with Azure. This means the encrypted data and keys are stored in completely separate enviornments.
This works with the recently launched Key Vault service that uses hardware, rather than software, for key management.