“Security is orthogonal to functionality – just because a security product functions properly does not mean it’s secure.” – Bruce Schneier
Over the holidays, I had dinner with an old friend who works as the CIO of a large financial services company. Over the course of the evening, our conversation drifted to his organization’s plans for adopting a major cloud platform to host their sales and marketing data.
Toward the end of last year, I wrote about the challenges and opportunities that adopting a cloud platform will bring to an increasing number of organizations in 2014. My friend covered many of them during our conversation: the risk that their regulated data could be inadvertently leaked to external agents; staff with permission to access account data from their new iPads, phones, and laptops, some of which would inevitably be left in a hotel room or on a conference room table in the new year; and the overall problem of how they would keep their data secure and in compliance without losing the benefits of the cloud strategy itself (namely, reduced IT cost, simplified technology management, and increased collaboration).
Over dessert, he leaned in and said, “But that’s what encryption is for, right?”
The answer is no, but it’s a surprisingly common mistake — one that’s even codified into some regulatory requirements, where liability is reduced after a data breach if the data that was lost was encrypted. There is no denying the value of encryption; even at my own company, we use it (albeit selectively, when and where it makes sense based on potential loss). However, my friend’s response was representative of the confusion I often hear from CIOs and their colleagues, where the idea of encrypting data is mistaken for a one-stop solution, and the result is that a tremendous amount of money and time are being spent solving the wrong problem.
To help understand why this is happening, it’s helpful to begin by asking where the highest probability threats for a cloud-enabled company are. Generally, two thirds of most data breaches are the result of human error and system misconfiguration. Authorized users are the source for these issues, often by mis-sharing files, installing insecure applications that externalize their data, or by having their credentials misused or stolen outright.
Encryption, on the whole, solves a different problem: it prevents targeted external access to organizational data. The two primary means of enforcing encryption are tokenization, where a company still needs to host and secure its own data and only the “tokenized” version of that data is available in the cloud, or true encryption, where the company hosts its encryption keys and makes files and information available on the fly. The simpler of the two problems with a bulk encryption strategy is that both implementation models create a weak link by moving high-value assets (either data or keys) out of the cloud hosting environment and into either the company’s on-premises servers or a secondary vendor’s platform. Neither reflects the cost savings and consolidation that the cloud brings, and both are at odds with the goal of reducing risk and IT management overhead.
The second and more significant problem is that this encryption model does not inherently address the risk around internal access: bulk encryption of a company’s entire data set still requires a means of differentiating sensitive data from non-sensitive data, and of ensuring that only the right people have access to the former. In a nutshell, this is the fallacy of the silver bullet: organizations implement bulk encryption as if it were a complete solution, when encryption needs to be one part of a defense-in-depth approach to security in the cloud.
As I suggested to my friend, it makes sense to solve the urgent problems in moving to the cloud rather than theoretical or low-probability ones. As the past few years of Ponemon and Symantec data studies show, internal and non-malicious staff behavior results in the majority of regulatory and organizational policy violations, putting the company at the highest risk of a data breach. Simply encrypting everything does not address this problem. What does work is implementing a system capable of deep content analytics, exposure discovery, and automated access management to remediate those exposures. This does not deny the value of selectively encrypting data in the cloud, but it redraws the line between doing what feels good and doing what actually secures the organization.
Where will your focus and attention be in 2014?