Cloud Security

The Fallacy of the Silver Bullet for Cloud Security

“Security is orthogonal to functionality – just because a security product functions properly does not mean it’s secure.” – Bruce Schneier

Over the holidays, I had dinner with an old friend who works as the CIO of a large financial services firm. Over the course of the evening, our conversation drifted to his organization’s plans for adopting a major cloud platform to host their sales and marketing data.

Toward the end of last year, I wrote about the challenges and opportunities that adopting a cloud platform will bring to an increasing number of organizations in 2014. My friend covered many of them during our conversation: the risk that their regulated data could be inadvertently leaked to external agents; staff with permission to access account data from their new iPads, phones and laptops, some of which would inevitably be left in a hotel room or on a conference room table in the new year; and the overall problem of how they would keep their data secure and in compliance without losing the benefits of the cloud strategy itself (namely, reduced IT cost, simplified technology management, and increased collaboration).

Over dessert, he leaned in and said, “But that’s what encryption is for, right?”

The answer is no, but it’s a surprisingly common mistake — one that’s even codified into some regulatory requirements, where liability is reduced after a data breach if the data that was lost was encrypted. There is no denying the value of encryption; even at my own company, we use it (albeit selectively, when and where it makes sense based on potential loss). However, my friend’s response was representative of the confusion I often hear from CIOs and their colleagues, where the idea of encrypting data is mistaken for a one-stop solution, and the result is that a tremendous amount of money and time are being spent solving the wrong problem.

To help understand why this is happening, it’s helpful to begin by asking where the highest-probability threats for a cloud-enabled company are. Generally, two-thirds of most data breaches are the result of human error and system misconfiguration. Authorized users are the source of these issues, often by mis-sharing files, installing insecure applications that externalize their data, or by having their credentials misused or stolen outright.

Encryption, on the whole, solves a different problem: it prevents targeted external access threats to organizational data. The two primary means of enforcing encryption are tokenization, where a company still needs to host and secure their own data and only the “tokenized” version of this data is available in the cloud, or true encryption, where the company hosts their encryption keys and decrypts files and information on the fly. The simpler of the two problems with a bulk encryption strategy is that both implementation models create a weak link by moving high-value assets (either data or keys) out of the cloud hosting environment and into either the company’s on-premises servers or a secondary vendor’s platform. Neither reflects the cost savings and consolidation approach that the cloud brings, and both are at odds with the idea of reducing risk and IT management overhead.

The second and more significant problem is that this encryption model does not inherently address risk around internal access; bulk encryption of a company’s entire data set still requires a means of differentiating sensitive data from non-sensitive data, and of ensuring that only the right people have access to the former. In a nutshell, this is the fallacy of the silver bullet: organizations implement bulk encryption as if it were a complete solution, when encryption needs to be one part of a defense-in-depth approach to security in the cloud.

As I suggested to my friend, it makes sense to solve the urgent problems in moving to the cloud, rather than theoretical or low-probability ones. As the past few years of Ponemon and Symantec data studies show, internal and non-malicious staff behavior results in the majority of regulatory and organizational policy violations, putting the company at the highest risk of a data breach. Simply encrypting everything does not address this problem. What does work is the implementation of a system capable of doing deep content analytics, exposure discovery, and automated access management to remediate those exposures. This does not deny the value of selectively encrypting data in the cloud, but it redraws the line between doing what feels good and what actually secures the organization.
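To make the distinction concrete, here is an added toy example (not from the article or any product it mentions) of the three pieces named above: content classification, exposure discovery, and automated remediation, run over a constructed set of cloud files with their sharing ACLs. The company domain, the sensitive-data patterns and the file set are assumptions; note that the at-rest encryption flag plays no part in whether a file counts as exposed, which is the point the article makes about authorized users mis-sharing data.

```python
import re
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"  # assumed internal mail domain (constructed)

@dataclass
class CloudFile:
    name: str
    content: str            # plaintext as an authorized user (or their recipient) sees it
    shared_with: list       # ACL: e-mail addresses or the literal "anyone-with-link"
    encrypted_at_rest: bool = True  # bulk encryption: present, but irrelevant to exposure

# Toy content analytics: patterns standing in for regulated data classes
SENSITIVE_PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def classify(f: CloudFile) -> list:
    """Tag a file with the sensitive data classes found in its content."""
    return sorted(tag for tag, rx in SENSITIVE_PATTERNS.items() if rx.search(f.content))

def external_principals(f: CloudFile) -> list:
    """ACL entries outside the company: link-sharing or a foreign mail domain."""
    return [p for p in f.shared_with
            if p == "anyone-with-link" or not p.endswith("@" + COMPANY_DOMAIN)]

def discover_exposures(files) -> dict:
    """Exposure discovery: sensitive files that external principals can read.
    encrypted_at_rest is ignored on purpose: whoever is on the ACL decrypts."""
    return {f.name: {"tags": classify(f), "external": external_principals(f)}
            for f in files if classify(f) and external_principals(f)}

def remediate(files) -> list:
    """Automated access management: drop external principals from exposed files."""
    exposed = discover_exposures(files)
    for f in files:
        if f.name in exposed:
            f.shared_with = [p for p in f.shared_with if p not in exposed[f.name]["external"]]
    return sorted(exposed)

def make_sample() -> list:
    """Constructed drive contents: one mis-shared sensitive file, two safe ones."""
    return [
        CloudFile("q4-pipeline.xlsx", "Acct 4111 1111 1111 1111 renews Q1",
                  ["bob@example.com", "partner@vendor.test"]),
        CloudFile("offsite-agenda.docx", "Lunch 12:00, keynote 13:00", ["anyone-with-link"]),
        CloudFile("hr-roster.csv", "Jane Doe, 123-45-6789", ["hr@example.com"]),
    ]

if __name__ == "__main__":
    drive = make_sample()
    print("exposed:", discover_exposures(drive))
    print("remediated:", remediate(drive))
```

The publicly linked agenda is not flagged because it holds nothing sensitive, and the HR roster is not flagged because only internal staff can read it; only the sensitive file shared outside the company is an exposure, regardless of its encryption at rest.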

Where will your focus and attention be in 2014?

Related Reading: Silver Bullets only Work in the Movies, Not Security

Related Reading: As a Security Professional, What Will You Be Focused on in 2014?
